Feeds

Vodafone secures email-flashing barn door

Horse settled down, bringing up foals

5 things you didn’t know about cloud backup

Vodafone has secured the security breach that allowed anyone with a bit of time on their hands to collect subscribers' email addresses and phone numbers.

The hole came to light on Wednesday and allowed anyone to enter a phone number and get the corresponding email address, or enter a valid user name to get both the email and phone number of that user. As word spread about the flaw and customers started getting emails from strangers who knew their phone numbers, Vodafone spent the last couple of days scrabbling to fix the problem.

The flaw isn't new, but hadn't been noticed until now. When a user forgets their password Vodafone asks for their phone number and sends an email to the corresponding address with a reminder. The problem was that the site also confirmed to whom the email had been sent, displaying the subscriber's email address. Users quickly discovered the same thing could be achieved by guessing a login name, in which case both the phone number and email address could be collected.

But now that's been fixed, so customers who forget their password will still get sent a reminder but will have to take it on faith that Vodafone has sent the message to the right place.

"We have sent an email to your registered email address," Voda says. "When you get it, click on the link. This will take you to a page where you can reset your password and view your username." We tried it this morning and have yet to receive the corresponding email, so some work is obviously ongoing, but at least it didn't display our email address to the world.

Quite how many email addresses were compromised in the 48 hours Vodafone spent fixing the problem we don't know. The operator has been busy reassuring customers, explaining: "The personal data stored on their My Account profile has not been directly at risk as a result of the site's functionality."

This is true, but the customer's email address and phone number might well have been compromised and that might matter to them. ®

The essential guide to IT transformation

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
Google has spaffed more cash on lobbying this year than Big Cable
Don't worry, it'll be cheaper when they use drones
EE fails to apologise for HUGE T-Mobile outage that hit Brits on Friday
Customer: 'Please change your name to occasionally somewhere'
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?