steve 11th November 2022 wordpress, business, economy, design

A1 Bleeds out customer data

It was a wonderful Monday morning. I was sitting on my couch when I got a notification about a new e-mail in my inbox. As always, it was someone who wanted money from me. This time it was the ISP A1. I took a brief look at the message itself. A1 told me that they had attached the invoice to the message and that the invoice is protected with a password. And this password is my date of birth. *Facepalm*

But what's wrong? You have to enter your birthdate to access the invoice. The PDF file, that is. The PDF file that contains personal information like your address or your customer number? Or your call log?

Well, from a security standpoint, this is a disaster! Because A1 exposes additional customer data, and important data at that: your exact date of birth. But no, you're going to say! They don't expose the data, they protected the invoice with it. Well…

As they say, they are using the YYMMDD format. So we are talking about a six-digit number. A full six-digit numeric password can be brute-forced in milliseconds. But let's take it further. The year YY can take all 100 two-digit values. Now the month: there are only 12 months, so M1 can be 0 or 1 and M2 can be 0-9. The day DD is similar: there are at most 31 days, so D1 can be 0-3 and D2 can be 0-9. With these assumptions, we have even fewer candidates to brute-force.
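To put numbers on the argument above, here is an added example (my own code, not anything from A1 or the original post) that computes the size of the password space under each of the three assumptions: any six digits, the digit-by-digit bound from the paragraph, and only real calendar dates. It expresses each as entropy in bits, compares it with a short random password, and includes a policy-style check a defender can use to reject a value that is shaped like a YYMMDD birthdate. The birth-year window used in the usage call is an assumption, not a figure from the post.

```python
import calendar
import math


def naive_keyspace():
    """Any six decimal digits: 10^6 candidates."""
    return 10 ** 6


def digit_restricted_keyspace():
    """The post's digit-by-digit bound:
    YY in 00-99, M1 in {0,1}, M2 in 0-9, D1 in 0-3, D2 in 0-9."""
    return 100 * (2 * 10) * (4 * 10)


def valid_dates_keyspace(first_year, last_year):
    """Exact number of real calendar dates in [first_year, last_year],
    i.e. the distinct YYMMDD strings a genuine birthdate in that window can take."""
    return sum(366 if calendar.isleap(y) else 365
               for y in range(first_year, last_year + 1))


def entropy_bits(candidates):
    """Equivalent strength of a uniformly random secret with this many candidates."""
    return math.log2(candidates)


def random_password_bits(length, alphabet_size):
    """Strength of a uniformly random password (e.g. 8 chars over 62 alphanumerics)."""
    return length * math.log2(alphabet_size)


def looks_like_yymmdd(secret):
    """Defender-side policy check: True if a six-digit value parses as a
    plausible YYMMDD date. A two-digit year is century-ambiguous, so the day
    is accepted if it exists in either the 19xx or 20xx reading."""
    if len(secret) != 6 or not secret.isdigit():
        return False
    yy, mm, dd = int(secret[:2]), int(secret[2:4]), int(secret[4:])
    if not 1 <= mm <= 12:
        return False
    return any(1 <= dd <= calendar.monthrange(century + yy, mm)[1]
               for century in (1900, 2000))


if __name__ == "__main__":
    # Assumed window: customers born 1923-2004 (adults in 2022). Constructed, not from the post.
    for label, n in [
        ("any six digits", naive_keyspace()),
        ("digit-by-digit bound", digit_restricted_keyspace()),
        ("real dates 1923-2004", valid_dates_keyspace(1923, 2004)),
    ]:
        print(f"{label:>22}: {n:>9,} candidates, {entropy_bits(n):5.1f} bits")
    print(f"{'random 8-char alnum':>22}: {random_password_bits(8, 62):5.1f} bits")
    for sample in ("000229", "010229", "991301", "123456"):
        print(sample, "looks like a birthdate" if looks_like_yymmdd(sample) else "does not parse as a date")
```

The digit-by-digit bound is already more than an order of magnitude below the naive count, and restricting to dates that actually exist roughly halves it again, so the password protects far less than six digits suggest while the document itself tells you which six digits to try.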