If you had difficulty wrapping your head around how third-party apps could access your information on Facebook so easily, you'll probably get a migraine after reading this. It appears that T-Mobile Austria stores customer passwords in plain text in its database because its security is "amazingly good".
In a mind-boggling Twitter thread, people who manage the T-Mobile Austria account have confirmed that customer service agents see the first four characters of a user's password and that the whole credential is saved in the database in plain text.
Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for https://t.co/vJapgJ50qc ^andrea— T-Mobile Austria (@tmobileat) April 4, 2018
This essentially means that a rogue customer service agent who can read the first four characters could recover the rest of a password with relatively little effort by brute force, since knowing four characters shrinks the search space considerably. And if there's a data breach, the passwords will be available to the attacker in plain text. When this was explained to the T-Mobile representatives, they replied that there is nothing to fear because T-Mobile's security is "amazingly good".
@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe— T-Mobile Austria (@tmobileat) April 6, 2018
While T-Mobile Austria customers have genuine reasons to be worried, T-Mobile CEO John Legere has clarified that the company's US division doesn't store passwords in plain text.
I can only speak to @tmobile US. Our care reps can’t see passwords and we don’t store them in plain text.— John Legere (@JohnLegere) April 7, 2018
It's currently unclear whether T-Mobile Austria will take action to secure passwords by methods such as hashing, but it's certainly baffling to see companies defend practices like this in this age of cybersecurity.
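As an added illustration (not code from the article or from T-Mobile), here is the plaintext design the thread describes beside a hashed one, in Python; the function names, the record layout and the PBKDF2 iteration count are assumptions:

```python
import hashlib
import hmac
import os

# Weak design from the thread: the password itself is stored, so anyone with
# read access (an agent, or an attacker after a breach) can see it, and a
# four-character reveal shrinks the remaining search space.
plaintext_store = {}

def plaintext_register(user, password):
    plaintext_store[user] = password

def plaintext_agent_view(user):
    # What a support screen can show when the password is stored as-is.
    return plaintext_store[user][:4]

def remaining_guesses(alphabet_size, length, revealed):
    # Upper bound on guesses left once `revealed` leading characters are known.
    return alphabet_size ** (length - revealed)

# Hardened design: keep only a salted, slow hash. Login still works by
# recomputing the hash, but the record reveals no character of the password.
PBKDF2_ITERATIONS = 600_000  # assumed setting; tune to your hardware

hashed_store = {}

def hashed_register(user, password):
    salt = os.urandom(16)  # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    hashed_store[user] = (salt, digest)

def hashed_verify(user, password):
    record = hashed_store.get(user)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def record_contains_password(user, password):
    # A support tool or breach dump built on this store has nothing to show.
    salt, digest = hashed_store[user]
    return password.encode() in salt + digest

if __name__ == "__main__":
    plaintext_register("claudia", "S3cretPassw0rd"); hashed_register("claudia", "S3cretPassw0rd")
    print("agent sees:", plaintext_agent_view("claudia"))
    print("guesses left:", remaining_guesses(62, 8, 4), "vs", remaining_guesses(62, 8, 0))
    print("login ok:", hashed_verify("claudia", "S3cretPassw0rd"))
```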