
Apparently they encrypted customer passwords instead of one-way hashing [1].

"A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher."

"The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers."

[1] https://techcrunch.com/2024/03/30/att-reset-account-passcode...




> Apparently they encrypted customer passwords instead of one-way hashing [1].

Pretty incredible, I use one way hashing for my own sites and I don't even have customers, just a couple of accounts I use when I want to demo something.


“There are only 9999 possible passcodes, why bother hashing them?” - AT&T, probably

PS small correction - “passcodes” were admittedly stolen which are numeric security codes that you have to verbally provide when calling in.


The correct approach is keyed hashing e.g. HMAC/KMAC for something like that, or...?


Yes but if the algorithm and salt gets to be known then there are very few possibilities (10^n where n is max length of passcode) and unless people are setting 50 digit passcodes, then it is very crackable.


It's crackable by those that have the secret key i.e. AT&T and whoever they leak their key to. But presumably it's harder to steal a secret key and a database entry than it is to steal just a database entry.

The salt just obscures whether two users have the same code.
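To make the trade-off in this subthread concrete, here is a small added example (not code from the thread or from AT&T) that models a 4-digit passcode store three ways: salted-but-unkeyed SHA-256, and HMAC-SHA256 keyed with a server-side secret, checked both with and without that key. `SERVER_KEY`, the salts and the passcode are constructed values, and the function names are hypothetical. It shows that with an unkeyed hash the leaked row alone pins the passcode down to one of the 10^n candidates, that the same enumeration confirms nothing without the HMAC key, and that a salt only stops identical passcodes from producing identical rows.

```python
import hashlib
import hmac

# Constructed server-side secret ("pepper"). In a real deployment this lives in a
# KMS/HSM or a separate secrets store, never in the same database as the rows.
SERVER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

PASSCODE_DIGITS = 4
# Every possible passcode: the whole search space is 10^n values.
CANDIDATES = [f"{i:0{PASSCODE_DIGITS}d}" for i in range(10 ** PASSCODE_DIGITS)]


def store_unkeyed(passcode: str, salt: bytes) -> bytes:
    """Salted, unkeyed SHA-256. Anyone holding the row (value + salt) can
    recompute this for all 10^n guesses, so the salt alone buys nothing here."""
    return hashlib.sha256(salt + passcode.encode()).digest()


def store_keyed(passcode: str, salt: bytes, key: bytes = SERVER_KEY) -> bytes:
    """Keyed hash (HMAC-SHA256 over salt || passcode). Recomputing it for a
    guess requires the key, which is kept out of the leaked database."""
    return hmac.new(key, salt + passcode.encode(), hashlib.sha256).digest()


def verify_keyed(passcode: str, salt: bytes, stored: bytes,
                 key: bytes = SERVER_KEY) -> bool:
    """Server-side check; constant-time comparison of the two MACs."""
    return hmac.compare_digest(store_keyed(passcode, salt, key), stored)


def consistent_unkeyed(stored: bytes, salt: bytes) -> list:
    """Candidates an attacker holding only the leaked row can confirm against
    an unkeyed store. For an n-digit code this is a single value."""
    return [c for c in CANDIDATES if store_unkeyed(c, salt) == stored]


def consistent_keyed(stored: bytes, salt: bytes, key: bytes) -> list:
    """Same enumeration against a keyed store using whatever key the attacker
    has. With the real key it recovers the code (this is the 'AT&T and whoever
    they leak their key to' case); with any other key nothing matches, so all
    10^n candidates remain equally plausible."""
    return [c for c in CANDIDATES if store_keyed(c, salt, key) == stored]


if __name__ == "__main__":
    # Constructed sample row values.
    salt_a = bytes.fromhex("a1b2c3d4e5f60718")
    salt_b = bytes.fromhex("1122334455667788")
    code = "4829"

    row_unkeyed = store_unkeyed(code, salt_a)
    row_keyed = store_keyed(code, salt_a)
    wrong_key = bytes(32)  # attacker's guess at the key

    print("unkeyed, row only   :", consistent_unkeyed(row_unkeyed, salt_a))
    print("keyed, real key     :", consistent_keyed(row_keyed, salt_a, SERVER_KEY))
    print("keyed, wrong key    :", len(consistent_keyed(row_keyed, salt_a, wrong_key)), "matches")
    # Salt's actual job: same passcode, different salts, different rows.
    print("same code, diff salt:", store_keyed(code, salt_a) != store_keyed(code, salt_b))
    print("verify correct/wrong:", verify_keyed(code, salt_a, row_keyed),
          verify_keyed("4828", salt_a, row_keyed))
```

The keyed store only helps while the key stays separate from the database dump (a KMS-held key or an HSM-backed MAC keeps it that way); it does nothing against online guessing against the live verification endpoint, which still needs attempt limits and lockout. A per-user salt is still worth keeping alongside the key so that two customers with the same code do not produce identical rows.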