Carrier says no personally identifiable info leaked, blames outside vendor
When it comes to telecom companies and consumer data breaches, you’ll most likely have seen T-Mobile in the headlines way too many times in recent years. The self-titled Un-carrier has been attacked time and again with disastrous results. But now, the carrier (and its customers) won’t be alone in victimhood this year — newly-released intelligence alleges millions of Verizon subscribers have had their information leaked out into the open internet.
The assessment comes from SafetyDetectives which picked up on a Verizon database posted to an open forum this January. Entries contained within date between sometime in 2021 and January 2022.
Analysis indicates approximately 7.5 million wireless subscribers have had some data points exposed including what kind of devices they had connected to Verizon service, what rewards they were signed up for, and what auxiliary subscription services like Apple Music, Disney+, YouTube TV, or Verizon Cloud they were signed up for. Each entry also contained a hash-obscured customer ID — potentially using a SHA256 key as the original forum post notes. The dump also contains customer ID hashes, first names, usage and speed metrics, router specifications, and contract statuses of about 1.5 million home internet subscribers. Besides the first names, it seems no unencrypted personally identifiable information has leaked, but the exposure of those hashes still presents a threat if the right key or keys are found.
Verizon was notified by SafetyDetectives’s research team on February 8. The company has yet to respond on this matter. We’ve reached out for comment and will let you know if we hear back.
Big Red had a more concrete security scare back in 2017 (via BankInfoSecurity) when personally identifiable information from about 6 million wireless accounts was mishandled. The company apologized, stating no data was lost or stolen and that the incident was the responsibility of an outside vendor.
UPDATE: 2023/03/06 17:09 EST BY JULES WANG
Statement from Verizon
Richard J. Young, a spokesperson for Verizon, has told us the SafetyDetectives piece refers to an issue the company already addressed back in January regarding another outside vendor that provided video guides for customer service questions, pointing us to an early article from The Cyber Express.
The company never gave access to personally identifiable information such as social security numbers, addresses, or credit card numbers besides first names to the vendor. Verizon has since conducted a review of the vendor and has severed ties.
“Since then, there’s been an effort to recirculate this issue and material as if it’s new,” Young goes on to say. “The fact is that there’s nothing new here. The bad actor’s findings are being reposted, but it’s all recirculated material.”
We’ve decided to keep this story up for transparency’s sake on our part, but have changed the headline which was originally titled “VerizonVerizon data breach exposes millions of customers’ account data”
