In the wake of a T-Mobile security breach, number four carrier Sprint faces a similar security issue. A TechCrunch report says Sprint used “two sets of easy-to-guess usernames and passwords” to allow access to a company portal that contained customer data.
Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher — who did not want to be named — navigated to pages that could have allowed access to customer account data.
Sprint is the fourth largest US cell network with 55 million customers.
The employee portal contains tools used to perform device swaps, manage cell service plans, view activation status, and more. Customer data for Sprint subsidiaries Boost Mobile and Virgin Mobile were also accessible.
When informed of the issue, Sprint stated that it didn’t believe customer information was accessible, but that the issue had been fixed.
“After looking into this, we do not believe customer information can be obtained without successful authentication to the site,” said a Sprint spokesperson.
“Based on the information and screenshots provided, legitimate credentials were utilized to access the site. Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts,” the spokesperson said.