The hacktivist group TeaMp0isoN has published the names and passwords of T-Mobile staff.
Following a dump of data on Pastebin, it said: "Look at the passwords, epic fail. All the passwords are manually given to staff via an admin who uses the same set of passwords." Talking to Softpedia the hackers said they targeted T-Mobile as it is supporting the Patriot Act in the US – and they would view any mobile phone company doing so as a legitimate target.
“One of the main reasons for the hack is because they are corrupted, but we also wanted to show how weak their security is,” the group said. It claimed to have found SQL injection vulnerabilities on the T-Mobile website, through which it obtained the names, email addresses, phone numbers and passwords of the administrators and staff members.
T-Mobile's parent company, Deutsche Telekom, said that only the newsroom section of the website was compromised and no other T-Mobile properties were affected. No customers have been affected, it said.
John Stock, senior security consultant at Outpost24, said: “The most worrying aspects of this attack are twofold. Firstly, the passwords used by T-Mobile staff seem to have been given to them by administrators who employ the same password for each individual, a fundamental security error. Secondly, TeaMp0isoN seem to have used an SQL injection to breach defences, one of the most used and most easily defended against means of attack.
“On closer analysis, these points can be attributed to a single failing by T-Mobile – a lack of understanding of current security threats. By now companies should be aware of the risks posed to their IT systems by common vulnerabilities, such as SQL and XSS attacks. Additionally, if companies are handing out passwords to staff they should be unique to each person, meaning that if one account is compromised, others aren't.”
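The two failings Stock describes, string-built SQL and a shared password handed to every account, are both cheap to avoid. The following is an added example written for this article, not code from T-Mobile, TeaMp0isoN or Outpost24: it provisions a constructed staff table with a unique random password per person (storing only a salted PBKDF2 hash), contrasts a lookup that splices input into the query text with one that binds it as a parameter, and verifies a login. The staff names and the tautology input are constructed for the demonstration.

```python
import hashlib
import secrets
import sqlite3

# Constructed staff list for the example; the names are made up.
STAFF = ["alice", "bob", "carol"]


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; only this digest is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def provision_staff(conn: sqlite3.Connection, usernames) -> dict:
    """Issue one random password per account and persist only a salted hash.

    Returns the plaintexts once so each can be handed to its owner, which is
    the 'unique to each person' rule the article calls for: compromising one
    account reveals nothing usable against another.
    """
    conn.execute(
        "CREATE TABLE IF NOT EXISTS staff "
        "(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    issued = {}
    for user in usernames:
        password = secrets.token_urlsafe(16)   # independent per account
        salt = secrets.token_bytes(16)
        conn.execute(
            "INSERT INTO staff VALUES (?, ?, ?)",
            (user, salt, _hash_password(password, salt)),
        )
        issued[user] = password
    conn.commit()
    return issued


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Anti-pattern: the input becomes part of the SQL text, so a quote
    # character in it changes the structure of the statement.
    sql = f"SELECT username FROM staff WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameter binding: the driver passes the value as data and the
    # database never parses it as SQL, whatever characters it contains.
    rows = conn.execute(
        "SELECT username FROM staff WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM staff WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the recomputed digest with the stored one.
    return secrets.compare_digest(_hash_password(password, row[0]), row[1])


def demo() -> dict:
    """Run the whole scenario on an in-memory database and report what happened."""
    conn = sqlite3.connect(":memory:")
    issued = provision_staff(conn, STAFF)
    # Constructed input containing a quote and a tautology, the classic
    # shape of the injection class the article mentions.
    tautology = "x' OR '1'='1"
    return {
        "unique_passwords": len(set(issued.values())) == len(issued),
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),  # every row
        "safe_rows": len(lookup_safe(conn, tautology)),              # no such user
        "alice_ok": verify_login(conn, "alice", issued["alice"]),
        "bob_with_alice_pw": verify_login(conn, "bob", issued["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same input returns the entire table from the string-built query and nothing from the parameterised one, which is the whole of the SQL injection fix: bind values, never concatenate them. The per-account random secrets mean Alice's password does not open Bob's account, which is the property a shared administrator-issued password destroys.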
TeaMp0isoN has previously targeted large organisations, with the United Nations targeted in November, and hit the headlines in the summer when the official BlackBerry blog was defaced after its parent, RIM, said it would co-operate fully with the Home Office and police following the London riots.