The security concern, revealed by research from cyber security firm UpGuard, was made by a misconfigured security setting on a cloud server because to “human error.”
The error made consumer phone numbers, names, and some PIN codes openly available online. PIN ciphers are used to confirm the status of people who call for customer service.
No loss or theft of consumer information occurred, Verizon told CNN Tech.
UpGuard, the same company that found leaked voter data in June initially said the failure could impact up to 14 million accounts.
Chris Vickery, a Cyber Security researcher at UpGuard, found the Verizon data was exposed by NICE Systems, an Israel-based company Verizon was operating to facilitate customer service calls. The data was gathered over the last six months.
Vickery alerted Verizon to the flaw on June 13. The safety hole was closed on June 22.
The incident arose from NICE security areas that were not set up properly. The group made a security setting public, rather than private, on an Amazon S3 storage server a simple technology used by companies to keep data in the cloud. This suggests Verizon data stored in the cloud was momentarily visible to anyone who had the public link.
The security firm examined a sample of the data and obtained some PIN codes were protected but others were visible next to phone numbers.
UpGuard refused to reveal how the leaked data was discovered.
Dan O’Sullivan, a Cyber Security Analyst with UpGuard, said public PIN codes is a matter because it allows scammers to obtain someone’s phone service if they convince a customer help agent they’re the account holder.
“A scammer could get a two-factor authentication message and potentially modify it or alter the authentication to his liking,” O’Sullivan said. “Or they could cut off way to the real account holder.”
Verizon consumers should update their PIN codes also not use the same one twice, O’Sullivan advises.