An unidentified security researcher gained access to an internal staff portal housing Sprint, Boost, and Virgin Mobile customer data.
Using “two sets of weak, easy-to-guess usernames and passwords” (and taking advantage of the portal’s lack of two-factor authentication), the researcher claims he identified a major security loophole in Sprint’s internal system that allowed him to access pages which “could have” allowed access to customer account data, according to the report published by TechCrunch over the weekend.
“Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal,” the report said, adding that “Because the portal’s log-in page didn’t use two-factor authentication, the researcher — who did not want to be named — navigated to pages that could have allowed access to customer account data.”
According to the researcher, once he was granted access to the Sprint internal portal after several failed attempts, he was able to view a host of tools for carrying out actions including device swaps, wireless plan management, viewing and editing device activation status, and more for Sprint, Boost and Virgin Mobile customers.
A Sprint spokesperson appeared to push back on Monday morning, saying that the carrier does not believe any customer information could have been obtained. Nevertheless, they added that “the issue” has since been resolved, noting that customer security is among the carrier’s top priorities.
“After looking into this, we do not believe customer information can be obtained without successful authentication to the site,” the Sprint spokesperson said, adding that “Based on the information and screenshots provided, legitimate credentials were utilized to access the site. Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts.”
While apparently no customer data was actually stolen for malicious purposes (yet), the researcher’s discovery has shed light on what is merely the latest in a string of high-profile data breaches affecting major U.S. carriers including T-Mobile and Verizon Wireless, as well as several other international tech and services companies.
If you’re a Sprint, Boost Mobile or Virgin Mobile prepaid customer, it’s highly recommended that you log in and change your password now.
Use a stronger, alphanumeric passcode utilizing a mixture of numbers, upper- and lower-case letters, and/or symbols to ensure optimum security and protection of your account going forward.