Sprint contractor leaves 261,000 phone bills exposed on an unprotected server

Hundreds of thousands of cell phone bills were discovered exposed on an unprotected cloud server.

More than 261,300 documents belonged to AT&T, Verizon and T-Mobile subscribers that show names, addresses, phone numbers and call histories.

Bank statements were also found in the bucket, in addition to usernames, passwords and PINS – allowing anyone to access these accounts.

The leak has been tracked back to a Sprint contractor and the marketing agency and although an accident, it is being blamed on a lack of security surrounding the storage of the data.

The server held more than 261,300 documents with a majority being phone bills that go back as far as 2015, as reported by TechCrunch.

More than 261,300 documents belonged to AT&T, Verizon and T-Mobile subscribers that show names, addresses, phone numbers and call histories

A Sprint spokesperson told DailyMail.com in an email: ‘As soon as we became aware of the situation, we contacted the vendor and have been assured that a security vulnerability has been corrected.’ 

‘We take the security of customers’ information very seriously and are monitoring this situation closely to ensure that the vendor takes all appropriate steps to strengthen security measures.’

‘Impacted customers will be notified directly with details on how to contact us for additional information.’

The data was being held on Amazon Web Services (AWS) and was found to be without a password, allowing anyone to access the server’s contents.

TechCrunch noted that it is not clear how long the data was exposed before being spotted.

The cell phone bills showed names addresses and phone numbers, and many included call histories of subscriber from AT&T, Verizon and T-Mobile.

The data was being held on Amazon Web Services (AWS) and was found to be without a password, allowing anyone to access the server’s contents

The documents were part of the Sprint’s sales tactic, which offers to pay the termination fee if customers leave their current carrier to join theirs

The documents were part of the Sprint’s sales tactic, which offers to pay the termination fee if customers leave their current carrier to join theirs.

TechCrunch also discovered bank statements and a screenshot of a web page that had subscribers’ online usernames, passwords and account PINs — which in combination could allow access to a customer’s account.

U.K.-based penetration testing company Fidus Information Security found the exposed data, but it wasn’t immediately clear who owned the bucket, TechCrunch reported.

And the server has since been shutdown.

Jeff Deardorff, president of Deardorff Communications, confirmed his company owned the server and told TechCrunch in an email: ‘I have launched an internal investigation to determine the root cause of this issue, and we are also reviewing our policies and procedures to make sure something like this doesn’t happen again.’

A separate leak surfaced last month that exposed more than a billion people.

Profiles of 1.2 billion individuals were left exposed on a single server that contained everything from social media accounts to phone numbers and email addresses.

There were also bank statements and a screenshot of a web page that had subscribers’ online usernames, passwords and account PINs — which in combination could allow access to a customer’s account

The data trove contained millions of social media profiles, nearly 50 million phone numbers and 622 million email addresses – making it one of the largest leaks from a single source in history.

The leak was discovered by a dark web researcher who said the server shared enough information that hackers could easily impersonate the victims online.

Vinny Troia made the discovery in October while looking for exposures with fellow security researcher Bob Diachenko on the web scanning services BinaryEdge and Shodan, as first reported on by Wired.