Vodafone has been caught taking liberties with customers' email accounts, and it seems at least some of the customers aren't happy about the practice. The problem is with the password reminder feature on the “My account” section of the carrier's website. All you have to do is enter the phone number of the person you're …
I left vodafone a couple of years back and ported the number away and yes my email addy is visible . Dipsticks
I've just played around with it a bit
And if you log-in (via password reminder or whatever) and then unsubscribe from all services and then from Online Services (clicking on "Deregister from Online services and remove my vodafone details"), this trick won't work anymore.
Not just the number
It will do the same for a username. So just type in random possible usernames and you get presented with their e-mail address.
I tried it with a few and every username was taken and the address presented.
Still working at 1715. I tested it with the numbers of a few work colleagues.
Following on from the A/C a few before me, if you punch in a random username, you get an email address come back and asking whether that's the right one. If you say no, it tells you it's sent a text to the associated mobile, and even gives you the number. Helpful.
haven't been on Vodamoan for 6 years yet
one of my older email address aliases is still shown - which has recently been getting spam for the first time ever. Thank you Vodaspam.
And that's why...
...I have a spam account.
Because I don't trust any of the buggers.
he walks among us, and uses Hotmail!
Jesus uses Vodafone according to the undocumented feature ;q
fortunately I've never shared my email with them so I remain less spammable.
I think my next phone will be bought outright and a selection of monthly SIMS used as I see fit with no disclosure of such information
After I posted on their forum about this
Their forum manager phoned me and apparently they are aware of the issue and doing everything they can as fast as they can. They weren't aware it worked with usernames too though.
"Everything they can" doesn't, it seem, include taking down the offending page. Which is strange, 'cos that's the first thing I'd do.
On the plus side, if we can find a way to extract electrical energy from Vodafone's incompetence, that'll be global warming sorted.
That's not his boss's address
How did Terence Eden get my email address? I'm not a Vodafone subscriber.
Data Protection Act fail?
Having not been a Vodafone customer for over 4 years, I was somewhat surprised to see that my online account is still active and that they've retained my personal details (D.O.B., address and so on). Now, I'm no legal expert but I do think that hanging on to my details for nearly half a decade after I dispensed with their services counts as being "kept for longer than is necessary".
It is reasonable for Vodafone to keep account information for seven years due to UK tax laws.
If they destroyed accountholder info after four years as you suggest, they would fail an audit if required.
Just tried a couple of attempts and yes, mine and my boyfriend's phone numbers and usernames return our e-mail address.
Haven't seen it give up my phone number to my username.
Now it's off-line though - the world's friendliest error message states:
"We're making things better
We're making some improvements to this area of our site. But don't worry - we'll have everything back to normal soon."
It'll be interesting to see what they come up with.
Longer than necessary
They may pass an audit on the basis that they kept the records, but I can tell you they would fail on basis of the risk presented by this exploit.
All they have to do to fufil that requirement is keep the data on record somewhere, not serve it up on a faulty web front end.
Half fixed by a half-assed company
Type in "bilbobuggins" and get a "wrong username" error, type in "tonyblair" and get an "Unfortunately, your request cannot be processed". So no longer spilling the beans but it seems you could still build up a list of usernames for attack later.
It may be reasonable for Vodafone to keep billing and invoice information for seven years due to UK tax laws, but they certainly don't need my date of birth or email address.
I'll (almost) leave the final word on this to the ICO who enforce the Data Protection Act "...there is a significant difference between permanently deleting a record and archiving it. If a record is archived or stored offline, this should reduce its availability and the risk of misuse or mistake". Such as serving it up to all and sundry via a faulty website, for example.
Oops, I forgot to say Vodafone
That would be the Terence Eden, who recently left Vodafone after 6 years
Terence began in the security team, moved onto the web teams, ended his days there as a "commercial planning manager". Clearly no love lost between him and Vodafone now.
Ever heard of responsible disclosure, Terence? Look it up before you broadcast how to recover Vodafone customer emails addresses to the world.
Its stopped working now
Its putting up holding page when you click 'I've forgotten some details' saying their site is under maintenance.
And it's fixed
You now get:
"If you provided us with a valid email address when you registered online, click on Send email. When it arrives, click on the link which will take you to a page where you can reset your password and view your username.
Alternatively, you can enter your email address by clicking 'Enter my email address'."
You can still build up a list of valid usernames as it gives you the message "something's wrong with your account; contact the support desk blah blah blah" if you enter an invalid username, but get the above text when it's valid.
At least it's not a phone -> e-mail converter any more.
And if you click on 'Enter my email address' it helpfully tells you the phone number of that valid username...
Not any more
Nope - it sent a code to my mobile phone and asked me to enter it.
Vodafone Fail after Fail
As a VF customer I am amazed every time I read any news it contains stories about Vodafone cocking something up.
Rolling out malware on the HTC Desire .... then rolling out junk onto the Samsung Galaxy S.
Then giving out people's data to criminals/stalkers/spammers.
Whoever developed those Vodafone processes is an idiot who needs sacking. They clearly haven't got a clue about security or how to protect people's data.
I'm surprised this isn't illegal under the data protection act. Aren't companies obliged to take care of your data?