Apple Online Store Security Flaw Exposed PINs of T-Mobile Customers

Discussion in 'News Discussion' started by MacRumors, Aug 24, 2018.

  1. JohnnyApple$eed macrumors member


    Feb 19, 2015
    Absolutely blown away by this, T-Mobile has 72M customers?!?!
  2. theheadguy macrumors 65816

    Apr 26, 2005
    no... don’t... heads are exploding as a result of this...

  3. TheShadowKnows! macrumors 6502a


    Sep 30, 2014
    National Capital Region
    Six digits ::= birthdate ::= {MMDDYY or DDMMYY or YYMMDD} (more likely than not)

    And, she is correct when she said "... accept that people are going to write it down". Kudos to her!

    No offense dude, this reminds me of security jockeys that enforce users' passwords:
    1. with mandatory changes every two months,
    2. with a retention history of no less than two years (i.e. uniqueness amongst twelve old passwords), and
    3. with no less than N alphameric and special characters (with N a large number).
    More likely than not, the users are prone to keep clear text logs, even post-it notes, of their password history, defeating the security so proudly enforced.
  4. avanpelt macrumors 68030

    Jun 2, 2010
    T-Mo's had a hell of a day. This morning, it was disclosed that a breach impacted 2 million of their customers. Now there's this story about the account PINs of 72 million of their customers being exposed.
  5. SteveJUAE macrumors 68030


    Aug 14, 2015
    Land of Smiles
    Don't worry the other X100M:apple: customers are safe …………………………. ish
  6. coolfactor macrumors 601

    Jul 29, 2002
    Vancouver, BC CANADA
    What an irresponsible article, both here and at BuzzFeed. It's difficult to trust when MacRumors reports "72 million" when the original BuzzFeed article reports "77 million".

    And then to say that many were "exposed"? What, a hacker successfully obtained the PINs of that many T-Mobile customers, or had the *potential* of obtaining that many? Those are two VERY different things! Neither article details exactly how many accounts were actually compromised. I suspect it was far, far less than 70+ million!
  7. alphaod macrumors Core


    Feb 9, 2008
    But you would still need my password to access your account... no?
  8. pika2000 macrumors 603

    Jun 22, 2007
    So it’s about brute forcing a PIN where there’s no limit. Hate to say it but that’s not hacking.
  9. Westside guy macrumors 603

    Oct 15, 2003
    The soggy side of the Pacific NW
    For anyone. :p
  10. ipponrg macrumors 68000

    Oct 15, 2008
    Yeah, the article didn't mention they were hacking. It said they were brute force attacking. However, hacking in its most simple definition is just identifying a system's weakness and exploiting it. In this case, there was no limit on PIN input.
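
Added example, not part of the thread and not Apple's or T-Mobile's code: a minimal per-account attempt limiter of the kind whose absence ("no limit on PIN input") is discussed above. The class name, the policy values (5 failures, 15-minute lockout) and the sample account are assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout length in seconds


class PinVerifier:
    """PIN check with a failure counter keyed by account, not by IP or session,
    so spreading guesses across many clients does not reset the limit."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins            # account id -> PIN (constructed sample data)
        self._clock = clock          # injectable so the lockout can be tested
        self._failures = {}          # account id -> consecutive failures
        self._locked_until = {}      # account id -> time the lockout ends

    def verify(self, account, pin):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"          # the PIN is not even compared while locked
        expected = self._pins.get(account, "")
        if expected and hmac.compare_digest(expected.encode(), pin.encode()):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0
        return "denied"


def guesses_evaluated(verifier, account, candidates):
    """Count how many candidate PINs were actually compared before lockout."""
    evaluated = 0
    for pin in candidates:
        if verifier.verify(account, pin) == "locked":
            break
        evaluated += 1
    return evaluated
```

With this in place, a sequential walk through all 10,000 four-digit values gets only `MAX_FAILURES` comparisons per lockout window instead of the whole space.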
  11. allenvanhellen macrumors regular

    Dec 8, 2015
    Did this expose all of them or just make all of them POTENTIALLY vulnerable to being exposed?
  12. gooey macrumors newbie

    Sep 10, 2008
    Now I'm confused. I think this means some kind of T-mobile account PIN, which is not the same with my iPhone PIN that I can use to unlock the phone, right? There's no way that either Apple or T-mobile had access to the PIN I use - this would be equivalent to storing my raw fingerprint images on their server!

    I use ID and Password when logging in to T-Mobile web site, so I don't even know what PIN they mean here.
  13. Marshall73 macrumors 68000


    Apr 20, 2015
    So, should this not read “potentially exposed the passcodes to be potentially hacked via brute force before the exploit was fixed” or is that not sensational enough? It’s a bit click baity.
  14. Piggie macrumors G3


    Feb 23, 2010
    I agree about just 4 digit pins not being secure at all really.
    Which is why I was so shocked that in the UK, and I assume many other countries, when we moved over to "CHIP AND PIN" Credit / Debit cards, the only form of security was a 4 number PIN of numeric digits. "0 - 9"

    That's terrible.

    At least if they had put an alphanumeric keyboard at the terminal you could have had A-Z and 0-9 to pick 4 characters from.
    But no......
  15. Mascots, Aug 25, 2018
    Last edited: Aug 25, 2018

    Mascots macrumors 68000


    Sep 5, 2009
    Wait, were actual security pins leaked or were they just easily brute forced?
  16. LinusR macrumors 6502


    Jan 3, 2011
    Agree with this one; also, the bigger you get, the more complex your systems grow, which in turn renders maintaining high quality security more difficult.
  17. JackieInCo Suspended

    Jul 18, 2013
    The article I read elsewhere says AT&T was involved as well.
  18. apolloa, Aug 25, 2018
    Last edited: Aug 25, 2018

    apolloa macrumors G4

    Oct 21, 2008
    Time, because it rules EVERYTHING!
    Bit of a non-story, nothing happened, just the usual security hole that Apple was most likely told about months ago and did nothing about it, until it went public.
    Like other companies. But all it states is they were exposed, in other words exposed to the world but no one noticed or cared.

    I do hope Apple didn’t keep the pins as plain text like the lazy companies do and hashed them? I think that’s the term anyway.
  19. Stiss macrumors 6502a

    Apr 18, 2009
  20. iapplelove macrumors 601


    Nov 22, 2011
    East Coast USA
    I can only speak for AT&T, which calls theirs a passcode. Didn’t know I had one either but I do.

    It’s there in case you forget all your credentials and need to verify yourself over the phone.

    Or you can add it to another layer of security when you call in and always have to verify your pin along with everything else.

    It’s only 4 digits and with AT&T you can’t just change it like a password. You have to verify your last 4 of the social first.

    Then their auto system will allow a new passcode to be generated.

    I just changed mine, along with my password.
    --- Post Merged, Aug 25, 2018 ---
    It sure is. But big companies have a knack for making these kinds of headlines go away quickly in the news.

    But at the same time, after the Equifax breach nothing really bothers me like it used to lol.
  21. tizeye, Aug 25, 2018
    Last edited: Aug 25, 2018

    tizeye macrumors 6502a


    Jul 17, 2013
    Orlando, FL
    What PIN? As a T-Mobile customer for well over a decade I don't have a PIN and don't recall ever having to create one. Changing to a new phone has never been problematic, and even easier thanks to Apple and iCloud. Long gone are the days of wired content porting between the old and new phones. Yes, I have a T-Mobile online account, but it uses a regular password well beyond 4 digits on a PIN.

    Given that I spend about 3 weeks in Europe, T-Mobile is the only way to go with free email, text, and wifi to plan limit (unlimited in my case) in most countries. Calls do cost - but not Facetime/Skype. Rules out ATT and Verizon who charge hundreds for the same multi-week non-call international service.
  22. Neo-Tech macrumors regular

    Jun 19, 2009
    What a hilarious comment. This article has NOTHING to do with T-Mobile’s security in general. Almost completely ignoring that it’s 100% Apple’s fault. But let’s just skirt over that and look at T-Mobiles security instead.
  23. MacBH928 macrumors 68040


    May 17, 2008
    Personally I am tired of digital data breaches... I am tired of everything needing pin codes, passwords, two-factor authentication, secret questions. The internet is convenient, but maybe we should take a step back and return to the "analogue" days or "disconnected" days instead of having to panic that our whole lives are digitally online somewhere.

    Things were much better when all we need to worry about online is our email and its password...and there was no data tracking collection.
  24. apolloa macrumors G4

    Oct 21, 2008
    Time, because it rules EVERYTHING!
    Trouble is we have all these fancy online services now like finding your nearest whatever. So you need to be tracked, the majority of them are offered for free so are paid for by advertising, and so you need to be tracked so you have targeted advertising.

    If you're happy to lose a lot if not all of these services then we can go back to analogue days.
    It’s funny we live in a world now where a paper and pen is more secure because it can’t be hacked.
  25. Jsameds macrumors 68040

    Apr 22, 2008
    Apple devices do have good security.
