In what seems to be an emerging pattern, telecommunications companies have been admitting to serious lapses in their security. After T-Mobile and AT&T, Sprint is the latest telecommunications service provider to disclose major shortcomings in its cybersecurity. A cybersecurity researcher was able to gain access to an internal company portal that was strictly restricted to staff. What seems even more alarming than the breach itself is the method used to carry it out.
The security expert, who wished to remain anonymous, gained access to the Sprint staff portal by guessing the relevant usernames and passwords. Once inside, he was able to reach pages that would have given him further access to the account information of every customer. Sprint is one of the largest telecommunications companies in the United States, with over 55 million customers. In addition to Sprint user data, the ethical hacker was also able to access the information of users of Sprint’s subsidiaries, namely Boost Mobile and Virgin Mobile.
“Based on the information provided, legitimate credentials were used to access the site. Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts,” said a Sprint spokesperson.
All that was needed was a user’s mobile number and a confidential four-digit PIN, which was easy to bypass. The security researcher admitted to using a brute force technique, which entails trying every possible PIN combination. This was possible mainly because users had an unlimited number of attempts to enter their PIN.
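The weakness described above is the absence of any attempt limit on a four-digit PIN, which has only 10,000 possible values. The following added example (not code from the article or from Sprint) contrasts an unlimited-attempt PIN check with one that locks the account after a small number of consecutive failures. The sample mobile numbers and PINs are constructed placeholders, and the lockout threshold of five attempts is an assumed policy, not one the article reports. The helper `exposure_from_exhaustive_guessing` runs against local sample data only, to show how many guesses each policy permits.

```python
import hmac

# Constructed sample account data: mobile number -> four-digit PIN.
# Placeholder values, not real subscriber data.
SAMPLE_PINS = {
    "5550100": "4821",
    "5550101": "0007",
}


class PinVerifier:
    """PIN check with an optional per-account lockout after repeated failures.

    max_attempts=None reproduces the unlimited-attempt behaviour the article
    describes; a small integer (assumed policy) is the hardened setting.
    """

    def __init__(self, pins, max_attempts=None):
        self._pins = dict(pins)
        self._max_attempts = max_attempts
        self._failures = {}   # number -> consecutive failed attempts
        self._locked = set()  # numbers that require out-of-band reset

    def is_locked(self, number):
        return number in self._locked

    def verify(self, number, pin):
        """Return True only if the PIN matches and the account is not locked."""
        if number in self._locked:
            return False
        expected = self._pins.get(number)
        # Constant-time comparison; an unknown number still counts as a
        # failure so the response does not reveal which numbers are valid.
        if expected is not None and hmac.compare_digest(expected, pin):
            self._failures.pop(number, None)
            return True
        failed = self._failures.get(number, 0) + 1
        self._failures[number] = failed
        if self._max_attempts is not None and failed >= self._max_attempts:
            self._locked.add(number)
        return False


def exposure_from_exhaustive_guessing(verifier, number):
    """Measure how many guesses a verifier allows before a PIN is recovered.

    Returns (pin_or_None, attempts_made). Used only to compare the two
    policies on the constructed sample data above.
    """
    attempts = 0
    for candidate in range(10000):
        if verifier.is_locked(number):
            break
        attempts += 1
        if verifier.verify(number, f"{candidate:04d}"):
            return f"{candidate:04d}", attempts
    return None, attempts


if __name__ == "__main__":
    unlimited = PinVerifier(SAMPLE_PINS)
    print("unlimited attempts:", exposure_from_exhaustive_guessing(unlimited, "5550100"))
    hardened = PinVerifier(SAMPLE_PINS, max_attempts=5)
    print("lockout after 5:", exposure_from_exhaustive_guessing(hardened, "5550100"))
```

With no limit, the full PIN space is searched and the sample PIN is recovered after a few thousand guesses; with the lockout, the account is locked after five failures and the correct PIN is rejected until it is reset. In production the counter would live in shared storage keyed by account (and ideally by source address as well), with an alert raised when an account locks, since a burst of lockouts across many numbers is the signal a defender would want to see for this kind of activity.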