TechCrunch has confirmed that the provider was using two sets of easily-guessed logins that let a security researcher access a company portal with access to customer data.
Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher navigated to pages that could have allowed access customer account data.
The researcher would only have needed an account holder’s phone number and a four-digit PIN to access their data, change plans or swap devices, and there was no limit on the number of PIN guesses.
In a statement, Sprint confirmed that the expert used “legitimate credentials” to get in. It promptly changed the passwords and vowed to “research this issue” in a bid to avoid a repeat.