The stars aligned themselves just right this past week for a significant number of data breaches and security vulnerabilities to come to light. The massive Facebook hack from August 2019 come back to haunt more than 533 million users whose personal data ended up in the hands of hackers. Even Mark Zuckerberg’s account was included on the list, yet Facebook will not notify users who might have been impacted. A similar hack involving scraped personal data for 500 million LinkedIn accounts was also disclosed, and the massive database of info was on sale online earlier this week. Then we saw a different data leak that allowed people to obtain the phone numbers of Facebook users who liked a page on the social network. Next up, a large number of credit card records and Social Security numbers were hacked on a platform that sells this type of stolen information — that’s to say that data had been stolen before this security exploit, but now it has been made available more widely. Finally, we also saw malware-spreading Android apps in the wild again, and Facebook allowed ads for a malware app on its platform.
To top it all off, there’s another vulnerability that millions of people need to be aware of. A small mobile operator failed to protect its customers’ personal data, so anyone was able to access account information by simply inputting a phone number into a mobile app.
The carrier in question is Q Link Wireless, a Mobile Virtual Network Operator (MVNO) with around 2 million US customers. A Reddit user first found the security vulnerability a few months ago, attempting to notify the carrier a few times via customer support and app reviews that highlighted the bug. Ars Technica followed up on that post, and its inquiries might have convinced Q Link Wireless to finally fix the security issue.
The “hack” allowed anyone to install the carrier’s My Mobile Account and then input any customer’s phone number to access the data associated with that account. No password was needed, and the information was accessible to anyone aware of the security issue.
The mobile app offers tons of information about users. Examples include a user’s first and last name, home address, phone call history (outgoing/incoming), text message history (outgoing/incoming), account number, email address, and last four digits of the associated payment card.
The app can’t be used to make any changes to someone’s account or harm the phone number via a SIM swap or locking someone out. But Ars says that a would-be SIM swapper might try to use the data to social engineer a Q Link Wireless employee into helping. A more simple type of attack involves spying on victims. People aware of the vulnerability could have used the security flaw to keep track of someone’s calls and texts. Abusive spouses, stalkers, and other people with malicious intentions who might target a particular victim could have done this with ease.
After ignoring the problem for months, Q Link Wireless appears to have fixed it, so the data is no longer available to anyone with knowledge of a phone number. It’s unclear if the vulnerability was abused, with security firm Intel471 telling Ars that it did not find discussions about this particular security flaw on forums frequently used by hackers and criminals. But the report points out there’s no way to know if the leak had been abused on a smaller scale.
Ars Technica’s full report is available at this link.