Date: 22 February 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, OS Commanding, Weak Password Recovery Validation

Details remain sketchy, but news reports include social engineering, a guessable secret question for password recovery, and a known vulnerability is BEA WebLogic

References:

• Paris Hilton Hack Started With Old-Fashioned Con [Washington Post]
• Paris Hilton: Victim of T-Mobile's Web Flaws? [PCWorld]
• Known Hole Aided T-Mobile Breach [Wired.com]
• How Paris Got Hacked? [O'Reilly Network]