A mobile carrier allowed anyone with one of its customers phone numbers to access their personal information, including name, address, phone number, and text and call history, according to a report by Ars Technica. The carrier, Q Link Wireless, claimed to have over two million customers in 2019.
Ars Technica noted a Reddit post saying that the app used by the carrier and its subsidiary Hello Mobile never asked for a password or any identifying information when the user was logging on with a phone number. Looking through the reviews, there are references to the poor security practices (to put it mildly) going back to December of 2020. While it’s unclear when the credential-less login system appeared, there is an update note from two years…