If you're a Verizon customer who's called customer service in the past six months, it's probably a good idea to update your PIN, or the four-digit billing password that protects your account from people trying to impersonate you over the phone.
An Israel-based company called Nice Systems, a Verizon partner, reportedly exposed as many as 14 million records of subscriber calls on an unprotected Amazon S3 storage server, downloadable by anyone with the server's web address. The records show the subscriber's name, phone number, and account PIN. Security firm UpGuard detailed exactly what data was vulnerable in a recent blog post.
Verizon claims that no loss or theft of customer information occurred. In a statement emailed to BuzzFeed News, a Verizon spokesperson said the leaked dataset included the information of approximately 6 million subscribers. "Verizon is committed to the security and privacy of our customers. We regret the incident and apologize to our customers," the statement said.
Why is that bad?
That last bit of data — the security PIN — is especially sensitive information, as it would grant anyone with the four digit number access to your Verizon account. Verizon representatives use this account code (which, BTW, is different than the code you use to access your smartphone) to verify a customer's identity during a customer service call.
With this PIN, hackers can more easily gain access to online accounts (email, social media, banking, etc.) protected by two-factor authentication, which requires a code typically provided by text message in addition to a password.
Hackers would be able to call cell providers, impersonate the user, and change the SIM card on record to their own (which is what happened to Black Lives Matter activist DeRay Mckesson, when his Twitter account was hacked last year). This method of attack essentially reroutes the security code to another device, allowing hackers to bypass two-factor authentication for any account with it enabled.
If I'm a Verizon customer, what should I do?
The first thing you should do is change your account PIN, just in case. You can never be too careful with your online privacy. Call customer service at (800) 922-0204, visit a retail store with government identification, or go to vzw.com/PIN. Note that the code *can't* be the last four digits of your Social Security number or cell number.
If you've reused that same PIN for other accounts, make sure you update those, too. It's best to keep all of your PINs unique. Those who have trouble remembering all of their PINs can store them safely in a password manager like Last Pass and Dashlane.
How can I protect my account in case of a future security breach revealing PIN numbers?
PIN codes are a still a good way to protect your account, despite the breach. Update your cell provider PIN periodically (every year or so) and don't re-use PINs.
Secondly — and most importantly — if you use two-factor authentication, stay away from using text message-based authentication when you can. Both Google and Facebook (and the previously mentioned password managers!), for example, allow you to use the Google Authenticator app, which generates random codes, or a security key, which is a physical device that can be inserted into a computer's USB port or an Android phone's USB-C ports. iOS users will need the Google Authenticator app in addition to the security key.
These two methods require a hacker to physically have access to your phone or security key, making it much more secure than SMS (text message), which can be intercepted.
What if I'm a customer of another cell provider?
You should still add a PIN — or update it if you haven't in a while.
T-Mobile
You can request to use a "customer care password," which is an additional password required to gain access to your T-Mobile account over the phone.
T-Mobile will text you a PIN number, then prompt you to provide that PIN number to a representative before creating the customer care password.
To enable this feature, call customer service at (877) 746-0909.
Sprint
You're good! Sprint already requests that customers set a PIN, along with security questions, when they sign up.
AT&T
You can add extra security from the myAT&T app or the AT&T mobile site.
Go to Menu > Profile > Login Information. Scroll down and tap Manage wireless passcode, then check Extra security.
Extra security requires an additional passcode when you attempt to get online access to the account, discuss the account in any retail store, or call AT&T's customer service line.
Cyberspace is dark and full of terrors. Stay safe out there!
CORRECTION
The security breach involved the data of 6 million customers and 14 million records of subscriber calls. An earlier version of this story misstated the number of Verizon customers affected by the information leak.