No Password Required: Mobile Carrier Exposes Data for Millions of Accounts
upstart writes in with an IRC submission:
Q Link Wireless, a provider of low-cost mobile phone and data services to 2 million US-based customers, has been making sensitive account data available to anyone who knows a valid phone number on the carrier's network, an analysis of the company's account management app shows.
Dania, Florida-based Q Link Wireless is what's known as a Mobile Virtual Network Operator, meaning it doesn't operate its own wireless network but rather buys services in bulk from other carriers and resells them. It provides government-subsidized phones and service to low-income consumers through the FCC's Lifeline Program. It also offers a range of low-cost service plans through its Hello Mobile brand. In 2019, Q Link Wireless said it had 2 million customers.
The carrier offers an app called My Mobile Account (for both iOS and Android) that customers can use to monitor text and minutes histories, data and minute usage, or to buy additional minutes or data. The app also displays the customer's:
- First and last name
- Home address
- Phone call history (from/to)
- Text message history (from/to)
- Phone carrier account number needed for porting
- Email address
- Last four digits of the associated payment card
[...] No password required . . . what?
Read more of this story at SoylentNews.