‘HelloMobile’ App Exposed User Data to Anyone Who Entered Their Number

  • Customers of Q Link’s ‘HelloMobile’ have suffered a massive data breach through the official app itself.
  • The app, ‘My Mobile Account,’ had no security controls to stop third parties from accessing subscriber data.
  • All that someone would need to have in order to get the sensitive details of anyone was their phone number.

The official ‘HelloMobile’ app, named ‘My Mobile Account,’ has been exposing various sensitive subscriber information since at least December 2020 to anyone who has the subscriber’s phone number and nothing else. Users noticed this and repeatedly reported it to the company, but no action was taken to fix the obvious lack of security. All someone had to do to access a ‘HelloMobile’ subscriber’s information was install the app on a device and enter the target’s number.

The information that the attacker would get is the following:

  • First and last name
  • Home address
  • Phone call history (from/to)
  • Text message history (from/to)
  • Phone carrier account number needed for porting
  • Email address
  • Last four digits of the associated payment card
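
The flaw described above is a lookup in which the phone number serves as both the identifier and the only "credential." The following is an added example, not code from the app or from Q Link, showing that pattern beside a version that binds the lookup to an authenticated session. All function names, the token format, and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: phone numbers and records are made up.
SUBSCRIBERS = {
    "5550100": {"name": "Alice Example", "email": "alice@example.com", "card_last4": "4242"},
    "5550101": {"name": "Bob Example", "email": "bob@example.com", "card_last4": "1881"},
}
SERVER_KEY = secrets.token_bytes(32)  # per-process key used to sign session tokens


def _tag(phone):
    """HMAC over the phone number, so a token cannot be forged without SERVER_KEY."""
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def lookup_insecure(phone):
    """Flawed pattern: anyone who knows a number gets that subscriber's record."""
    return SUBSCRIBERS.get(phone)


def issue_session(phone, proof_ok):
    """Issue a token bound to `phone` only after proof of ownership succeeded.

    `proof_ok` is a stand-in (assumption) for a real check such as a password
    or a one-time code delivered to the line. A production token would also
    carry an expiry time.
    """
    if not proof_ok or phone not in SUBSCRIBERS:
        return None
    return f"{phone}.{_tag(phone)}"


def lookup_secure(token, requested_phone):
    """Return a record only to a session bound to the requested number."""
    if not token or "." not in token:
        return None  # unauthenticated request
    phone, tag = token.rsplit(".", 1)
    if not hmac.compare_digest(tag.encode(), _tag(phone).encode()):
        return None  # forged or tampered token
    if phone != requested_phone:
        return None  # authenticated, but asking for someone else's account
    return SUBSCRIBERS.get(phone)
```

The server-side ownership check in `lookup_secure` is the control that matters: the number the client sends is treated as a request, never as proof of identity.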

This is so crazy that it’s hard to believe it happened in the first place, and also that it lasted for months. The company “fixed” the problem by taking the entire ‘My Mobile Account’ database offline, so the app doesn’t work anymore. However, this happened just yesterday, following a report by Ars Technica’s Dan Goodin, who tested the problem himself and confirmed it with screenshots and everything.

Source: Ars Technica

Q Link Wireless, the carrier behind the ‘HelloMobile’ brand, never responded to the reporter’s messages or the numerous user reports. They have also not sent out any notifications of a breach to the affected customers yet. The company provides its services to at least two million US-based customers, so it will have some extensive explaining to do to the FCC. In fact, this telco is contracted by the government for the ‘Lifeline Program,’ which aims to support low-income consumers.

While there are no indications that this security hole was exploited by malicious actors, it was so widely reported by so many people on social media and forums, and it remained unaddressed for so long, that we would consider data scraping certain. We have scanned the dark web with the help of KELA’s cyber-intelligence tools, but for now, we were unable to find anything out there.
