A mobile carrier allowed anyone who knew a Hello Mobile customer’s phone number to access that customer’s personal information, including name, address, phone number, and call and text logs (who they contacted and when, though not the contents), according to a report by Ars Technica. The carrier, Q Link Wireless, claimed to have over two million customers in 2019.
Ars Technica noted a Reddit post saying that the app used by the carrier and its subsidiary Hello Mobile never asked for a password or any identifying information beyond the phone number itself when a user logged in. Looking through the app store reviews, there are references to the poor security practices (to put it mildly) going back to December of 2020. While it’s unclear when the credential-less login system appeared, there is an update note from two years ago that mentions an “updated login process.”
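The underlying mistake is treating a phone number, which is an identifier that anyone can obtain, as if it were a credential. The following is an added example written for this page; it is not Q Link Wireless’s or Hello Mobile’s code and does not reproduce the real app’s API. It models a lookup endpoint keyed on the phone number alone next to a version that first proves control of the number with a one-time code and then binds the resulting session to that number. The account record, the OTP flow, the token format and the timestamps are all constructed for illustration.

```python
"""Phone-number-as-credential (vulnerable) vs. verified session (hardened).

Added example for this article; not Q Link Wireless code. All data below is
constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample record mirroring the kinds of fields the report says were
# exposed: identity details plus who the subscriber contacted (no message bodies).
ACCOUNTS = {
    "+15550100": {
        "name": "Example Subscriber",
        "address": "1 Example St",
        "account_number": "ACCT-0001",
        "email": "subscriber@example.com",
        "contacts": [("+15550199", "2021-05-10T14:02:00Z", "sms")],
    },
}

class AuthRequired(Exception):
    """Raised when a request has not proven it may read the account."""

# --- Vulnerable pattern: knowing the number is enough to read the record. ---
def account_lookup_vulnerable(phone: str) -> dict:
    # A phone number is public-ish (business cards, leaked lists, caller ID),
    # so this check authenticates nobody.
    return ACCOUNTS[phone]

# --- Hardened pattern: prove control of the number, then bind a session to it. ---
@dataclass
class AuthServer:
    pending_otps: dict = field(default_factory=dict)  # phone -> (otp, expiry)
    sessions: dict = field(default_factory=dict)      # token -> (phone, expiry)

    def start_login(self, phone: str, now: float) -> str:
        """Issue a one-time code for the number. A real deployment would deliver
        it over SMS or the carrier's own channel; it is returned here only so the
        example can complete the flow offline."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[phone] = (otp, now + 300)  # 5-minute validity
        return otp

    def finish_login(self, phone: str, otp: str, now: float) -> str:
        """Exchange a correct, unexpired code for a session token bound to the number."""
        entry = self.pending_otps.pop(phone, None)  # single use: a wrong guess burns the code
        if entry is None:
            raise AuthRequired("no login in progress for this number")
        expected, expiry = entry
        if now > expiry or not hmac.compare_digest(expected, otp):
            raise AuthRequired("bad or expired code")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (phone, now + 3600)
        return token

    def account_lookup(self, phone: str, token: str, now: float) -> dict:
        """Authenticate the token, then authorize it for this specific number."""
        sess = self.sessions.get(token)
        if sess is None:
            raise AuthRequired("no valid session")
        bound_phone, expiry = sess
        if now > expiry:
            del self.sessions[token]
            raise AuthRequired("session expired")
        # Authorization, not just authentication: one valid login must not be
        # able to read every other subscriber's record by changing the number.
        if not hmac.compare_digest(bound_phone, phone):
            raise AuthRequired("session is not bound to this number")
        return ACCOUNTS[phone]

def _outcome(call) -> str:
    """Collapse a lookup attempt into 'allowed' or 'denied' for comparison."""
    try:
        call()
        return "allowed"
    except AuthRequired:
        return "denied"

def demo() -> dict:
    """Walk both endpoints through the cases a reviewer would probe."""
    srv = AuthServer()
    now = 1_620_000_000.0  # constructed fixed clock
    phone = "+15550100"
    results = {"vulnerable": account_lookup_vulnerable(phone)["account_number"]}
    results["no_session"] = _outcome(lambda: srv.account_lookup(phone, "not-a-token", now))
    otp1 = srv.start_login(phone, now)
    wrong = "000000" if otp1 != "000000" else "111111"
    results["wrong_otp"] = _outcome(lambda: srv.finish_login(phone, wrong, now))
    results["consumed_otp"] = _outcome(lambda: srv.finish_login(phone, otp1, now))
    token = srv.finish_login(phone, srv.start_login(phone, now), now)
    results["ok"] = srv.account_lookup(phone, token, now)["account_number"]
    results["other_number"] = _outcome(lambda: srv.account_lookup("+15550101", token, now))
    results["expired"] = _outcome(lambda: srv.account_lookup(phone, token, now + 7200))
    return results

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>14}: {result}")
```

The point of the hardened path is the last check in `account_lookup`: even after a subscriber has proven control of their own number, the session is only good for that number, so a valid login cannot be turned into a lookup of everyone else’s record.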
The carrier has reportedly fixed the issue — though it seems it may have done so by just turning off logins to the app altogether. Before the change, Ars was able to see, but not change, a bevy of information from a Hello Mobile customer who volunteered their phone number, including their name, address, account number, email address, and which numbers they’d contacted or been contacted by. The last one is probably the most sensitive — while the contents of texts or phone calls weren’t shown, there’s still a lot of information that can be gleaned from knowing who you talked to and when you talked to them.
The app’s description mentions that it allows users to add more minutes or data to their plans, but it’s unclear if that required extra authentication. Regardless, there’s still a ton of information that was available to anyone able to get the phone number of one of Q Link Wireless’ Hello Mobile customers. Reportedly, Q Link Wireless hasn’t notified those customers that their information had been accessible — which seems to be a worrying trend among companies that leak user data.
Ars found no evidence that the security vulnerability was widely exploited, but having to worry about strangers being able to pull up that much sensitive data isn’t something anyone should have to deal with.
Q Link Wireless didn’t immediately reply to a request for comment.
Update, 5/14 2021, 11:53 AM: Added clarification that data lapses were only alleged to have occurred with Hello Mobile accounts.