back to article Three UK does it again: Random folk on network website are still seeing others' account data

British telco Three UK has once again let random people viewing its homepage view its customers' account details as if they were logged in, exposing personal and billing data to casual browsing. Several Reg readers got in touch with us on Friday afternoon and Saturday after noticing that when visiting Three's website, they …

  1. Kubla Cant Silver badge

    fewer than 10 customers have reported being able to view another customer's account information

    It's hard to imagine a security breach so specific that it only affects "fewer that 10" users. Perhaps the significant word here is "reported" - everybody was affected, but only 9 reported it.

    1. Anonymous Coward
      Anonymous Coward

      > fewer than 10 customers have reported being able to view another customer's account information.

      Fewer than 10 neurons were used in the writing of this press statement

    2. Graham 32

      Also note from the article that you didn't have to log in to see someone else's details. So there could be non-customers who could see customer details. And some of those non-customers could have reported it too.

      Of course they find the smallest number they can and carefully word the press release to say only that number.

    3. Anonymous Coward
      Anonymous Coward

      "It's hard to imagine a security breach so specific that it only affects "fewer that 10" users. Perhaps the significant word here is "reported" - everybody was affected, but only 9 reported it."

      That is for sure, but the lesson, here, is, for security issues, you can really get away with the most brain insulting bollocks.

      El Reg apparently didn't believe this, but the mainstream is gonna buy into it.

  2. Anonymous Coward
    Anonymous Coward

    Once is an unfortunate cockup. Twice needs stamping on

    Three means we take privacy of our customers extremely seriously

    1. AndrueC Silver badge
      Joke

      Re: Once is an unfortunate cockup. Twice needs stamping on

      Four shalt thou not count.

      Five is right out.

    2. eamonn_gaffey

      Re: Once is an unfortunate cockup. Twice needs stamping on

      Even a one time 'cock up' is no excuse. Companies this shoddy and dangerous deserve a response from their customers.... who should take their own privacy seriously and vote with thier feet.

      1. Anonymous Coward
        Anonymous Coward

        Re: customers.... who should take their own privacy seriously and vote with thier feet

        while in real world... no.

  3. Pascal Monett Silver badge
    Flame

    "fewer than 10 customers"

    Oh, so that's all right then, nothing to see here.

    Move along, move along.

    1. teebie

      Re: "fewer than 10 customers"

      Fewer than 10 people who have remained on as customers?

  4. fostejo

    This issue was apparent before this weekend...

    I bumped into this exact issue on the evening of their (last) large outage on the 16th Oct and commented about it in the https://forums.theregister.co.uk/forum/all/2019/10/17/three_uk_down_outage_not_working_borked_parrot_dead_ceased_to_be/ article (comment #75-ish, reproduced below) - despite copying in the ICO, providing an image of someone else's bill and chasing numerous Three numerous times via Twitter, I've have absolutely zero response... Good to see they're taking responsibility...

    "In other TITSUP news...

    The network issues are annoying granted, but possibly not as important as being directly logged into someone else account when hitting the My3 URL last night at about 19.50 and being able to browse all their call logs/billing details.

    Appears remarkably reminiscent of: https://www.theregister.co.uk/2017/03/21/three_admits_to_data_breach/

    So far, no response as of yet on Twitter from Three Support on that one..."

  5. lglethal Silver badge
    Joke

    Well you know the old saying, these things happen on 3...

  6. Anonymous Coward
    Anonymous Coward

    ICO

    "I bumped into this exact issue on the evening of their (last) large outage on the 16th Oct and commented about it in the https://forums.theregister.co.uk/forum/all/2019/10/17/three_uk_down_outage_not_working_borked_parrot_dead_ceased_to_be/ article (comment #75-ish, reproduced below) - despite copying in the ICO, providing an image of someone else's bill and chasing numerous Three numerous times via Twitter, I've have absolutely zero response... Good to see they're taking responsibility..."

    The ICO are not well resourced. I've direct contact with some of their staff and it can still take 3 days to get a reply for serious issues. The ICO doesn't currently get to keep the fines it issues. So that £160M it handed out to BA will go the the treasury not to the ICO.

    1. fostejo

      Re: ICO

      My 'Good to see they're taking responsibility' comment was squarely aimed at Three, not the ICO - though a simple Twitter reply from them also to acknowledge they were aware of wouldn't have gone amiss either.

    2. robidy

      Re: ICO

      It's a good thing they don't keep the fines, it's appauallling the limited amount of resources they have and impressive what their limited staff do achieve woth those limited resources.

  7. Joe Harrison

    Confusing

    Although a customer I never really bother with Three's website or billing system but thought I would login to see if I'm affected by this latest bug.

    It does seem to show my own details rather than someone else's but still not a lot of use. "Your next bill will be ready on 13 Aug 2019 (83 days ago)" ???

  8. N2 Silver badge

    Threes website

    I must admit threes website is the epitomie of web 2.0 or what ever its now called utter shyte at its very finest.

    The Log In not changing to log out at the top is just the start, or have I locked down too many useless scripts?

  9. Uplink

    Low data notifications

    Is that why Three is texting me that my data allowance is low? I mean, I only have 1.6 GB left out of my 2 GB, and to some people that might be low, but come on.

