The company says that passwords may have also been revealed, only through an encrypted form not [compromised].
In a statement to consumers on Thursday evening, T-Mobile announced a new data breach that allowed hackers to access more than 2 million people’s personal information such as their name, number, address, accounting number, and account type. Credit card information was not accessed during the breach. T-Mobile’s representative spoke out to Motherboard to explain how “[a]round 3 percent of [the company’s] 77 million customers…may have been affected” (Sean Keane, CNET). A text message was sent to all customers affected by the breach.
It was later discovered that “encrypted passwords” were also exposed in the data breach, as explained by a spokesperson from T-Mobile.John Legere T-Mobile’s CEO mentioned in a tweet that “it’s always a good idea to regularly change account passwords.”
As this article from CNET explains:
“The company says that hackers couldn’t actually read them — since they were encrypted — but Motherboard says that a pair of security researchers believe T-Mobile used the MD5 algorithm to protect them, a protection scheme whose own author declared it “no longer considered safe” back in 2012. However, T-Mobile wouldn’t confirm whether it used MD5 or not.“.
T-Mobile had experienced another cybersecurity issue back in May when researchers noticed that customers’ personal data could easily be retrieved through means of using their phone number. Meanwhile, the company is working to improve its quality of service for its customers.
The original article from CNET (as referenced in this post) can be found here.