T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security

A T-Mobile Austria customer representative made a shocking admission in a Twitter thread.

Security is hard. Computer systems get more complex by the day and software is eating up the world, making the task of keeping hackers out harder and harder.

Sometimes, however, companies just make it too easy for the bad guy by disregarding the most basic and universally accepted security best practices. Today’s culprit: T-Mobile Austria.

The company admitted on Twitter that it stores at least part of its customers' passwords in plaintext. This is a big no-no in this day and age because if anyone breaches T-Mobile (and companies are breached all the time), they could likely guess or brute-force every user's password. If the passwords were fully encrypted or hashed, it wouldn't be that easy. But having a portion of the credential in plaintext reduces the difficulty of decoding the hashed part and obtaining the whole password.



“Based on what we know about how people choose their passwords,” Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told me via Twitter direct message, “knowing the first 4 characters of your password can make it DEAD EASY for an attacker to figure out the rest.”

T-Mobile doesn’t see that as a problem because it has “amazingly good security.”

On Thursday, a T-Mobile Austria customer support employee made that stunning revelation in an incredibly nonchalant tweet.

Twitter user Claudia Pellegrino was quick to point out that storing passwords in plaintext is wrong, but another T-Mobile customer rep didn’t see it that way.

“I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear,” the rep wrote back.

Another Twitter user chimed in saying “what if your infrastructure gets breached and everyone’s password is published in plaintext to the whole wide world?”


That really didn’t sway the T-Mobile rep, who smugly replied: “What if this doesn't happen because our security is amazingly good?”

A T-Mobile Austria representative said that "there is a misunderstanding in this thread about how we store and what is being displayed for customer service agents. I will check with our security officer and get back to you," but didn't immediately follow up.

It’s hard to overstate just how incredibly reckless it is, in 2018, to still store people’s passwords in plaintext. Over the years, literally billions of people’s credentials have been lost in countless data breaches, and everyone in cybersecurity agrees that companies should take precautions so that if a data breach happens, the passwords are hashed or encrypted and don’t get compromised.
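To put numbers on the point about a visible four-character prefix, here is an added Python example (not from T-Mobile or from this article's sources) that sets a hypothetical weak record beside a salted, slow-hash record. The record layouts, the 62-character alphabet, the PBKDF2 work factor and the sample guess list are all assumptions made for illustration.

```python
import hashlib, hmac, math, os

ALPHABET = 62          # assumption: characters drawn from [A-Za-z0-9]
ITERATIONS = 600_000   # assumption: PBKDF2-HMAC-SHA256 work factor

def search_space_bits(length, known=0, alphabet=ALPHABET):
    """Bits of brute-force work left once `known` leading characters are exposed."""
    return (length - known) * math.log2(alphabet)

def store_weak(password, visible=4):
    """Hypothetical weak record: readable prefix kept beside a fast, unsalted hash."""
    return {"prefix": password[:visible],
            "sha256": hashlib.sha256(password.encode()).hexdigest()}

def store_hardened(password):
    """Hardened record: random per-user salt plus a slow derived key, nothing readable."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "key": key}

def verify_hardened(record, attempt):
    """Re-derive the key from the login attempt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(key, record["key"])

def exposed_fraction(record, candidates):
    """Share of a guess list still consistent with what the record reveals."""
    prefix = record.get("prefix")
    if prefix is None:
        return 1.0  # record reveals nothing: every guess still has to be tried
    return sum(c.startswith(prefix) for c in candidates) / len(candidates)

# Constructed sample data, not real credentials.
SAMPLE_GUESSES = ["Summer2018", "Summit99", "Winter2018", "Vienna123",
                  "Password1", "Qwertz123", "Austria1", "Letmein22"]

if __name__ == "__main__":
    weak, hard = store_weak("Summer2018"), store_hardened("Summer2018")
    print(f"8 chars, none known: {search_space_bits(8):.1f} bits")
    print(f"8 chars, 4 known:    {search_space_bits(8, 4):.1f} bits")
    print("guesses left (weak):    ", exposed_fraction(weak, SAMPLE_GUESSES))
    print("guesses left (hardened):", exposed_fraction(hard, SAMPLE_GUESSES))
    print("login ok:", verify_hardened(hard, "Summer2018"))
```

Exposing four of eight characters halves the bit count, which takes the square root of the number of guesses rather than halving it.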

I can’t remember such a self-own since the days when CNBC tried to teach people about passwords by asking them to give them up and send their passwords over an insecure connection.
