T-Mobile and AT&T customers’ account PINs — passcodes meant to protect mobile accounts from being hacked — have been exposed by two different security flaws, which were discovered by security researchers Phobia and Nicholas “Convict” Ceraolo.
Apple’s online store contained the security flaw that inadvertently exposed over 72 million T-Mobile customers’ account PINs. The website for Asurion, a phone insurance company, had a separate vulnerability that exposed the passcodes of Asurion’s AT&T customers.
Apple and Asurion fixed the vulnerabilities after BuzzFeed News shared the security researchers’ findings. Apple declined to provide further comment on the record, stating only that the company is very grateful to the researchers who found the flaw. Asurion spokesperson Nicole Miller said, “Asurion takes customer security and privacy very seriously, and as such we have an ongoing, layered security program in place to prevent security issues. We are investigating the researcher’s concerns, but have immediately implemented measures to address these concerns to ensure customers’ accounts are safe.”