Data belonging to at least 6 million Verizon subscribers were exposed due to a security lapse by one of the carrier's customer service partners.
Customers who contacted Verizon's customer service in the past six months will need to be on high alert, and should take certain steps to ensure that their accounts are not compromised.
Verizon Customer Data Leaked
An employee of Israel-based Nice Systems was found to have stored millions of Verizon customer records on an unprotected Amazon Web Services S3 server, allowing anybody to download the information easily.
Verizon was alerted to the leak on June 13, and the security issue was fixed on June 22.
The misconfigured server was discovered by cybersecurity firm UpGuard, which earlier reported that as many as 14 million Verizon customers were affected by the leak. A Verizon spokesperson later claimed that the incident affected only 6 million customers.
The Cyber Risk Team of UpGuard, dedicated to finding and patching up data exposures online, found that the unprotected server contained Verizon account information that included names, addresses, phone numbers, and most importantly, PIN codes.
The leaked security PIN codes are disconcerting because with them, anybody can gain access to a Verizon subscriber's account. Verizon representatives ask for the PIN codes to verify the identity of people requesting customer service.
Hackers will be able to use the PIN codes to easily gain access to online accounts that are protected by two-factor authentication, which is a security measure that confirms the actions of users by sending a code to their mobile phone number. Hackers can call up Verizon and pose as the user that they are targeting using the leaked PIN code, with the goal of redirecting messages sent for two-factor authentication to their own device so that they can log into the victim's online account.
What Should Verizon Customers Do?
Verizon customers, specifically those who contacted the carrier's customer service over the last six months, should request a change of their PIN code by going to a Verizon retail store, calling its customer service hotline, or using the carrier's website.
Customers who used the same PIN code for other accounts should also change the code on those accounts, in case hackers try to use it to access other services under the user's name.
However, with this incident, perhaps Amazon should think about setting up a review group to regularly check whether information stored in its web services is secure. A similar incident was reported last week, as another unprotected Amazon Web Services S3 server leaked the personal information of more than 3 million WWE fans.