No password required: wireless carrier exposes data for millions of accounts
Q Link Wireless, a provider of low-cost cell phone and data services to 2 million customers in the United States, has made confidential account information available to anyone who knows a valid phone number on the operator’s network, an analysis of the company’s account management app shows.
Q Link Wireless, based in Dania, Florida, is what is known as a mobile virtual network operator. This means that it does not operate its own wireless network, but buys services in bulk from other network operators and resells them. It provides government-subsidized phones and services to low-income consumers through the FCC’s Lifeline program. The company also offers a range of low-cost service plans under the Hello Mobile brand. In 2019, Q Link Wireless said it had 2 million customers.
The carrier offers an app called “My Mobile Account” (for iOS and Android) that lets customers monitor their text and call histories, check data and minute usage, and buy additional minutes or data. The app also shows:
- First and Last Name
- Home address
- Call history (from / to)
- SMS history (from / to)
- Carrier account number, which is required for porting
- The last four digits of the associated payment card
Screenshots from the iOS version look like this:
No password required... What?
Since at least December, and possibly much earlier, My Mobile Account has displayed this information for any customer account when a valid Q Link Wireless phone number is entered. That’s right: no password or anything else required.
The first time I saw a Reddit thread discussing the app, I was sure there was a bug. So I installed the app, got permission from another thread reader, and entered his phone number. I was immediately looking at his personal information, as shown in the redacted images above.
The person who started the Reddit thread said in an email that they reported this apparent insecurity to Q Link Wireless sometime in the past year. Emails he provided show that he notified support twice this year, first in February and again this month.
Reviews of the iOS and Android apps also reported this issue. On several occasions, a Q Link Wireless representative responded to the individual reviews.
The data exposure is severe because phone numbers are so easy to come by. We hand them to potential employers, auto mechanics and other strangers. And of course, phone numbers can easily be obtained by private investigators, abusive spouses, stalkers, and anyone else with an interest in a particular person. For Q Link Wireless to make customer data freely available to anyone who knows a customer’s phone number is gross negligence.
I started emailing the carrier about the insecurity on Wednesday and followed up with nearly a dozen more messages. Q Link Wireless CEO and founder Issa Asad didn’t respond, even though I noted that every hour he allowed the data exposure to continue, the risk to his customers grew.
My Mobile Account stopped connecting to customer accounts late on Thursday. When the number of a Q Link Wireless customer is entered, the app now responds with the message: “The phone number does not match an account.” The iOS and Android versions of the app were last updated in February, suggesting the fix is the result of a change Q Link Wireless made on the server side.
My Mobile Account showed customers’ personal information, but offered no way to change that information. The app didn’t show any passwords either. This means that a person could not exploit this leak to perform a SIM swap or lock users out of their accounts, although the exposed data may make it easier for a would-be SIM swapper to socially engineer a Q Link Wireless agent into porting a number to a new phone.
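To make the failure concrete, here is an added illustration of the two designs in miniature. It is constructed for this article and is not Q Link Wireless’s code (the app’s backend is not public): a lookup that hands an account record to anyone who supplies a valid phone number, beside a hardened lookup that returns a record only to a session authenticated for that same number and otherwise answers with the generic message the app now shows. All names, numbers, passwords, account fields and the session store are invented sample data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample accounts: every value here is invented for this example.
ACCOUNTS: Dict[str, dict] = {
    "+15550001111": {"name": "Ada Example", "address": "1 Sample St",
                     "card_last4": "4242", "port_account_number": "QL-0001"},
    "+15550002222": {"name": "Bob Example", "address": "2 Sample Ave",
                     "card_last4": "1337", "port_account_number": "QL-0002"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash so stored credentials are not recoverable from a dump.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_credential(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt)


# Invented passwords, stored only as (salt, hash).
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "+15550001111": _make_credential("ada-password"),
    "+15550002222": _make_credential("bob-password"),
}

# Session store: opaque token -> the single phone number it was issued for.
SESSIONS: Dict[str, str] = {}

# Same answer for "no such number" and "not your number", so a caller cannot
# use the response to confirm which numbers belong to customers.
GENERIC_DENIAL = "The phone number does not match an account."


def vulnerable_lookup(phone: str) -> Optional[dict]:
    """The flawed pattern the article describes: knowing a valid phone
    number is the only 'credential' needed to read the whole record."""
    return ACCOUNTS.get(phone)


def login(phone: str, password: str) -> Optional[str]:
    """Issue a session token only after the caller proves the password.
    Any real deployment would rate-limit this and usually add a second
    factor; both are omitted to keep the example short."""
    cred = CREDENTIALS.get(phone)
    if cred is None:
        return None
    salt, expected = cred
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def hardened_lookup(session_token: str, phone: str) -> Tuple[bool, object]:
    """Return the record only if the session is valid AND bound to the very
    number being requested (an authorization check, not just authentication).
    Returns (True, record) on success, (False, GENERIC_DENIAL) otherwise."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return False, GENERIC_DENIAL
    if not hmac.compare_digest(owner, phone):
        return False, GENERIC_DENIAL
    record = ACCOUNTS.get(phone)
    if record is None:
        return False, GENERIC_DENIAL
    return True, record


def demo() -> dict:
    """Run both lookups against the sample data and report what each allows."""
    token = login("+15550001111", "ada-password")
    return {
        "anyone_can_read_bob": vulnerable_lookup("+15550002222") is not None,
        "ada_reads_own": hardened_lookup(token, "+15550001111")[0],
        "ada_reads_bob": hardened_lookup(token, "+15550002222")[0],
        "no_session": hardened_lookup("not-a-token", "+15550001111")[0],
    }


if __name__ == "__main__":
    print(demo())
```

The key difference is the second check in `hardened_lookup`: a valid session is not enough; the session must be bound to the number being queried. Skipping that ownership check would reproduce the exposure even with a login screen in front of it, since any customer could then read any other customer’s record.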
There is no evidence, one way or the other, that this leak has been actively exploited. Researchers at security firm Intel 471 found no discussion of the exposed data in criminal forums, but there is no way to tell whether it was misused on a smaller scale, for example by someone a Q Link Wireless customer knows or has interacted with.
As customers seeking low-cost, no-frills cellular service, Q Link users belong to a population that may be least able to afford the consequences of a data breach and other privacy intrusions. The carrier has not yet notified customers of the data exposure. Users of the service should consider all data displayed by the app to be available to anyone who has their phone number.