T-Mobile Has Revealed Data Breach of 2 million Customers

The company says that passwords may have also been revealed, only through an encrypted form not [compromised].

In a statement to consumers on Thursday evening, T-Mobile announced a new data breach that allowed hackers to access more than 2 million people’s personal information such as their name, number, address, accounting number, and account type. Credit card information was not accessed during the breach. T-Mobile’s representative spoke out to Motherboard to explain how “[a]round 3 percent of [the company’s] 77 million customers…may have been affected” (Sean Keane, CNET). A text message was sent to all customers affected by the breach.

It was later discovered that “encrypted passwords” were also exposed in the data breach, as explained by a spokesperson from T-Mobile.John Legere T-Mobile’s CEO mentioned in a tweet that “it’s always a good idea to regularly change account passwords.”

As this article from CNET explains:

        “The company says that hackers couldn’t actually read them — since they were encrypted — but Motherboard says that a pair of security researchers believe T-Mobile used the MD5 algorithm to protect them, a protection scheme whose own author declared it “no longer considered safe” back in 2012. However, T-Mobile wouldn’t confirm whether it used MD5 or not.“.

T-Mobile had experienced another cybersecurity issue back in May when researchers noticed that customers’ personal data could easily be retrieved through means of using their phone number. Meanwhile, the company is working to improve its quality of service for its customers.

The original article from CNET (as referenced in this post) can be found here.


Social-Engineering, A Different Type of Hacking

Apparently it doesn’t take more than a teenage hacker, a well-thought strategy, and a call to Verizon & AOL to gain access to the personal email account of high-ranking CIA Director, John Brennan. As reported by Wired, the hacker gained access to Brennan’s AOL account using a low-tech social engineering hacking technique, sans sophisticated coding skills.

As the old saying goes, “A chain is only as strong as its weakest link.” The same applies even for the CIA’s email security. In the case of this hack, the weak-link was a third party outlet. The hacker reportedly began the plan with a reverse lookup on Brennan’s number. After discovering that he was a Verizon customer, he made a call to Verizon and posed as a Verizon technician. All it took was a lie saying, “Our tools are down,” to be given access to Brennan’s personal details including account number, four-digit PIN, backup mobile number, email address, and the last four digits of his bank card.

Once they received the information they needed, they called in to AOL and claimed to be locked out of their account. After asking simple security questions, the password was reset and they were in. Once inside, they discovered emails that had been forwarded from his work email, revealing numerous employee social security numbers and other confidential information. After 3 days of having access to the email account, it was finally disabled.

With that being said, if there can be a breach in the CIA security system, we should probably make a concerted effort to at least throw a few barriers into hackers paths. Two-factor authentication is a substantial form of protection, drastically minimizing the risk of sweet-talking hackers being successful with their plans. If you can enter a code sent to your mobile phone, the vulnerability of remote resets are reduced.  Marc Boroditsky, manager of Authy, a cybersecurity company calls an attack like this ‘social engineering.’

“If someone is as determined as these hackers were to breach these officials’ accounts, no amount of knowledge-based security is going to protect you from this extent of social engineering.”