Why is my password emailed to me after changing it?

Tutor

Why is my password emailed to me after changing it?

I was surprised to get an email with my password in the clear after resetting it from my iPad.

Email is by no means secure.  This policy is VERY bad.

Can somebody from AT&T comment?

Thanks.

Community Manager

Re: Why is my password emailed to me after changing it?

Hello bacaboy,

Thank you for your feedback; we'll make sure it gets to the right people.

Dmitriy,

Community Forums Team



Employee Contributor*
*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.

Re: Why is my password emailed to me after changing it?

If they email you the password it also means that they aren't hashing the passwords.
If ATT did the crypto correctly then even they themselves would not be able to send the plaintext password.
Expert

Re: Why is my password emailed to me after changing it?


harryspar wrote:
If they email you the password it also means that they aren't hashing the passwords.
If ATT did the crypto correctly then even they themselves would not be able to send the plaintext password.

Or they are sending a one-time-use password to verify

1. you are who you claim to be

2. to notify you that a password request was made on the account

3. to let you choose the password that you wish to utilize

Banks, online financial houses, anti-virus companies, and online retailers all use the one-time password change verification method. The number of online access firms that allow you to change the password on the fly is shrinking, and this is a good thing. Any online retailer that still does this needs to have a security audit on their systems to see how many accounts have been compromised by this irresponsible method of immediate password change ability with no verification.

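Added example (not AT&T's code, and not code from anyone in this thread) showing both points made above: harryspar's observation that a correctly salted-and-hashed password store cannot email the password back, and the one-time-use verification flow described in the reply. The PBKDF2 iteration count, the 15-minute token lifetime, the in-memory account store and the email bodies are this example's own assumptions, chosen to make it runnable offline.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example for this thread, not AT&T's code. The iteration count,
# token lifetime and in-memory "database" are assumptions made here.
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Return (salt, digest): PBKDF2-HMAC-SHA256 over the password with a random 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time; the plaintext is never stored."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """In-memory stand-in for an account database plus an outgoing mail queue (constructed)."""

    def __init__(self):
        self.users = {}         # email -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}  # sha256(token) -> (email, expires_at)
        self.outbox = []        # (recipient, body) for every email the system "sends"

    def create_user(self, email, password):
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest}

    def login(self, email, password):
        rec = self.users.get(email)
        return rec is not None and verify_password(password, rec["salt"], rec["hash"])

    def change_password(self, email, old_password, new_password):
        """Authenticated change. The notification cannot carry the password: no plaintext exists to send."""
        if not self.login(email, old_password):
            return False
        self.create_user(email, new_password)
        self.outbox.append((email, "Your password was changed. If this was not you, contact support."))
        return True

    def request_reset(self, email, now=None):
        """Mail a one-time reset token; only a hash of the token is kept server-side."""
        now = time.time() if now is None else now
        if email not in self.users:
            return None  # the HTTP layer should answer identically either way (no account enumeration)
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self.reset_tokens[key] = (email, now + RESET_TOKEN_TTL_SECONDS)
        self.outbox.append((email, "Use this one-time code within 15 minutes to choose a new password: " + token))
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use), reject it if expired, then set the new password."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self.reset_tokens.pop(key, None)  # pop: a second use of the same token fails
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self.create_user(email, new_password)
        self.outbox.append((email, "Your password was reset. If this was not you, contact support."))
        return True


def plaintext_leaked(store, secret):
    """True if any email the store sent contains the given string in the clear."""
    return any(secret in body for _, body in store.outbox)
```

The reset email does contain a secret, but it is a random, single-use, expiring token stored only as a hash, not the password the user chose; the change-notification email can only report that a change happened. A site that emails back the exact password the user typed has that password in a recoverable form at the moment it sends the mail, which is what the thread is objecting to.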
Tutor

Re: Why is my password emailed to me after changing it?

It is NOT a one time password.  It is the password I entered.

Tutor

Re: Why is my password emailed to me after changing it?

EXACTLY.  Hard to believe they don't hash the passwords, but also that they'd email it back to you.

This is something I'd expect in 1997.

I'll have to think about moving to another carrier if this is how they handle security...

Employee

Re: Why is my password emailed to me after changing it?

Where did you change your password? From the myAT&T app or from the website? 

Tutor

Re: Why is my password emailed to me after changing it?


aBenjamin wrote:

Where did you change your password? From the myAT&T app or from the website? 


Neither.  I changed it on the iPad.

Settings -> Cellular Data -> View Account -> (then login) -> Edit User & Payment Information


Re: Why is my password emailed to me after changing it?

Similar observations were made here:

nakedsecurity.sophos.com/2013/04/01/rude-password-login-denied-the-att-april-fool-that-wasnt/

Basically, it is clear that ATT stores your passwords insecurely.
Tutor

Re: Why is my password emailed to me after changing it?


harryspar wrote:

Basically, it is clear that ATT stores your passwords insecurely.

That is becoming clear to me.  And since that occurred almost a year ago, I can see they haven't done anything to really address the problem.

Can somebody from AT&T security chime in with something less speculative if we are in fact wrong about this?


Re: Why is my password emailed to me after changing it?

Don't hold your breath. Their MO is to leave security holes and then if they ever get busted they will kill the messenger à la Weev.

Some consolation to the people whose accounts get hacked.

I wonder if this has anything to do with the current scam going around. Maybe this is how people on the inside get enough personal info to phish the customers who are being scammed?

http://www.nbc-2.com/story/22811096/some-att-customers-falling-victim-to-scam

http://www.techguylabs.com/episodes/1030/beware-att-cell-phone-scam

Expert

Re: Why is my password emailed to me after changing it?


harryspar wrote:

Don't hold your breath. Their MO is to leave security holes and then if they ever get busted they will kill the messenger à la Weev.

Some consolation to the people whose accounts get hacked.

I wonder if this has anything to do with the current scam going around. Maybe this is how people on the inside get enough personal info to phish the customers who are being scammed?

http://www.nbc-2.com/story/22811096/some-att-customers-falling-victim-to-scam

http://www.techguylabs.com/episodes/1030/beware-att-cell-phone-scam

Did you even read the articles? The customer was the one that let loose the information, not AT&T.

Example one, from your first link:

It starts innocently enough with a phone call from someone claiming to be with AT&T offering you a credit on your bill to take a short survey. The questions are all about service, but by the end you have unknowingly given up just enough information to grant the scammer access to your account.

Randy and his wife say this is their proof they were victims of a clever phone scam.

On your second link, if you had followed the link that was given in the article you would have seen this:

http://www.11alive.com/rss/article/302420/40/Cell-phone-scammers-target-ATT-caller-ID

It takes nothing to spoof the ANI that is displayed on the LCD readout on your phone. I can make any one of our corporate phones show absolutely anything I want it to simply by making a 20-second change in the settings of the phone. The only portion of the ANI that cannot be spoofed is the one that goes to emergency services for 911 calls.

Both of the articles you linked show that a phone scam survey by a 3rd party initiated the call and was able to ask a few questions to obtain enough information to make changes on the account in question. The same thing happens at the other carriers also.

Pray tell, how exactly is it a security hole when the person in question handed all the information, including the SSN/TID number, to the caller? You know common sense dictates that if an incoming caller asks for personal information such as SSN, then something is rotten in Denmark.

Re: Why is my password emailed to me after changing it?

The callers already had the account holders' PII and account info even before asking any questions. This has nothing to do with caller ID spoofing and everything to do with loose security inside ATT.

The same is true of the Weev episode where they called looking at a public URL a "hack".

If ATT salted and hashed our passwords none of these things could have happened. Not the Weev "hack", nor the phone scams, nor email passwords in the clear.

Let's stay on the crypto topic in this thread, please. It is the crux of the situation.
Expert

Re: Why is my password emailed to me after changing it?


harryspar wrote:
The callers already had the account holders' PII and account info even before asking any questions. This has nothing to do with caller ID spoofing and everything to do with loose security inside ATT.

The same is true of the Weev episode where they called looking at a public URL a "hack".

If ATT salted and hashed our passwords none of these things could have happened. Not the Weev "hack", nor the phone scams, nor email passwords in the clear.

Let's stay on the crypto topic in this thread, please. It is the crux of the situation.

And you have proof of this? Sorry, the two examples you left have nothing to do with this topic but everything to do with a phone scam, and no indication of lax security on the carrier's part. If you take the time to actually read the articles, the scammers gained all the information they needed from talking to them; absolutely no indication that the caller already had the information.

If you are assuming that the caller had the information prior because the AT&T logo showed up on caller ID, you are incorrect. The information of what cell numbers belong to what carrier or provider is public domain and can be obtained from hundreds of websites on the internet; in fact, if you are willing to pay a couple of bucks you can get address information also, once again all public domain information if you know where to look for it.

You brought it up, not me. You should expect a rebuttal when you claim something.


Re: Why is my password emailed to me after changing it?

Yes, it was an error to introduce any extra information into the thread. It distracts from the main topic and tempts nitpickers.