A security oversight at Apple's online store exposed tens of millions of T-Mobile customer PIN codes, but did not affect AT&T, Sprint, or Verizon customers. However, in a separate security incident that occurred on the website for Asurion, a company that provides insurance for cell phones, passcodes for AT&T customers were exposed as well.
The security gaffe that affected T-Mobile customers is related to Apple's online purchase system when buying an iPhone. When a customer buys an iPhone through Apple's online store, they are asked to select a monthly payment installment option, in this case through T-Mobile, and are presented with an authentication form that asks for their T-Mobile phone number, and account PIN or last four digits of their Social Security number, both of which are sensitive information.
As security researchers Phobia and Nicholas "Convict" Ceraolo explained to BuzzFeed, the authentication page did not have a limit on the number of entry attempts permitted. As such, it was susceptible to brute force attacks in which a hacker could rapidly guess a customer's PIN until they get it right. This only affected T-Mobile customers.
Ceraolo chalked it up to an engineering mistake in the validation API. The oversight exposed over million 77 million T-Mobile customers, though it's not clear if hackers actually took advantage of the vulnerability, and if so, how many PIN codes they were able to guess.
In a separate security incident, the PIN codes of AT&T customers who purchased phone insurance through Asurion were left vulnerable to hacking. Specifically, one of Asurion's insurance claim pages allowed hackers to gain access to another page containing a customer's PIN code, if they already knew the customer's phone number. It's not clear how many customers were affected though.
"Asurion takes customer security and privacy very seriously, and as such we have an ongoing, layered security program in place to prevent security issues. We are investigating the researcher’s concerns, but have immediately implemented measures to address these concerns to ensure customers’ accounts are safe," a spokesperson for Asurion said.
PIN codes are considered sensitive information in part because, by default, they are often the last four digits of a person's Social Security number. In addition, a hacker could use a person's PIN code to hijack their calls and text messages, which in turn can be used to authenticate someone's identity on banking websites and other places.