Telecom giant T-Mobile has issued an alert about a data breach that may have compromised the personal information of 2 million customers.
In a statement on its website, T-Mobile said it issued the alert “out of an abundance of caution,” warning its customers of a security breach in which hackers gained unauthorized access to customer information. The exposed data includes names, billing details with ZIP code, phone numbers, email addresses, T-Mobile account type (prepaid or postpaid) and account numbers.
An excerpt from the statement read:
On August 20, our cyber-security team discovered and shut down an unauthorized capture of some information, including yours, and promptly reported it to authorities.
The company insisted that no financial information, social security numbers or passwords were stolen as a result of the breach. However, a closer look by VICE publication Motherboard revealed that T-Mobile’s data breach had in fact included “encrypted passwords”.
A spokesperson told the publication that the company explicitly stated that “no passwords were compromised” … “because they weren’t,” according to the rep. “They were encrypted.”
Poring over the data, security researcher Nicholas Ceraolo discovered that the encrypted passwords were, in fact, hashed with MD5, an algorithm notoriously vulnerable to brute-force attacks.
Jeremi Gosney, CEO of password-cracking firm Terahash, analyzed the hash and told Motherboard that while the algorithm isn’t totally clear, it could be reverse engineered with access to a large sample of hashes from the database.
T-Mobile is currently in the process of reaching out to victims directly via text messages to notify them of the breach, a spokesperson said.
“All affected customers have been, or shortly will be, notified. If you don’t receive a notification then that means your account was not among those impacted by this incident,” the company added.
Image credit: Pexels.