Wow. Just... (/facepalm) wow.

[SunnyD]

As I'm sitting here dealing with cleaning up the aftermath of a hacked personal email account from this weekend, I sit and think of various security implications of things that happen on the web and why my request to Yahoo for detailed log information for the 20 minutes of "breach" was essentially stonewalled (rightfully so, after contemplating it) with a blanket "requires written request, court order or subpoena" for what I wanted from them.

But then, just a little while ago, I get not one but two emails from my new cell phone carrier regarding "my" port request having been completed. Well, one is for me. The other happens to be for some other individual in California, for some reason the customer service agent handling our requests decided to email me. Interestingly enough, in my brain-fog of privacy information-related fun, I am now furnished with a full name, address, telephone number (new and old), account information (new and old), pin number, SIM card information and other goodies about some unsuspecting chap in California. All by happenstance.

The mere fact that all of this information is even provided in an email in easy-to-use summary format simply blows my mind. I'm sure it's a slip for CS Agent Gonzalez. I really don't feel like getting anyone fired today. But gawd damn! Who needs the NSA when you get service like this?

/blog

cliffs:
Customer service emailed me nearly full account information for someone else's account, unsolicited.

 

[lxskllr]

GPG encryption should be more widely known and used.

Edit:
Thinking about it, GPG wouldn't have helped in this case. The CS probably copy/pasted the info into the email, and sent it to you. If he used your public key, you would have still been able to read the other guy's info. They just need to be more careful, and build a sanity check into their system to prevent screwups I guess.

 

[TwiceOver]

Yahoo email? There's your first mistake.

 

[SunnyD]

Yahoo email? There's your first mistake.

I use it as mostly a junk account these days, but I have some legacy things tied to it which are difficult to change contact emails for.

Really, the problem as I see it isn't the email service either. It's the "partner" services that are tied in (which appears to be the source of the breach). Of course Google, Microsoft, Apple, etc. all have similar affiliate services and would be subject to similar issues.

 

[silverpig]

I had a similar thing happen with me and my government student loans account.

I subscribed to transunion's online credit monitoring service and they notified me of a change in score because of a change in address. I logged on and corrected the mistake, but found that the government had reported my address to be changed from what it actually is.

So I logged in to my government student loans account and found all of my information had changed - name, address, email, phone.

It seems what happened was a CSR was dealing with me a while back for a routine inquiry and had my account open. I guess they didn't close it when dealing with someone else and must have pasted that person's information into my account view by mistake.

I contacted the government and let them know - they apparently launched an investigation as to the cause.

I also emailed the other person to let them know that there was a mistake and that they should check their account online. Never heard from them though.