[breadwinner]

Apparently they encrypted customer passwords instead of one-way hashing [1].

"A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher."

"The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers."

[1] https://techcrunch.com/2024/03/30/att-reset-account-passcode...

[circusfly]

> Apparently they encrypted customer passwords instead of one-way hashing [1].

Pretty incredible, I use one way hashing for my own sites and I don't even have customers, just a couple of accounts I use when I want to demo something.

[illusive4080]

“There are only 9999 possible passcodes, why bother hashing them?” - AT&T, probably

PS small correction - “passcodes” were admittedly stolen which are numeric security codes that you have to verbally provide when calling in.

[iraqmtpizza]

The correct approach is keyed hashing e.g. HMAC/KMAC for something like that, or...?

[illusive4080]

Yes but if the algorithm and salt gets to be known then there are very few possibilities (10^n where n is max length of passcode) and unless people are setting 50 digit passcodes, then it is very crackable.

[iraqmtpizza]

It's crackable by those that have the secret key i.e. AT&T and whoever they leak their key to. But presumably it's harder to steal a secret key and a database entry than it is to steal just a database entry.

The salt just obscures whether two users have the same code