Vodafone shares subscriber info with world+dog

Vodafone has been caught taking liberties with customers' email accounts, and it seems at least some of the customers aren't happy about the practice. The problem is with the password reminder feature on the “My account” section of the carrier's website. All you have to do is enter the phone number of the person you're …

COMMENTS

WTF?

Gah morons

I left Vodafone a couple of years back and ported the number away, and yes, my email addy is visible. Dipsticks

1
0
Boffin

I've just played around with it a bit

And if you log-in (via password reminder or whatever) and then unsubscribe from all services and then from Online Services (clicking on "Deregister from Online services and remove my vodafone details"), this trick won't work anymore.

0
0
Anonymous Coward

Not just the number

It will do the same for a username. So just type in random possible usernames and you get presented with their e-mail address.

I tried it with a few and every username was taken and the address presented.

0
0
Thumb Up

Still working

Still working at 1715. I tested it with the numbers of a few work colleagues.

0
0
Anonymous Coward

Extra hack

Following on from the A/C a few before me, if you punch in a random username, you get an email address come back and asking whether that's the right one. If you say no, it tells you it's sent a text to the associated mobile, and even gives you the number. Helpful.

0
0
WTF?

haven't been on Vodamoan for 6 years yet

one of my older email address aliases is still shown - which has recently been getting spam for the first time ever. Thank you Vodaspam.

0
0
Anonymous Coward

And that's why...

...I have a spam account.

Because I don't trust any of the buggers.

0
0
Black Helicopters

he walks among us, and uses Hotmail!

Jesus uses Vodafone according to the undocumented feature ;q

fortunately I've never shared my email with them so I remain less spammable.

I think my next phone will be bought outright and a selection of monthly SIMS used as I see fit with no disclosure of such information

0
1
FAIL

After I posted on their forum about this

Their forum manager phoned me and apparently they are aware of the issue and doing everything they can as fast as they can. They weren't aware it worked with usernames too though.

"Everything they can" doesn't, it seems, include taking down the offending page. Which is strange, 'cos that's the first thing I'd do.

On the plus side, if we can find a way to extract electrical energy from Vodafone's incompetence, that'll be global warming sorted.

0
0
Silver badge

That's not his boss's address

How did Terence Eden get my email address? I'm not a Vodafone subscriber.

0
0
Big Brother

Data Protection Act fail?

Having not been a Vodafone customer for over 4 years, I was somewhat surprised to see that my online account is still active and that they've retained my personal details (D.O.B., address and so on). Now, I'm no legal expert but I do think that hanging on to my details for nearly half a decade after I dispensed with their services counts as being "kept for longer than is necessary".

1
0

Seven

It is reasonable for Vodafone to keep account information for seven years due to UK tax laws.

If they destroyed accountholder info after four years as you suggest, they would fail an audit if required.

0
0
FAIL

@20:30 GMT

Just tried a couple of attempts and yes, mine and my boyfriend's phone numbers and usernames return our e-mail address.

Haven't seen it give up my phone number to my username.

Now it's off-line though - the world's friendliest error message states:

"We're making things better

We're making some improvements to this area of our site. But don't worry - we'll have everything back to normal soon."

It'll be interesting to see what they come up with.

0
0
FAIL

Longer than necessary

They may pass an audit on the basis that they kept the records, but I can tell you they would fail on basis of the risk presented by this exploit.

All they have to do to fulfil that requirement is keep the data on record somewhere, not serve it up on a faulty web front end.

1
0
FAIL

Half fixed by a half-assed company

Type in "bilbobuggins" and get a "wrong username" error, type in "tonyblair" and get an "Unfortunately, your request cannot be processed". So no longer spilling the beans but it seems you could still build up a list of usernames for attack later.

0
0
Big Brother

@McMoo

It may be reasonable for Vodafone to keep billing and invoice information for seven years due to UK tax laws, but they certainly don't need my date of birth or email address.

I'll (almost) leave the final word on this to the ICO who enforce the Data Protection Act "...there is a significant difference between permanently deleting a record and archiving it. If a record is archived or stored offline, this should reduce its availability and the risk of misuse or mistake". Such as serving it up to all and sundry via a faulty website, for example.

1
0
Grenade

Cheeeeeeeeeeeeeeeeeese

Oops, I forgot to say Vodafone

0
0

That would be the Terence Eden, who recently left Vodafone after 6 years

Terence began in the security team, moved onto the web teams, ended his days there as a "commercial planning manager". Clearly no love lost between him and Vodafone now.

Ever heard of responsible disclosure, Terence? Look it up before you broadcast how to recover Vodafone customer emails addresses to the world.

Nym

0
0

It's stopped working now

It's putting up a holding page when you click 'I've forgotten some details' saying their site is under maintenance.

0
0
Go

And it's fixed

You now get:

"If you provided us with a valid email address when you registered online, click on Send email. When it arrives, click on the link which will take you to a page where you can reset your password and view your username.

Alternatively, you can enter your email address by clicking 'Enter my email address'."

You can still build up a list of valid usernames as it gives you the message "something's wrong with your account; contact the support desk blah blah blah" if you enter an invalid username, but get the above text when it's valid.

At least it's not a phone -> e-mail converter any more.

0
0
Black Helicopters

...or not

And if you click on 'Enter my email address' it helpfully tells you the phone number of that valid username...

/facepalm

0
0
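The "Half fixed", "And it's fixed" and "...or not" posts above describe the same defect in different stages: the reminder page's reply differs depending on whether the username or phone number exists, so it confirms valid accounts even once it stops echoing data. The following is an added defender-side illustration, not Vodafone's code and not anything posted in the thread; the account table, messages and outbox are constructed stand-ins. It puts the distinguishable-message behaviour beside a uniform-response version and includes the check a reviewer would run against a reset endpoint.

```python
import secrets

# Constructed sample subscriber records (made up for this example).
ACCOUNTS = {
    "alice99": {"phone": "07700900001", "email": "alice@example.com"},
    "bob_r":   {"phone": "07700900002", "email": "bob@example.com"},
}
PHONE_INDEX = {a["phone"]: u for u, a in ACCOUNTS.items()}


def lookup(identifier):
    """Resolve a username or phone number to an account record, or None."""
    return ACCOUNTS.get(identifier) or ACCOUNTS.get(PHONE_INDEX.get(identifier))


def reminder_half_fixed(identifier):
    """The 'half fixed' behaviour the posts describe: nothing is echoed back,
    but the two branches return different text, so the reply itself says
    whether the identifier belongs to an account."""
    if lookup(identifier) is None:
        return {"message": "wrong username"}
    return {"message": "Unfortunately, your request cannot be processed"}


OUTBOX = []  # stands in for the SMS/email gateway; its contents never reach the caller


def reminder_hardened(identifier):
    """Uniform response: identical text whether or not the account exists.
    The one-time code goes only to contact details already on record, and
    neither the phone number nor the email address appears in the reply.
    In production the delivery work should also be queued so the response
    time does not differ between the two branches."""
    acct = lookup(identifier)
    if acct is not None:
        code = secrets.token_urlsafe(8)
        OUTBOX.append((acct["phone"], code))  # out-of-band delivery only
    return {"message": "If those details match an account, we've sent a code "
                       "to the contact details registered on it."}


def distinguishable(handler, known, unknown):
    """Reviewer's check: does the handler reply differently for a valid and an
    invalid identifier? True means the endpoint confirms which accounts exist."""
    return handler(known) != handler(unknown)
```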

Not any more

Nope - it sent a code to my mobile phone and asked me to enter it.

0
0
WTF?

Vodafone Fail after Fail

As a VF customer I am amazed every time I read any news it contains stories about Vodafone cocking something up.

Rolling out malware on the HTC Desire... then rolling out junk onto the Samsung Galaxy S.

Then giving out people's data to criminals/stalkers/spammers.

Whoever developed those Vodafone processes is an idiot who needs sacking. They clearly haven't got a clue about security or how to protect people's data.

I'm surprised this isn't illegal under the Data Protection Act. Aren't companies obliged to take care of your data?

0
0