Security researchers have found that Sprint, T-Mobile and AT&T were all affected by security issues, which in two of the three cases were at least partly out of the carriers' control, that left vital customer information such as account PINs potentially exposed. Sprint's flaw stemmed from an internal employee portal that attackers could get into simply by trying common username and password combinations; AT&T customers' information could be compromised by brute-forcing their account PINs on phone insurer Asurion's website; and a similar exploit was possible against T-Mobile accounts through the iPhone leasing flow on Apple's website. All three issues have since been patched.
To go into a bit of detail, in both the Asurion and Apple cases the problem boiled down to a lack of adequate protection on the page itself. Normally, both of those pages enforce a limited-time lockout that blocks a visitor for a set period after a series of consecutive wrong attempts at entering account information. While this was in place for every other carrier on the pages in question, the Apple and Asurion pages appear to have improperly integrated the customer verification APIs that linked them to T-Mobile and AT&T, respectively, so the lockout never applied to those carriers. Sprint, meanwhile, had an employee portal login page that was too easy to find, coupled with no brute-force protections, as above, and some employees who were reportedly using username and password combinations that were common, or weak and easy to brute force.
To give some background, brute-force attacks lie at the heart of all three exploits. A brute-force attack is one in which a computer generates and tests many passwords systematically; the theory behind it is that it's a numbers game, since trying enough possible combinations is sure to eventually turn up the right one. Pages that block account logins after a certain number of unsuccessful attempts can thwart brute-forcing by detecting it long before it is statistically feasible for the attack to succeed, and the lockout systems on the Asurion and Apple pages appear to have been broken in these cases. Sprint, meanwhile, compounded the issue with seemingly lax security policies, allowing employees to use weak login credentials that were easy for attackers to crack. These developments come hot on the heels of T-Mobile having to disclose a recent data breach and Verizon throttling a fire department's unlimited data plan during critical operations with a remote firefighting machine, painting a stark picture of the mobile carrier scene in the US at present.
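As an added illustration (not code from the article, nor from any carrier, Apple or Asurion), the sketch below shows the lockout logic the story describes enforced inside the carrier-side verification API, so that a partner page that integrates the API cannot skip it, and a policy check that counts how many guesses the API will actually evaluate. The account numbers, PINs and thresholds are constructed.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data: account -> PIN (hypothetical, not real accounts)
ACCOUNT_PINS = {"555-0100": "4821", "555-0199": "0007"}


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # consecutive wrong PINs allowed before lockout
    lockout_seconds: int = 900   # how long the account stays locked


@dataclass
class PinVerifier:
    """Carrier-side verification API. Lockout lives here, so every front end
    that calls it (carrier site, insurer, retailer) gets the same protection."""
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> time the lock expires

    def verify(self, account: str, pin: str, now: float) -> str:
        if self.locked_until.get(account, 0) > now:
            return "locked"  # refuse without evaluating the PIN while locked
        expected = ACCOUNT_PINS.get(account)
        # Constant-time compare; an unknown account is treated as a wrong PIN
        if expected is not None and hmac.compare_digest(expected, pin):
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.policy.max_failures:
            self.locked_until[account] = now + self.policy.lockout_seconds
            self.failures.pop(account, None)  # counter restarts after the lock expires
        return "wrong"


def guesses_evaluated(verifier: PinVerifier, account: str, now: float,
                      budget: int = 10_000) -> int:
    """Policy check: submit sequential 4-digit guesses through the API and count how
    many it evaluates before locking the account (or before the PIN is matched)."""
    evaluated = 0
    for i in range(budget):
        result = verifier.verify(account, f"{i:04d}", now)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated
```

With the 5-attempt policy the API evaluates only five guesses before locking the account for the lockout period; with the lockout effectively disabled, the whole PIN space is reachable and the constructed PIN is matched.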