The U.S government has made several legislative changes over the last year to minimize the ongoing pandemic impact. One such change was to help low-income families with mobile data and easier ways to look for a job. Tap or click here for a tool that helps find your perfect career.
One wireless provider stepped up to offer various connectivity solutions, cheaper mobile data, and handsets at a reduced price. As a Mobile Virtual Network Operator (MVNO), it leased bandwidth from other providers and sold that to its customers.
To check balances and manage your account, you can download the company’s My Mobile Account app for iOS and Android. But a major flaw has been discovered in the code, putting the personal details of millions of users at risk.
Here’s the backstory
Initial reports of the Q Link Wireless flaw started to surface last year on Reddit. Several users questioned why no password was required to log into an account — only a valid Q Link Wireless number. After some investigation, it turns out that anybody can log into your account.
This has potentially exposed the personal details of over 2 million customers. Among the data available to anyone includes:
- Full name
- Home address
- Calling history
- Text messages
- Phone carrier account number
- Email address
- Last four digits of the associated payment card
If anybody got their hands on your information, it could be used for a variety of nefarious things. Identity theft is among the worst.
It should be noted that none of the exposed information could be edited or changed, so there isn’t an imminent danger of someone stealing your account.
What can you do about it?
At the time of writing, it seems that Q Link Wireless is hastily trying to plug the holes. Many users have reported that the app has stopped working or gives an error about the phone number not matching the account. Q Link Wireless is likely implementing a fix on its servers.
Unfortunately, there is no way to know if your information has been exploited through this flaw. The good news according to Ars Technica, “security firm Intel471 found no discussions in criminal forums about the available data.” So the data most likely hasn’t been used by cybercriminals yet.
To check if your information has ever been part of a breach, visit HaveIbeenpwned? The site will show you which breaches are associated with your email address or social media accounts and suggest actions. Tap or click here to see how the site works.
Malware trap: Think twice before you click Google Drive links
Don’t click any email link or web link before asking these questions