Hacking into Sprint.com user accounts is amazingly easy.
I’ve had my problems with SprintPCS’ customer service in the past, but I never thought they’d compromise my account security so easily. But if someone can figure out my username and the answer to a simple challenge question, they’re home free to access my account and change the password. They don’t even need to use an e-mail confirmation to change it. Here’s what I discovered when I needed to change my password this morning:
1. Click on the link to reset your password
2. Enter your username. Usernames are generally insecure and easy to guess. The focus is always on strong passwords, not usernames.
3. The next screen requires you to either enter an account PIN or answer a security question. You know those questions such as “what is your mother’s maiden name?” These questions are usually dead simple and easy for someone to find out, such as “what city were you born in?”.
4. I assumed the next step would be for me to go to my email and look for a confirmation link. But that’s not the case. Sprint.com forwards you to a Nextel.com web address where you can change your password and automatically logon!
I reset my password through this process about 20 minutes ago and haven’t received a notification from Sprint via e-mail about a password change. Isn’t this internet security 101?
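For contrast with the four steps above, here is what a reset flow looks like when the e-mail confirmation is the gate rather than an afterthought. This is an added example, not Sprint's or Nextel's code; the class and function names, the 15-minute token lifetime, and the in-memory "outbox" standing in for a mail server are all assumptions. The points it demonstrates: a guessed username gets the caller nothing but a message to the account's own e-mail address; the only thing that can set a new password is a random, single-use, expiring token that was delivered out of band; completing the reset does not log anyone in; and the change notice goes out in the same moment the password changes, not an hour later.

```python
import hashlib
import hmac
import secrets
import time

# Added example (hypothetical names throughout): a token-based password reset
# in which the e-mailed token, not a security-question answer, proves ownership.

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset token lives 15 minutes


def _hash_password(password: str, salt: bytes) -> bytes:
    # slow, salted hash for stored passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordResetService:
    def __init__(self, users: dict, now=time.time):
        # users: username -> {"email": str, "salt": bytes, "pw_hash": bytes}
        self.users = users
        self.now = now            # injectable clock so expiry can be exercised
        self.outbox = []          # constructed stand-in for a mail sender: (to, body)
        self.pending = {}         # sha256(token) -> (username, expires_at)

    def request_reset(self, username: str) -> None:
        """Step 1: issue a token and send it only to the address on file.
        Returns nothing either way, so the caller cannot tell whether the
        username exists."""
        user = self.users.get(username)
        if user is None:
            return
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        # store only the digest, so a leaked pending table cannot be replayed
        self.pending[digest] = (username, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((user["email"], f"reset-token:{token}"))

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the token is the proof. It is single-use, must be unexpired,
        and a successful reset does NOT create a session."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # pop: a token works once
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        # any other outstanding tokens for this account die with this one
        self.pending = {d: v for d, v in self.pending.items() if v[0] != username}
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = _hash_password(new_password, user["salt"])
        # notify at once, so the real owner hears about a change they did not make
        self.outbox.append((user["email"], "notice:password-changed"))
        return True

    def verify_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def _fresh_users():
    # constructed sample account
    salt = secrets.token_bytes(16)
    return {"alice": {"email": "alice@example.invalid", "salt": salt,
                      "pw_hash": _hash_password("old-password", salt)}}


def demo() -> dict:
    """Constructed walk-through: a real reset works once; guesses, replays and
    unknown usernames get nothing."""
    svc = PasswordResetService(_fresh_users())
    svc.request_reset("alice")
    svc.request_reset("nobody")                 # unknown user: silent, no mail sent
    token = svc.outbox[0][1].split(":", 1)[1]   # what alice reads in her e-mail
    return {
        "guessed_token": svc.complete_reset("not-the-token", "evil"),
        "first_use": svc.complete_reset(token, "new-password"),
        "replay": svc.complete_reset(token, "evil"),
        "old_password_works": svc.verify_password("alice", "old-password"),
        "new_password_works": svc.verify_password("alice", "new-password"),
        "notified": ("alice@example.invalid", "notice:password-changed") in svc.outbox,
        "mails_to_others": sum(1 for to, _ in svc.outbox if to != "alice@example.invalid"),
    }


def demo_expiry() -> bool:
    """A token presented after its lifetime is refused."""
    clock = [1_000.0]
    svc = PasswordResetService(_fresh_users(), now=lambda: clock[0])
    svc.request_reset("alice")
    token = svc.outbox[0][1].split(":", 1)[1]
    clock[0] += TOKEN_TTL_SECONDS + 1
    return svc.complete_reset(token, "too-late")


if __name__ == "__main__":
    print(demo())
    print("expired token accepted:", demo_expiry())
```

The security question still has a place in such a flow, but only as an extra hurdle after the token check, never as a substitute for it: the question's answer is public information, the token is not.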
Andrew Allemann says
I just received an email notification from sprint at 11 CDT, an hour after I wrote this story, saying my password had changed.
jp says
Thanks to the internet it is very easy to get a user’s answers to their secret questions. Oftentimes a quick Google search can turn up all sorts of great info on a person. Stuff like old high school football rosters (tells where you went to school, and probably where you were born), and so on…
Sadly I wouldn’t call email “secure” either by any means, however it is secure enough to stop the casual hacker.