Customer Info Vulnerabilities Hit Three Major US Carriers

August 27, 2018

Security researchers have found that Sprint, T-Mobile and AT&T were all affected by security issues, in two of the three cases at least partly outside the carriers' control, that left vital customer information such as account PINs potentially exposed. Sprint's flaw stemmed from an internal employee portal that attackers could access simply by trying common username and password combinations. AT&T customers' information could be compromised by brute-forcing their account PINs on the website of phone insurer Asurion, and a similar attack was possible against T-Mobile accounts through the page on Apple's website used to lease a new iPhone. All three issues have since been patched.

To go into a bit of detail: in both the Asurion and Apple cases, the problem boiled down to inadequate protection on the page itself. Both pages normally enforce a limited-time lockout that blocks further attempts for a specified period after consecutive incorrect entries of account information. That lockout was in place for every other carrier on the pages in question, but the Apple page and the Asurion page appear to have improperly integrated the customer-verification APIs that linked them to T-Mobile and AT&T, respectively, so the lockout did not apply. Sprint, meanwhile, had an employee portal login page that was too easy to find, no brute-force protection of the kind described above, and some employees reportedly using username and password combinations that were common or otherwise weak and easy to guess.
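The lesson in the Apple and Asurion cases is that a lockout enforced only by a front-end page does not protect a verification API that a partner site calls directly. The following added example (not code from any of the carriers or from the article) puts the per-account lockout inside the verification service itself, so every caller is bound by it; the threshold, lockout duration, account number and PIN are constructed sample values.

```python
import hmac
import time

LOCKOUT_THRESHOLD = 3       # consecutive failures before lockout (constructed value)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (constructed value)


class PinVerifier:
    """Account-PIN verification with server-side lockout.

    The lockout state is keyed by account and kept in the service, so the
    carrier's own page, a partner page, or a script calling the API directly
    all see the same limit. A clock is injected so behaviour can be tested.
    """

    def __init__(self, pins, clock=time.time):
        self._pins = dict(pins)      # account -> PIN (constructed sample data)
        self._failures = {}          # account -> consecutive failed attempts
        self._locked_until = {}      # account -> unix time when lockout expires
        self._clock = clock

    def verify(self, account, pin):
        """Return 'ok', 'wrong', or 'locked'. Fails closed while locked."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"          # even a correct PIN is refused during lockout
        expected = self._pins.get(account, "")
        # Constant-time compare so timing does not leak how many digits match.
        if expected and hmac.compare_digest(expected, pin):
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= LOCKOUT_THRESHOLD:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = PinVerifier({"555-0100": "1234"})
    print(v.verify("555-0100", "0000"), v.verify("555-0100", "0001"),
          v.verify("555-0100", "0002"), v.verify("555-0100", "1234"))
```

Locking per account rather than per caller or per page is what closes the gap the article describes: an integrator that skipped the page-level control would still be stopped by the service.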

Read more at Androidheadlines
