Sprint staff portal poorly secured, allowed for easy SIM swapping attack

According to TechCrunch, an anonymous individual described as a "security researcher" was able to easily access an internal Sprint staff portal. The researcher got into the system using "two sets of weak, easy-to-guess usernames and passwords," while also exposing the system's lack of two-factor authentication. This led to the hacker reaching pages that "could have allowed access [to] customer account data." This data was for Sprint as well as subsidiaries Boost Mobile and Virgin Mobile.

At one point, the researcher ended up in a part of the portal in which all that was needed to access individual accounts was a phone number and PIN number, with no time or attempt limitation on PIN number attempts. In that section of the site, attackers could execute a device swap, adjusted plans or replenished the account. The system, at that point, had no limit for the amount of attempts.

This vulnerability leaves Sprint's system especially vulnerable to "SIM-swapping" attacks. The vector allows an attacker to take over a target's phone number, and use it to access bank accounts and other personal information. Given the phone number-centric nature of most two-factor authentication methods, this can expose a target to mass account theft.

After getting into the system, the researcher then notified TechCrunch, who in turn told Sprint.

"Based on the information and screenshots provided, legitimate credentials were utilized to access the site," Sprint said in a statement. "Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts."

The Sprint breach follows news from last week that T-Mobile recently suffered a data breach of its own. The carrier announced Friday that it had "discovered and shut down an unauthorized access to certain information" which may have affected the data of up to two million customers. Sprint and T-Mobile earlier this year agreed to merge, with the deal now in the hands of regulators.