Here's What Happens When a Sprint Contractor Exposes AT&T, T-Mobile, and Verizon Bills

Sprint Contractor Data Leak

On its website (which, on an unrelated note, is loaded through HTTP, and not HTTPS), Deardorff Communications, a marketing and communications company based in Georgia, says that its team is highly experienced in a variety of fields, including strategic planning, sales, advertising, etc. Unfortunately, when it comes to configuring Amazon Web Service storage buckets, their expertise is lacking a bit.

A Deardorff employee put a little over a quarter of a million documents in an Amazon S3 bucket, failed to set a password, and forgot to change the accessibility settings from "public" to "private". As a result, the bucket, along with all the files in it, could be viewed from anywhere in the world. Not surprisingly, at one point, researchers from a penetration testing company called Fidus Information Security, the same people who revealed a security flaw in the Vatican's new eRosary as well as a data leak by Magic: The Gathering's publisher, ended up looking at Deardorff's bucket.

Phone bills and plenty of sensitive information left out in the open

There were a little over 260 thousand documents in the bucket, and the majority of them were cell phone bills that belonged to AT&T, T-Mobile, and Verizon subscribers. Deardorff collected all these files because Sprint, one of their biggest customers, wanted to persuade subscribers to change their cell phone service provider. According to one of the documents, Sprint was even prepared to pay the early termination fees, just to ensure that more people are using its services.

The phone bills themselves reveal quite a lot of personal information and contact details, and they also often contain call logs, which some people probably prefer not to share with the rest of the world. In addition to all this, the researchers also found a bank statement and a screenshot that revealed the online usernames, passwords, and PINs of an unknown number of subscribers.

At first, it wasn't clear who had exposed the data. Shortly after finding the bucket, the experts notified Amazon, which got in touch with the data's owner and had it taken offline. For legal reasons, however, Amazon refused to tell Fidus who was responsible for the leak.

The data was shared with Zack Whittaker from TechCrunch, though, who ran some of the files through a metadata checker and learned that it was probably owned by Deardorff. Jeff Deardorff, the marketing company's president, admitted that one of his employees was responsible for the leak and promised that he'd do what he can to figure out what went wrong and what can be done to prevent similar incidents in the future.

Data leaks like this are far too common

Some of you might say that this is far from the most horrific data security incident and that many other documents can be far more dangerous. A quick look at your latest regular phone bill reveals, however, that what looks like an innocuous piece of paper actually contains information that can easily lead to identity theft. In this particular case, Deardorff also revealed subscribers' passwords and PIN numbers, which increases the risk of attacks like SIM swapping and credential stuffing.

The real problem is that similar leaks happen on a daily basis. More often than not, they are caused by easily avoidable and fairly simple configuration mistakes, but lack of education means that IT people don't know what to do when they're tasked with securely storing users' data.

Deardorff didn't say when the bucket was first opened to the public, and nobody can confirm whether or not cybercriminals managed to get to it before it was taken offline. Zack Whittaker asked AT&T, Verizon, and T-Mobile for further comment, but he received nothing substantial, most likely because the three telecommunication providers simply don't have anything to add. The upshot is, we don't know how many people were potentially affected by the leak, which means that if you're an AT&T, Verizon, or T-Mobile subscriber or if you have switched from them to Sprint, you might want to watch out for any signs of fraud or identity theft.

By Duran
December 9, 2019
News
English
December 9, 2019
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

How To

How to Protect Your Data on Mobile Devices

According to a 2017 survey done by the Pew Research Center, 28 percent of smartphone owners do not use a lock screen or other security tools to lock their phones. That's almost 1/3 of smartphone users, who leave their... Read more

August 7, 2019
How To

How to Reset Your Forgotten Mobile Banking Password of Santander Bank

Did you forget your online/mobile Banking password for your account at Santander Bank? Or maybe your password got blocked because you entered the wrong password one too many times? If you're having a password-related... Read more

January 25, 2019
News

T-Mobile Data Breach Forces Customers to Change Their Passwords

Over the weekend, T-Mobile customers started receiving text messages that got them quite worried. Their telecommunication provider had suffered a data breach, which resulted in unauthorized access to customer... Read more

November 26, 2019
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.