On April 4th, T-Mobile Austria’s Twitter account replied to a customer that customer service could see the first four characters of a user’s password, and that passwords were stored in an easily viewable form because customers would need them to log in.
In two tweets T-Mobile Austria said they were storing passwords in plain text, and that they didn’t see why this would be a problem.
What followed tested the upper limits of what my phone’s scrolling screenshot capture could hold, as yet another representative let users know that their data was stored very carefully, so there was nothing to fear.
While that might have been enough for some, others were not having it.
Yeah, T-Mobile Austria’s security is amazingly good, Eric. Why can’t you let them be?
It went downhill when the T-Mobile Austria Twitter account asked if people were employees and were trying to send warnings/threats.
Some people decided to test how that “amazingly good security” held up and found XSS vulnerabilities in the IIS servers T-Mobile Austria was using.
After what must have been a great week of commentary, T-Mobile Austria announced that there had been no data breach and that their databases were encrypted and secured. That said, since the passwords were stored in plain text, there is not much convincing anyone that the database passwords weren’t hard-coded into the web pages serving them.
As of two hours ago they have announced that they will attempt to secure passwords further by salting and hashing them, which will probably help T-Mobile Austria’s incredibly secure security out some.
As we previously said we will implement further steps to secure passwords. Passwords will be salted and hashed, service agents will not be able to see any parts of passwords. We will implement this as quickly as possible.
— T-Mobile Austria (@tmobileat) April 9, 2018
You can read the thread from the start here (tweet by Claudia Pellegrino, @c_pellegrino, April 4, 2018).