An anonymous security researcher found an internal Sprint staff portal that was protected by two sets of weak, easy-to-guess passwords.
The researcher was able to access pages which would have easily allowed him to steal or manipulate customer data.
In an email sent to TechCrunch, which broke this story, Sprint confirmed the validity of the weak credentials used to access its staff portal, and has since changed those passwords.
The portal in question allows a user to perform a number of operations, such as conducting a device swap, changing data plans and add-ons, checking activation statuses, replenishing customer accounts, and viewing customer account information.
All a hacker would have needed to access this portal, and potentially conduct all these actions, was a phone number and a 4-digit security PIN, which could easily be guessed, considering the page had no limit on the number of PIN attempts allowed.
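The missing control here is server-side attempt limiting: a 4-digit PIN has only 10,000 possible values, so a verifier that accepts unlimited guesses offers almost no protection. The following is an added example (not Sprint's code or anything from the original report) of how a PIN check can be written so that a handful of wrong guesses locks the account for a cooling-off period, with the PIN stored as a salted PBKDF2 hash and compared in constant time. The phone numbers, PIN, limits and the in-memory account store are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example: a 4-digit PIN has only 10_000 distinct values, so the
# verifier must count failed attempts per account and lock the account once
# the limit is reached. Constants below are illustrative, not a recommendation
# from the original article.
MAX_ATTEMPTS = 5            # failed attempts allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash of the PIN (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinVerifier:
    """Hypothetical in-memory account store keyed by phone number."""

    def __init__(self) -> None:
        self._accounts = {}

    def enrol(self, phone: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[phone] = {
            "salt": salt,
            "pin_hash": hash_pin(pin, salt),
            "failed": 0,
            "locked_until": 0.0,
        }

    def verify(self, phone: str, pin: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self._accounts.get(phone)
        if acct is None:
            # Unknown number: do the same amount of work as a real check so
            # response time does not reveal which numbers are enrolled.
            hash_pin(pin, b"\x00" * 16)
            return "denied"
        if now < acct["locked_until"]:
            # Locked accounts are refused even when the PIN is correct.
            return "locked"
        candidate = hash_pin(pin, acct["salt"])
        if hmac.compare_digest(candidate, acct["pin_hash"]):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
        return "denied"


if __name__ == "__main__":
    v = PinVerifier()
    v.enrol("+15550100", "4821")          # constructed sample account
    for guess in ("0000", "0001", "0002", "0003", "0004"):
        print(guess, v.verify("+15550100", guess, now=1000.0))
    print("correct PIN while locked:", v.verify("+15550100", "4821", now=1000.0))
    print("after lockout expires:",
          v.verify("+15550100", "4821", now=1000.0 + LOCKOUT_SECONDS))
```

With this in place an exhaustive guess of the PIN space would have to sit through thousands of lockout periods instead of completing in seconds, and a burst of lockouts across many accounts is itself a signal worth alerting on.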
Access to telecom portals such as this one allows hackers to carry out "SIM swapping" attacks, which target and hijack cell phone numbers.
Hijacking phone numbers allows hackers to gain access to online accounts, as phone numbers are often used as backup methods of recovering lost passwords.
Hackers can also use "SIM swapping" attacks to intercept two-factor authentication codes and steal the contents of cryptocurrency wallets.
An investigation by Motherboard revealed that hundreds of people across the US have had their cell phone numbers stolen over the past few years.
The best way to protect your online accounts from being compromised by "SIM swapping" attacks is to set up two-factor authentication using an authenticator app, instead of relying on SMS to deliver the codes.
Myki is perfect for receiving your 2FA codes, storing your passwords, and much more.