Following security vulnerabilities affecting AT&T and T-Mobile a few days ago, TechCrunch reports this weekend that Sprint is also facing a security loophole. According to the report, Sprint used “two sets of easy-to-guess usernames and passwords” for access to a company portal that housed customer data.
TechCrunch says that a security researcher was able to successfully gain access to an internal Sprint staff portal using “two sets of weak, easy-to-guess usernames and passwords.” The portal log-in page did not use two-factor authentication, and the security researcher said they were able to reach pages that “could have” allowed access to customer account data.
Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher — who did not want to be named — navigated to pages that could have allowed access to customer account data.
On the employee portal were tools for things such as device swaps, cell plan management, activation status, and more. In addition to Sprint customers, the data of Boost Mobile and Virgin Mobile customers – both Sprint subsidiaries – was also accessible.
When alerted about the security lapse, Sprint said it did not believe customer information could have been obtained, though it added that customer security is a top priority and the issue had been resolved:
“After looking into this, we do not believe customer information can be obtained without successful authentication to the site,” said a Sprint spokesperson.
“Based on the information and screenshots provided, legitimate credentials were utilized to access the site. Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts,” the spokesperson said.
News of Sprint’s apparent lapse in security comes just a few days after security flaws affecting T-Mobile and AT&T were also exposed. You can read more on those loopholes in our original coverage right here.