The official ‘HelloMobile’ app, named ‘My Mobile Account’, has been exposing various sensitive subscriber details since at least December 2020 to anyone who knew the subscriber’s phone number and nothing else. Users noticed this and repeatedly reported it to the company, but no action was taken to fix the obvious lack of security. All someone had to do to access a ‘HelloMobile’ subscriber’s information was install the app on a device and enter the target’s number.
The information that the attacker would get is the following:
This is so crazy that it’s hard to believe it happened in the first place, and also that it lasted for months. The company “fixed” the problem by taking the entire ‘My Mobile Account’ database offline, so the app doesn’t work anymore. However, this happened just yesterday, following a report by Ars Technica’s Dan Goodin, who tested the problem himself and confirmed it with screenshots and everything.
Q Link Wireless, the carrier behind the ‘HelloMobile’ brand, never responded to the reporter’s messages or to the numerous user reports. It has also not yet sent any breach notifications to the affected customers. The company serves at least two million US-based customers, so it will have some extensive explaining to do to the FCC. In fact, this particular telco is contracted by the government for the ‘Lifeline Program,’ which aims to support low-income consumers.
While there is no indication that malicious actors exploited this security hole, given how widely it was reported by so many people on social media and forums, and how long it remained unaddressed, we would consider data scraping certain. We have scanned the dark web with the help of KELA’s cyber-intelligence tools, but so far we have been unable to find anything out there.