    1. Anonymous Coward
      Anonymous Coward

      'Tis but a scratch, I say

      I've just been told the same when their app shows I've got 3.89GB of 4GB remaining!

    2. ianmcca

      Re: Low data notifications

      One our accounts also has the problem of receiving incorrect low or out of data messages which has been going on for what seems like years. The same account also showed nonsense on the website for billing cycle data not used etc.

      By coincidence I lost patience just yesterday and used live chat to complain. Magically a mere 45 mins later the website was fixed and hopefully the stupid messages will stop now. Time will tell.

      To be fair to 3 billing has always been correct and despite the messages data flowed as normal.

  10. nronchers

    Related...?

    https://www.theepochtimes.com/chinese-state-sponsored-hackers-intercept-text-messages-worldwide-cyber-report_3135052.html

  11. Jamie Jones Silver badge

    You say the website died last week. Maybe they had a disk failure, and restored the site to an old version prior to the original fix?

    Just a thought.

    1. Anonymous Coward
      Anonymous Coward

      backups

      My thought too.

  12. LeahroyNake Silver badge

    Hang on

    I thought security was their 'highest priority'?

    Obviously it is not.

  13. Ken Moorhouse Silver badge

    ...fewer than 10 customers have reported...

    Or to be more specific:-

    3 Customers have reported...

  14. dnicholas Bronze badge

    Typo

    "fewer than 10(million) customers"

  15. This post has been deleted by its author

  16. PPK
    Facepalm

    Autologin to blame?

    If your phone is connected via mobile data and not WiFi, and you use the Three app, it automatically logs you into your account based on some aspect of the SIM information. Clicking through to (for instance) itemised bills bounces you to a web browser, but again automatically logs in to the My3 part of the website - no username or password required.

    Likelihood of that first step there (auto identification) being borked at times?

    1. Anonymous Coward
      Anonymous Coward

      Re: Autologin to blame?

      Interesting thought, that would mean their RAN (Radio Access Network) check for unauthenticated journeys is... Well mildly borked by the sound of things and isn't correctly connecting the customers details. On top of allowing more access than should ever be allowed without putting at least a password in.

      I wonder if the mobile numbers involved have been ported from a different network onto 3 (since there's other databases involved in tracking who looks after which number rather than the block number range to each opperater like in the early days).

      Anon because I work for a rival company and schadenfreude can be a bitch when it comes back around.

  17. sbt Silver badge
    Facepalm

    3 is the magic number

    Sounds like they're failing to invalidate session keys before recycling them on their Web site.

    I just clicked "Login" and got "Login successful". Idiots!

  18. JimPoak

    Halfwit!

    Ok this is now damning. There are two my3 logins. https://www.three.co.uk/New_My3/My3_Home which keeps rotating user accounts and https://www.three.co.uk/My3Account2018/My3Login which correctly asks for user login and password. The first being broken should have been disabled.

    And yes it's still exposing user details. I know I'm old and crusty but has the art of diagnostics been lost forever?

    At some time in the future there will be a new category to measure company performance Good, Average, Poor. Bad and Three

  19. Anonymous Coward
    Anonymous Coward

    It's the new web "woke" model

    Everything for everyone, no log ins required.

    Get with the program...

  20. L3TH4L1TY

    Very strange set-up

    Firstly, that "fewer than 10" comment is hilarious, that's just indicative of the amount of people who just happened to access the Three website using someone elses hotspot AND bothered to report it.

    I set up Three wireless broadband for my ex, and although on good terms, there's physical distance between us, so when I get questions about it being down etc, two things have struck me as being strange practice. Firstly, you can only reset a MyThree password if you have access to the sim card, which presumes said sim card is in a phone and able to receive messages? Secondly, and more ironically relevant given this story, you can only access the Three mobile app when connected to your (although I'm now presuming any) Three connection. Want to check your bills etc out of home, forget about it. The set-up seems oddly backwards.

  21. Cavey Wavey
    WTF?

    What the shitting Crikey!!

    Now completley unrealated to the article, and rant incoming...

    Reading this article I thought i'd log in and check my three account..you know just out of Curiosity.

    I noticed I had a £3 charge that was outside of my normal fees...Looking in to it I'd been charged for receving a text message!!! I had a look at the text message in question and it reads "To get our short simple tasty cooking recipes and enjoy hassle free cooking visit http://my.recipefind.co.uk". I had just ignored it as spam, but had been charged £3 to just receive it...the number it came from was 65144.

    Just phoned up 3 who have refunded the cost and blocked future paid messages..... Thank you el-reg without you I probably wouldn't have noticed it. I would never have imagined you could be charged for receiving spam.... Sorry folks rant over

  22. steviebuk Silver badge

    Three are the same...

    ...people that are dicking around with NordVPN on their network, I'm sure of it. It regularly fails to work on the Three network so I switch to WIFI to test. Works fine on the WIFI then flip back to Three and isn't working again once connected to Nord's servers. Disconnect from Nord, network traffic on Three works again. Connect to Nord a while later on Three, all works. Getting fucking annoying now.

  23. MalkyJonson

    Three Bashing

    Wow a lot of Three bashing going on in the article and comments and a few interesting theories from people too.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019