T-Mobile tweets a customer's username and password


Twitter, love it or hate it, can be a great tool for communicating quickly. It allows for impersonal conversation and thought sharing with users all across the world. But T-Mobile made a massive blunder and tweeted not only the username of an individual's account but also the password.

A Dutch website, webwereld.nl, picked up on the tweet and quickly called out T-Mobile for its recklessness. T-Mobile says it contacted the individual and had them change their password promptly.

Several issues quickly become apparent. For one thing, why does the person running the company's Twitter account also have access to customers' usernames and passwords in readable form? That points to a second problem: why are passwords stored on T-Mobile's systems in a form that can be displayed at all, rather than as salted one-way hashes that let the company verify a password without ever being able to read it back? If an attacker were to penetrate the network, or a support tool were abused, they would have instant access to thousands of customer accounts, and to every other site where those customers reuse the same password.

"[The tweet] probably should have been a direct message to the customer," says T-Mobile. "When we found out that data was revealed, we immediately removed the account and contacted the customer to explain what happened." (translated from Dutch).

T-Mobile also says that nothing happened to the user's account, but the user states otherwise: they say someone changed their subscription and renewed it, and that they are receiving SMS messages from unknown individuals that reference details which could only have been obtained from their account.
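The storage question raised above (whether support staff, or anyone who reads the database, can see a customer's password) comes down to how the password is stored. The following is an added example, not T-Mobile's code or anything from the original article: it contrasts plaintext storage, an unsalted fast hash (MD5), and a salted, iterated hash (PBKDF2-HMAC-SHA256), and shows that only the last lets a support agent confirm a password a customer recites on the phone without the record itself revealing it. The record format, the iteration count and the list of "common passwords" used as a stand-in for a precomputed lookup table are all assumptions made for the example.

```python
# Added example (not T-Mobile's code): three ways a service might store an
# account password, and what each one exposes to anyone who can read the record.
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- 1. Plaintext / reversible storage. This is what a support screen that can
# display the password implies: whoever reads the record (or runs the tool that
# decrypts it for the account manager) has the password itself.
def store_plaintext(password: str) -> Dict[str, str]:
    return {"scheme": "plain", "secret": password}

# --- 2. Unsalted fast hash (MD5). One-way in principle, but the same password
# always gives the same digest, so common passwords fall to a simple lookup.
def store_md5(password: str) -> Dict[str, str]:
    return {"scheme": "md5", "secret": hashlib.md5(password.encode()).hexdigest()}

# Constructed stand-in for a precomputed table of common passwords (assumption).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def crack_md5(record: Dict[str, str]) -> Optional[str]:
    """Recover an unsalted-MD5 password by table lookup; None if not in the table."""
    return MD5_LOOKUP.get(record["secret"])

# --- 3. Salted, iterated hash (PBKDF2-HMAC-SHA256). The record lets the service
# verify a password the customer types or recites, but never display it: no
# field equals the password, and a per-user random salt defeats shared lookup tables.
ITERATIONS = 200_000  # assumed cost parameter for the example

def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "iterations": str(ITERATIONS),
        "secret": digest.hex(),
    }

def verify_pbkdf2(record: Dict[str, str], candidate: str) -> bool:
    """What a support tool or login form should do: recompute and compare, never display."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest, bytes.fromhex(record["secret"]))

def record_reveals_password(record: Dict[str, str], password: str) -> bool:
    """True if the password can be read straight out of the record or recovered by lookup."""
    if record["scheme"] == "plain":
        return record["secret"] == password
    if record["scheme"] == "md5":
        return crack_md5(record) == password
    return False  # salted PBKDF2: nothing in the record maps back to the password

if __name__ == "__main__":
    pw = "letmein"
    for rec in (store_plaintext(pw), store_md5(pw), store_pbkdf2(pw)):
        print(rec["scheme"], "reveals password:", record_reveals_password(rec, pw))
    rec = store_pbkdf2(pw)
    print("customer recites correct password:", verify_pbkdf2(rec, pw))
    print("customer recites wrong password:", verify_pbkdf2(rec, "letmeout"))
```

Note that the "encrypted database" argument some readers make does not change the outcome of scheme 1: if an application can decrypt the password for display, then anyone who can run that application, or steal its key, has the plaintext. Only a one-way scheme like the third removes the ability to read passwords back while keeping the ability to verify them.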

Thanks for the tip, Ashmir.

29 Comments


FYI, the password may be encrypted in the database, thus negating the writer's claim that if someone broke into the database they would have a bunch of decrypted passwords. That is wrong. The database is encrypted. The software used to pull the info up decrypts it so the account manager can read it.

Hmmm... every time I call Verizon I have to confirm my password. If they couldn't see it, why would I need to confirm it?

So if the password on my account couldn't be read or seen, what would I be confirming when I call? When you make a password for an account, it is a given that someone can see it. You are protected in that the company can't use it in a malicious fashion. It appears here that a T-Mobile employee made a mistake and that's it...at least I hope.

TonyLock said,
So they don't use MD5 encryption?

MD5 is not encryption, it's a hashing algorithm. In short, it essentially means the original value cannot be derived from the hashed value. So it's one-way.

Nashy said,
Maybe the rep just changed the password... ever think of that?

It still shouldn't have been public knowledge and should have been a more direct message anyway. Changed or not, it doesn't matter.

well...t-mobile should strictly investigate this matter. It almost destroyed their reputation. People are not gonna believe them anymore.

Faisal Islam said,
well...t-mobile should strictly investigate this matter. It almost destroyed their reputation. People are not gonna believe them anymore.

Anymore? Wait, I must have missed the memo to start believing them. I KID! I love my t-mob and even though I can only get a signal in the exact center of population areas of more than 300K people, I wouldn't trade it for anything!

Faisal Islam said,
well...t-mobile should strictly investigate this matter. It almost destroyed their reputation. People are not gonna believe them anymore.

Um, no, 99.9999999% of people don't care because this is a one-off, waste of our time, non story. It's not like they tweeted their entire database. It's just one doofus who made a mistake.

Nothing to see here. Must be a REALLY slow "news" day. 8P

grockk said,
It's not like it's a bank. What are the hackers going to do, pay my bill for me? Change my plan?

lame.


Haha, good one ;D. Maybe they will give you free access to the T-Mobile network for a lifetime.

grockk said,
It's not like it's a bank. What are the hackers going to do, pay my bill for me? Change my plan?

lame.


They could take over the account or load services on there which you'll have to pay for.

What does Twitter have to do with account information anyway? I know how to accidentally send an e-mail. I know how to accidentally send a text message. But how do you accidentally send a tweet with account information?

Maybe it's just my lack of imagination.

Anyway, the unencrypted password thing is something that I've seen at a lot of companies I worked for. Almost everywhere the passwords are open and visible to anyone with access to the database.
As a developer, I have access to passwords... combined with e-mail addresses. I don't dare to guess how many people use the same password everywhere...

So if I wanted to (which, for the record, I don't want) I could look up someone's Hotmail address and check to see whether they have bought anything with PayPal lately. Wait... maybe they use the same password for their PayPal account... ah, yes. Free money!

I strongly support password privacy. Password encryption should be mandatory at every company.
Also, digital IDs (like Windows Live or Facebook) are dangerous if you care about your privacy.

Bamsebjørn said,
What does Twitter have to do with account information anyway? I know how to accidentally send an e-mail. I know how to accidentally send a text message. But how do you accidentally send a tweet with account information?

I agree. It seems very strange to me.

Benjamin Rubenstein said,
T-Mo = FAIL... Actually, they really aren't that bad. Unfortunately, this kinda stuff just happens sometimes. Can't control all the retarded tweeters out there.

I don't think it's fine to accept that this can just happen. It was supposed to be a direct message and if somebody is using the company Twitter account, they should understand how Twitter works.

Calum said,

I don't think it's fine to accept that this can just happen. It was supposed to be a direct message and if somebody is using the company Twitter account, they should understand how Twitter works.

Agreed. Talk about bizarre... This makes absolutely no sense.

Unfortunately it's the norm that passwords are apparently unencrypted. When you phone up T-Mobile UK you have to confirm you're the account holder by reciting the password on the phone, which they confirm on screen.

testman said,
Unfortunately it's the norm that passwords are apparently unencrypted. When you phone up T-Mobile UK you have to confirm you're the account holder by reciting the password on the phone, which they confirm on screen.

Same with Orange and Virgin Mobile.

Not many places encrypt passwords. I'm not going to confirm how I know that.

Baszert said,
German? It's from the Dutch T-Mobile

Many people make this mistake because of Dutch and Deutsch (Deutsch is German for German ^^). Some people confuse the two.