Reconsidering Identity Security: The T Mobile® Breach

By Zach DeMeyer Posted August 27, 2018

Passwords Exposed T Mobile

A week ago today another massive corporation was the target of a hacking attempt: telecom company, T Mobile®. The company was targeted by a reportedly “international” hacking group. The attack was successful, with almost 2 million T Mobile customers’ data compromised. That’s almost 3% of their customer base. The thought of such a breach sends chills down the spine. It’s times like these that one can only hope that companies start taking identity security seriously.

The T Mobile Breach

Hacked Information

Per their press release, T Mobile’s cyber-security team found that the hackers responsible for the August 20th breach made out with at least one or more of 2 million people’s “name, billing zip code, phone number, email address, account number, and account type” (T Mobile). Luckily, no credit card data was reportedly stolen, but something just as critical may have been.

The representatives from T Mobile claim that “no passwords were compromised.” This statement, however, is a sort of half truth. After their original release, the press team at T Mobile told the public that passwords were, in fact, stolen, but were all encrypted, and therefore, uncompromised.

As you likely know, not all encryption is created equal. The compromised-not-compromised passwords were supposedly encrypted using an outdated hashing algorithm, MD5, which was “no longer considered safe” by its creators in 2012 after the 6.4 million user LinkedIn hack. Even if the passwords were encrypted in a method that wasn’t the MD5 algorithm, experts say that the hashing method could be reverse engineered with a few larger hash samples from the T Mobile database (Motherboard).

Reconsidering Identity Security

Clearly, the whole situation with T Mobile is both a frightening and thought-provoking one. How can enterprises and individuals alike prevent something similar happening to them? Well, here at JumpCloud, we believe firmly in adopting strong password management principles and taking advantage of other identity security tools on the market, such as multi-factor authentication (MFA) or a zero trust security model.

It’s not just a passing phase, folks. If the T Mobile breach should teach us anything, it’s that these sort of breaches are almost a monthly (even weekly) occurrence. These days, your online identity is the gateway to, well, everything. Social security numbers, credit cards, sensitive company information. The list of “hackable” information goes on and on. If anything, most (if not everyone) should be incorporating MFA into their online accounts. According to Symantec, 80% of breaches could be eliminated by multi-factor authentication. Couple MFA with tighter password complexity requirements, biometrics, or perhaps an up-to-date hashing algorithm, and companies can dramatically decrease the chances of identity compromise.

If you are interested in implementing stronger security practices such as MFA at your organization, contact us to learn more.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.

Recent Posts