back to article Vodafone shares subscriber info with world+dog

Vodafone has been caught taking liberties with customers' email accounts, and it seems at least some of the customers aren't happy about the practice. The problem is with the password reminder feature on the “My account” section of the carrier's website. All you have to do is enter the phone number of the person you're …

COMMENTS

This topic is closed for new posts.
  1. Matt Brigden
    WTF?

    Gah morons

    I left vodafone a couple of years back and ported the number away and yes my email addy is visible . Dipsticks

    1. Anonymous Coward
      Boffin

      I've just played around with it a bit

      And if you log-in (via password reminder or whatever) and then unsubscribe from all services and then from Online Services (clicking on "Deregister from Online services and remove my vodafone details"), this trick won't work anymore.

  2. Anonymous Coward
    Anonymous Coward

    Not just the number

    It will do the same for a username. So just type in random possible usernames and you get presented with their e-mail address.

    I tried it with a few and every username was taken and the address presented.

  3. Gene Poole
    Thumb Up

    Still working

    Still working at 1715. I tested it with the numbers of a few work colleagues.

  4. Anonymous Coward
    Anonymous Coward

    Extra hack

    Following on from the A/C a few before me, if you punch in a random username, you get an email address come back and asking whether that's the right one. If you say no, it tells you it's sent a text to the associated mobile, and even gives you the number. Helpful.

  5. el-em
    WTF?

    haven't been on Vodamoan for 6 years yet

    one of my older email address aliases is still shown - which has recently been getting spam for the first time ever. Thank you Vodaspam.

  6. Anonymous Coward
    Anonymous Coward

    And that's why...

    ...I have a spam account.

    Because I don't trust any of the buggers.

  7. Dante Alighieri
    Black Helicopters

    he walks among us, and uses Hotmail!

    Jesus uses Vodafone according to the undocumented feature ;q

    fortunately I've never shared my email with them so I remain less spammable.

    I think my next phone will be bought outright and a selection of monthly SIMS used as I see fit with no disclosure of such information

  8. johnnytruant
    FAIL

    After I posted on their forum about this

    Their forum manager phoned me and apparently they are aware of the issue and doing everything they can as fast as they can. They weren't aware it worked with usernames too though.

    "Everything they can" doesn't, it seem, include taking down the offending page. Which is strange, 'cos that's the first thing I'd do.

    On the plus side, if we can find a way to extract electrical energy from Vodafone's incompetence, that'll be global warming sorted.

  9. Darryl

    That's not his boss's address

    How did Terence Eden get my email address? I'm not a Vodafone subscriber.

  10. Voda_Fail
    Big Brother

    Data Protection Act fail?

    Having not been a Vodafone customer for over 4 years, I was somewhat surprised to see that my online account is still active and that they've retained my personal details (D.O.B., address and so on). Now, I'm no legal expert but I do think that hanging on to my details for nearly half a decade after I dispensed with their services counts as being "kept for longer than is necessary".

    1. McMoo

      Seven

      It is reasonable for Vodafone to keep account information for seven years due to UK tax laws.

      If they destroyed accountholder info after four years as you suggest, they would fail an audit if required.

  11. Pandy06269
    FAIL

    @20:30 GMT

    Just tried a couple of attempts and yes, mine and my boyfriend's phone numbers and usernames return our e-mail address.

    Haven't seen it give up my phone number to my username.

    Now it's off-line though - the world's friendliest error message states:

    "We're making things better

    We're making some improvements to this area of our site. But don't worry - we'll have everything back to normal soon."

    It'll be interesting to see what they come up with.

  12. David Neil
    FAIL

    Longer than necessary

    They may pass an audit on the basis that they kept the records, but I can tell you they would fail on basis of the risk presented by this exploit.

    All they have to do to fufil that requirement is keep the data on record somewhere, not serve it up on a faulty web front end.

  13. Anonymous Coward
    FAIL

    Half fixed by a half-assed company

    Type in "bilbobuggins" and get a "wrong username" error, type in "tonyblair" and get an "Unfortunately, your request cannot be processed". So no longer spilling the beans but it seems you could still build up a list of usernames for attack later.

  14. Voda_Fail
    Big Brother

    @McMoo

    It may be reasonable for Vodafone to keep billing and invoice information for seven years due to UK tax laws, but they certainly don't need my date of birth or email address.

    I'll (almost) leave the final word on this to the ICO who enforce the Data Protection Act "...there is a significant difference between permanently deleting a record and archiving it. If a record is archived or stored offline, this should reduce its availability and the risk of misuse or mistake". Such as serving it up to all and sundry via a faulty website, for example.

  15. Mr Young
    Grenade

    Cheeeeeeeeeeeeeeeeeese

    Oops, I forgot to say Vodafone

  16. Nym O'Nonymous

    That would be the Terence Eden, who recently left Vodafone after 6 years

    Terence began in the security team, moved onto the web teams, ended his days there as a "commercial planning manager". Clearly no love lost between him and Vodafone now.

    Ever heard of responsible disclosure, Terence? Look it up before you broadcast how to recover Vodafone customer emails addresses to the world.

    Nym

  17. Wize

    Its stopped working now

    Its putting up holding page when you click 'I've forgotten some details' saying their site is under maintenance.

  18. Pandy06269
    Go

    And it's fixed

    You now get:

    "If you provided us with a valid email address when you registered online, click on Send email. When it arrives, click on the link which will take you to a page where you can reset your password and view your username.

    Alternatively, you can enter your email address by clicking 'Enter my email address'."

    You can still build up a list of valid usernames as it gives you the message "something's wrong with your account; contact the support desk blah blah blah" if you enter an invalid username, but get the above text when it's valid.

    At least it's not a phone -> e-mail converter any more.

    1. stratofish
      Black Helicopters

      ...or not

      And if you click on 'Enter my email address' it helpfully tells you the phone number of that valid username...

      /facepalm

      1. Pandy06269

        Not any more

        Nope - it sent a code to my mobile phone and asked me to enter it.

  19. Matt Hawkins
    WTF?

    Vodafone Fail after Fail

    As a VF customer I am amazed every time I read any news it contains stories about Vodafone cocking something up.

    Rolling out malware on the HTC Desire .... then rolling out junk onto the Samsung Galaxy S.

    Then giving out people's data to criminals/stalkers/spammers.

    Whoever developed those Vodafone processes is an idiot who needs sacking. They clearly haven't got a clue about security or how to protect people's data.

    I'm surprised this isn't illegal under the data protection act. Aren't companies obliged to take care of your data?

This topic is closed for new posts.

Other stories you might like