A security lapse exposed the PINs of approximately 6 million Verizon customers.
If you're a Verizon customer who's called customer service in the past six months, it's probably a good idea to update your PIN, the four-digit billing password that protects your account from people trying to impersonate you over the phone.
An Israel-based company called Nice Systems, a Verizon partner, reportedly exposed as many as 14 million records of subscriber calls on an unprotected Amazon S3 storage server, downloadable by anyone with the server's web address. The records show the subscriber's name, phone number, and account PIN. Security firm UpGuard detailed exactly what data was vulnerable in a recent blog post.
Verizon claims that no loss or theft of customer information occurred. In a statement emailed to BuzzFeed News, a Verizon spokesperson said the leaked dataset included the information of approximately 6 million subscribers. "Verizon is committed to the security and privacy of our customers. We regret the incident and apologize to our customers," the statement said.
Why is that bad?
That last bit of data — the security PIN — is especially sensitive, as it would grant anyone with the four-digit number access to your Verizon account. Verizon representatives use this account code (which, BTW, is different from the code you use to access your smartphone) to verify a customer's identity during a customer service call.
With this PIN, hackers can more easily gain access to online accounts (email, social media, banking, etc.) protected by two-factor authentication, which requires a code typically provided by text message in addition to a password.
Hackers would be able to call cell providers, impersonate the user, and change the SIM card on record to their own (which is what happened to Black Lives Matter activist DeRay Mckesson, when his Twitter account was hacked last year). This method of attack essentially reroutes the security code to another device, allowing hackers to bypass two-factor authentication for any account with it enabled.
I'm a Verizon customer, what should I do?
The first thing you should do is change your account PIN, just in case. You can never be too careful with your online privacy. Call customer service at (800) 922-0204, visit a retail store with government identification, or go to vzw.com/PIN. Note that the code *can't* be the last four digits of your Social Security number or cell number.
If you've reused that same PIN for other accounts, make sure you update those, too. It's best to keep all of your PINs unique. Those who have trouble remembering all of their PINs can store them safely in a password manager like LastPass or Dashlane.
Source: Nicole Nguyen