Vodafone's online account management system has turned out to be leakier than a Welsh vegetable convention this week… And it has, to quote a man who knows, been "kicking off" in their online support forums, as angry users who had heard the news mixed with those confused by unsolicited password-reset emails.
First spotted by Denny de la Haye, and then highlighted by Really Mobile's nominee for 'Mr Mobile' and friend of the site Terrence Eden, who blogged about the problem (The Register regurgitated his efforts), it seems Voda's online password recovery tool was so keen to help that, in response to a request to recover a forgotten password, the confirmation screen exposed the email address or telephone number of the user. It didn't take long for the naughtier people of the internet to realise that this (combined with a list of popular usernames) was a great way to harvest lots of data for spamming (or worse).
Although the password recovery service was disabled around 11am this morning, many posting on the forum were angry that this response took over 12 hours to come. Whilst Vodafone's official representatives said they were 'investigating', angry users posted data they had obtained using this technique as 'proof' of the hole. Other posts from users receiving password reset prompts (a harmless side-effect of the user's details being exposed) suggest that at least a few people set out to exploit the opportunity to harvest as much data as they could.
Questions are already being asked by customers as to whether there has been a breach of the UK's data protection law, which amongst its provisions states that personal data must be 'secured appropriately' and 'used only for the purpose it was collected', but the bigger question has to be how Vodafone allowed the code responsible onto its website and why the reaction was so slow to come.
The issue's now been fixed properly, a further 12 hours after it was disabled, but a number of customers are still unhappy that there hasn't been a clearer statement from Vodafone or, it appears, an apology.
My email address and telephone numbers are available widely enough that I'd be angry, but not at much extra risk, if my details had been leaked. But if I were a Vodafone customer tonight I would be thinking hard about whether I wanted to give my bank details to a business that was so slow to react to an apparent security breach.