A security flaw in Apple's online store meant that PINs of T-Mobile customers got exposed.
The vulnerability, found by researchers Phobia and Nicholas Ceraolo, apparently leaked the PINs of more than 72 million T-Mobile users' accounts. The same researchers also found the same flaw in the phone-insurance website Asurion, where it exposed AT&T PINs.
Both companies fixed the flaws after being told by BuzzFeed News. Apple did not provide further comments, but said that it is "very grateful to the researchers who found the flaw".
The PINs (also known as passcodes) are used as an additional security measure for accounts. Obtaining them through Apple's website required a brute-force attack, in which many different PIN combinations are submitted in bulk.
BuzzFeed News explains that, after a T-Mobile iPhone purchase on the Apple Store, the store directed the user to an authentication form asking for the T-Mobile number and PIN. The page then allowed an unlimited number of attempts to guess the passcode.
According to Ceraolo, the vulnerability is likely due to an engineering mistake made when connecting T-Mobile's account validation API to Apple's website.
The same validation form for other mobile-provider accounts used a limit that locks access to the page for 1 hour after 10 or so incorrect attempts. It seems that Apple made the error on the T-Mobile page only (which has now been fixed).
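The control the other carrier pages had and the T-Mobile page lacked is a failed-attempt counter with a lockout. The following is an added illustration of that check, not Apple's or T-Mobile's code; it assumes a hypothetical in-memory PIN table standing in for the carrier's validation API, and an injectable clock so the 1-hour lockout can be exercised without waiting.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_FAILURES = 10        # wrong guesses tolerated before the account is locked
LOCKOUT_SECONDS = 3600   # 1 hour, matching the limit the other carrier forms used


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class PinValidator:
    # Hypothetical stored PINs keyed by phone number; a real service would
    # delegate the comparison to the carrier's account validation API.
    pins: Dict[str, str]
    clock: Callable[[], float] = field(default=time.time)
    state: Dict[str, AccountState] = field(default_factory=dict)

    def validate(self, phone: str, pin: str) -> str:
        """Return 'ok', 'wrong' or 'locked' for one PIN attempt on a number."""
        now = self.clock()
        st = self.state.setdefault(phone, AccountState())
        # An active lockout rejects every attempt, even a correct PIN, so a
        # guesser gets no signal until the window has passed.
        if now < st.locked_until:
            return "locked"
        expected = self.pins.get(phone)
        # Constant-time compare; unknown numbers still count as failures so
        # the response does not reveal which numbers exist.
        if expected is not None and hmac.compare_digest(expected, pin):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"
```

Without the `locked_until` check, the loop in the test below could simply continue through all 10,000 four-digit combinations, which is the behaviour the T-Mobile page exhibited.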
T-Mobile and AT&T users who may be concerned about their account should reset their PIN, with support from the providers if needed. Please note that this issue affects US customers only, as T-Mobile has been taken over by EE in the UK.