Verizon confirmed to CNN Tech on Wednesday that personal data from 6 million of its customers has leaked online.
CNN Tech reported that the security problem was first detected by research from a cybersecurity firm called UpGuard.
UpGuard found that Verizon experienced a misconfigured security setting on one of its cloud servers due to “human error.”
The flaw reportedly made customer names, phone numbers, and some PIN codes publicly visible online.
PIN codes are used to confirm the identity of individuals calling customer service, according to CNN Tech.
Verizon told CNN Tech that no customer information had been lost or stolen during the security gap.
Some Twitter users on Wednesday criticized Verizon over the error, which UpGuard reportedly alerted it to on June 13.
Hey @verizon you gonna charge us up the ass just to leak our info?😂— Eric (@edaragon22) July 12, 2017
Verizon alerted of leak on 6/13. Took 9 days to fix. Customers were never told. Tough to believe any damage control pr a month later— Alan Pedersen (@apeders40) July 12, 2017
Verizon reportedly closed the security hole on June 22, meaning data it collected from customers over the last six months was visible online for nine days.
UpGuard researcher Chris Vickery purportedly noticed that NICE Systems, an Israel-based company Verizon was working with to facilitate customer service calls, was behind the gap.
NICE made a security setting public rather than private on an Amazon S3 storage server used for keeping data in the cloud.
Verizon’s affected on the cloud was subsequently temporarily visible to anyone who had a public link to the server, according to CNN Tech.
CNN Tech additionally reported that UpGuard analyzed a sample of Verizon’s data and discovered that some PIN codes were hidden while others were visible next to phone numbers.
Dan O’Sullivan, a Cyber Resilience Analyst at UpGuard, said Verizon customers should update their PIN codes and not use the same version twice.
Exposed PIN codes can help scammers access someone’s phone service, he added, if they convince a customer service agent they are an account holder on the service.