If you’re a Verizon customer, you need to change your PIN — the personal identification number you use when contacting customer service — right now.
An security firm revealed on Wednesday that information on as many as 14 million Verizon accounts was exposed on an unsecured server. The information consisted of the subscriber’s name, cellphone number, and the account PIN. The last element is obviously the crucial one: With the PIN, an attacker could easily gain access to the subscriber’s account.
With free access to the account, an attacker could make whatever changes to service that they want, theoretically adding lines or specific features. Targeting wireless accounts is also a key way cyber criminals bypass two-factor authentication (2fa) on third-party services, since many users choose to get verification codes via SMS text messages because of their convenience.
Initial reports of the breach indicated 14 million accounts were exposed, but Verizon told CNN that the number was 6 million. The security company, UpGuard, told Verizon about the exposed data on June 13, and Verizon had dealt with the problem by June 22, CNN reported. UpGuard is the same company that discovered unsecured voter registration data on the servers of an RNC contractor in June.
The exposed customer records were from call logs that get created when a Verizon user contacts customer service. The records go back six months, so only customers who called customer service had their account information compromised. Some PIN numbers were hidden but others were exposed. It’s unclear if the data is limited to Verizon Wireless customers or if residential and business services (such as FiOS) had exposed customer data, too.
So far Verizon has not provided a way for customers to check whether or not their data was exposed, so the safest thing to do right now is to change your PIN.
An Israeli company, Nice Systems, mistakenly designated the data, which was stored on an Amazon S3 server, as "public," ZDNet reported when it broke the story. Wireless carriers like Verizon often contract other companies to manage their customer service calls and the data they generate.