Major Verizon Data Breach: What to Do Now

UPDATED 8:20 a.m. ET Thursday (July 13) with a statement from Verizon.

Have you called Verizon customer service in 2017? Better change your account personal identification number (PIN), if you have one.

Credit: DayOwl/Shutterstock

(Image credit: DayOwl/Shutterstock)

Verizon told CNN that personal information pertaining to six million customers, including names, street addresses, email addresses, telephone numbers and account PINs, had been left exposed in a database on a third-party cloud server for an undetermined length of time.

UpGuard, the information-security company whose researcher, Chris Vickery, found the exposed database, contended in its report today (June 12) that the number of affected Verizon accounts might be closer to 14 million.

MORE: What to Do After a Data Breach

The unprotected cloud server was operated by NICE, an Israeli firm that handles customer-service operations for many large American companies.

Vickery, who specializes in finding unprotected data online, stumbled across the database by guessing its web address. He said it contained logs of Verizon customer-service inquiries beginning in January 2017.

Vickery notified Verizon of the exposed database on June 13, the UpGuard report states, but the database was not fully secured until June 22. There is no evidence that anyone other than Vickery accessed the data — but on the other hand, there's no evidence that no one did.

Although the logs made reference to voice recordings of customer-service calls, the UpGuard report said Vickery found none on the server.

It was not immediately clear whether the customer database pertained to Verizon wireless, landline or business customers, or a combination of any of the three.

Last month, Vickery revealed that he'd found data pertaining to nearly every registered U.S. voter on an unprotected online database run by a political analytics firm. That was the second time he'd done so. Last year, he found data pertaining to nearly 2,000 children in a server run by a parental-monitoring software firm.

Vickery also found data on the NICE server pertaining to Orange, a French cellular carrier that has operations in two dozen countries in Europe, the Middle East and Africa. That data appeared to be less sensitive.

UPDATE: Verizon has released a statement that reads, in part:

"We have been able to confirm that the only access to the cloud-storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information."

The statement goes on to imply that the telephone numbers involved are primarily from residential and business landlines, and that "the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts."

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.