According to the report from BuzzFeed News, the flaws that exposed the PINs were discovered by security researchers Phobia and Nicholas “Convict” Ceraolo. The first flaw was in Apple’s own online store, where the vulnerability revealed the PINs of T-Mobile customers. In AT&T’s case, customers’ passcodes were revealed via a vulnerability discovered in the website of phone insurance company Asurion.
It is unclear whether these flaws were exploited and customers’ PINs and passcodes stolen, but Apple and Asurion were quick to patch the issue. Apple declined to comment, but according to Asurion spokesperson Nicole Miller, “Asurion takes customer security and privacy very seriously, and as such we have an ongoing, layered security program in place to prevent security issues. We are investigating the researcher’s concerns, but have immediately implemented measures to address these concerns to ensure customers’ accounts are safe.”
AT&T spokesman Jim Greer adds, “In addition to the multiple layers of security we have in place to help protect our customers, we will continue to work with Asurion to investigate this. We will take any additional action that may be appropriate.”