A mobile carrier allowed anyone with one of its Hello Mobile customers’ phone numbers to access their personal information, including name, address, phone number, and text and call history, according to a report by Ars Technica. The carrier, Q Link Wireless, claimed to have over two million customers in 2019.
Ars Technica noted a Reddit post saying that the app used by the carrier and its subsidiary Hello Mobile never asked for a password or any identifying information when the user was logging on with a phone number. Looking through the reviews, there are references to the poor security practices (to put it mildly) going back to December of 2020. While it’s unclear when the credential-less login system appeared, there is an update note from two years ago that mentions an “updated login process.”
A ton of information was available in the app, which didn’t ask for a password
The carrier has reportedly fixed the issue — though it seems it may have done so by just turning off logins to the app altogether. Before the change, Ars was able to see, but not change, a bevy of information from a Hello Mobile customer who volunteered their phone number, including their name, address, account number, email address, and which numbers they’d contacted or been contacted by. The last one is probably the most sensitive — while the contents of texts or phone calls weren’t shown, there’s still a lot of information that can be gleaned from knowing who you talked to and when you talked to them.
The app’s description mentions that it allows users to add more minutes or data to their plans, but it’s unclear if that required extra authentication. Regardless, there’s still a ton of information that was available to anyone able to get the phone number of one of Q Link Wireless’ Hello Mobile customers. Reportedly, Q Link Wireless hasn’t notified those customers that their information had been accessible — which seems to be a worrying trend among companies that leak user data.
Ars found no evidence that the security vulnerability was widely exploited, but having to worry about others having access to a ton of their sensitive data isn’t something that anyone needs.
Q Link Wireless didn’t immediately reply to a request for comment.
Update, 5/14 2021, 11:53 AM: Added clarification that data lapses were only alleged to have occurred with Hello Mobile accounts.