On August 23rd, wireless network operator T-Mobile announced that its cyber-security team had discovered and shut down a security breach that had taken place on Monday, August 20.
At the time, the operator said that the unauthorized access compromised its customers' personal data and that the intruders had attempted to siphon names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types (whether prepaid or postpaid).
However, T-Mobile said that the hackers were unable to retrieve any passwords, Social Security numbers, or financial information.
Speaking to Motherboard, the network operator said that the customers affected represent less than 3% of its customer base. As of the second quarter of 2018, figures suggest that T-Mobile boasts 75.62 million customers, which would mean that the number of affected customers sits close to 3.9 million. T-Mobile’s official announcement had claimed the number of affected users was 2 million.
But an update on Friday revealed that T-Mobile’s statements may have been misleading. It turned out that some passwords were leaked, but T-Mobile had claimed otherwise because the passwords were encrypted. There was no word on the number of stolen passwords or the hashing algorithm.
Later on, a security researcher who had obtained a sample of the compromised data through a ‘mutual friend’ revealed to Motherboard that it included what looks like a hash. Motherboard shared the hash with two different security researchers, who later said that it could be an encoded string hashed with MD5, a notoriously weak algorithm that can be vulnerable to brute-force attacks.
Motherboard also shared the hash with Jeremi M. Gosney, a well-known password expert and CEO of the password-cracking firm Terahash. Gosney said that “while the hash algorithm is not totally clear, the algorithm could likely be reverse engineered with access to a larger sample of hashes from the database.”