BuzzFeed News reports that a flaw in Apple’s online store exposed the account PINs of over 72 million T-Mobile customers.
The vulnerability was discovered by security researchers Phobia and Nicholas “Convict” Ceraolo, who also found a similar flaw in the website for phone insurance company Asurion that exposed AT&T account PINs.
For Asurion, hackers with an AT&T customer’s wireless number could gain access to a separate form that asked for the account holder’s passcode. Again, no limit was imposed on attempts, allowing hackers to make an unlimited number of guesses at the passcode. As with the Apple vulnerability, other carriers had a limit on the number of attempts that could be made.
Both Apple and Asurion fixed the website flaws that left the PINs vulnerable after learning about them from BuzzFeed News.