Verizon has been leaking customers’ personal information for days (at least)


Verizon is struggling to fix a glitch that has been leaking customers’ addresses, phone numbers, account numbers, and other personal information through a chat system that helps prospective subscribers figure out if Fios services are available in their location.

The personal details appear when people click on a link to chat with a Verizon representative. When the chat window opens, it contains transcripts of conversations that other customers, either prospective or current, have had. The transcripts include full names, addresses, phone numbers, account numbers (in the event they already have an account), and various other information. Some of the transcripts viewed by Ars date back to June. A separate window included customers’ addresses, although it wasn’t clear who those addresses belonged to.

“Hi—I’m looking to get the teacher discount for Fios,” one person wrote on November 29. Below are redacted screenshots of some of what has been available.

Ars learned of the leak on Monday afternoon and alerted Verizon representatives immediately. The plan was to report the leak only after it had been fixed. As this post went live, the leak was still occurring, although the number of exposed chats had lessened. Ars decided to report the leak to alert people who may use the service that this data is being exposed. It’s not clear when Verizon began leaking the data. With some of the chats dating back to June, it’s possible that the leak has been occurring for months.

In a statement issued Thursday morning, Verizon said:

We’re looking into an issue involving our online chat system that assists individuals who are checking on the availability of Fios services. We believe a small number of users may have seen a name, phone number, and/or a home or building address from an unrelated individual who had previously used this chat system to enter that information. Since the issue was brought to our attention, we’ve identified and isolated the problem and are working to have it resolved as quickly as possible.

It’s not the first time Verizon has spilled customer information. In 2016, a database of more than 1.5 million Verizon Enterprise Solutions customers was put up for sale on an online crime forum. Verizon said at the time that a “security flaw in its site [had] permitted hackers to steal customer contact information,” according to KrebsOnSecurity, which broke the news.

Verizon was also one of four US cellphone carriers caught selling customers’ real-time locations to services that catered to law enforcement. One of the services made subscriber locations available to anyone who took the time to exploit an easily spotted bug in a free trial feature.

For the time being, it makes sense to avoid using Verizon’s Fios availability chat feature. This post will be updated once Verizon says the glitch has been fully fixed.

https://arstechnica.com/?p=1727360