A database of 2.8 million records containing sensitive information about hundreds of thousands of CenturyLink customers was left open online for anyone with internet access to see. The records were logs from a third-party notification platform used by CenturyLink. They included several pieces of personal information, including name, email address, phone number and address, along with account-specific information.
CenturyLink is a Fortune 500 technology company that provides residential, business, and enterprise customers with a variety of products and services, including internet, phone, cable TV, cloud solutions, and security.
Comparitech discovered the exposed MongoDB database in collaboration with security researcher Bob Diachenko. The discovery was made on September 15th, 2019, and Diachenko notified CenturyLink that same day, but by then the database had already been exposed for many months. As of September 17th, it had been closed.
After we alerted CenturyLink and gave them time to resolve the issue, they asked us to hold off on publishing this report so that CenturyLink could conduct an internal investigation and refer the matter to the FCC before notifying its customers.
The database comprised API logs with customer information and contained more than 2.8 million records in total. Because some customers were the subject of multiple records, the estimated number of customers affected is much lower, but still in the hundreds of thousands.
CenturyLink gave Comparitech the following statement:
Since becoming aware of this situation, we have worked to confirm that the security issue has been addressed and we are conducting a thorough investigation of the incident. The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised. CenturyLink is in the process of communicating with the affected customers. We will continue to work to protect customer information. CenturyLink takes the protection of our customers’ information seriously, and we will work to ensure that we earn our customers’ trust.
Timeline of the data leak
The MongoDB database was made publicly available such that no authentication was required to access it. Here’s what we observed:
- November 17th, 2018: The database was first indexed on Shodan.
- September 15th, 2019: Security researcher Bob Diachenko discovered the exposed database. He immediately contacted CenturyLink.
- September 17th, 2019: The database had been closed.
- October 17th, 2019: We received notification that the FCC investigation had concluded.
It appears the database was exposed for around 10 months before it was closed to the public. That is more than ample time for malicious parties to find it and use the data in various schemes.
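The exposure described in this timeline comes down to two mongod settings: the server listened on a public interface, and it ran with authorization disabled, so any client that could reach port 27017 could read everything. The following audit script is an added example, not code from the original report, from CenturyLink or from its vendor. It parses the small YAML subset that mongod.conf uses and flags those two settings. Both configurations embedded in it are constructed for illustration (the internal address 10.0.0.5 and the paths are assumptions), not the vendor's actual configuration.

```python
"""Audit a mongod.conf for the two settings that expose a MongoDB instance to
the whole internet: binding to every interface and running without
authorization. Added example; the configs below are constructed, not real.

Only the YAML subset mongod.conf actually uses (nested `key: value` blocks,
two-space indentation, `#` comments) is parsed, so no PyYAML dependency.
Values containing a literal '#' are not supported by this simple parser.
"""

# Constructed example of the weak configuration (not the vendor's real file).
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any host
security:
  authorization: disabled
"""

# Constructed hardened counterpart; 10.0.0.5 is an assumed internal address.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal interface only
security:
  authorization: enabled       # create an admin user via the localhost exception first
"""

# Addresses that mean "every interface" for IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "::"}


def parse_simple_yaml(text):
    """Parse an indented `key: value` YAML subset into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, container at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")  # first colon only
        value = value.strip()
        while indent <= stack[-1][0]:  # climb out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a nested block starts here
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    conf = parse_simple_yaml(text)
    findings = []

    net = conf.get("net", {})
    bind = net.get("bindIp")
    bind_all = str(net.get("bindIpAll", "")).lower() == "true"
    addrs = [a.strip() for a in bind.split(",")] if bind else []
    if bind_all or any(a in WILDCARD_ADDRS for a in addrs):
        findings.append("net.bindIp: listens on all interfaces; "
                        "bind to loopback or an internal address instead")
    elif bind is None and "bindIpAll" not in net:
        # mongod before 3.6 bound to every interface when bindIp was absent;
        # 3.6 and later default to localhost. Flag it so the version is checked.
        findings.append("net.bindIp: not set; mongod < 3.6 binds all interfaces by default")

    authz = str(conf.get("security", {}).get("authorization", "disabled")).lower()
    if authz != "enabled":
        findings.append("security.authorization: not enabled; any client that "
                        "can reach the port has full read/write access")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or 'no findings'}")
```

Run it against a real mongod.conf by reading the file into `audit_mongod_conf`. The hardened config still leaves one step to the operator: with `authorization: enabled` the first admin user must be created through the localhost exception before remote clients can connect at all.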
What information was exposed?
The exposed MongoDB database belonged to a third-party vendor: a multi-channel notification platform used for internal and external communications, for example between customers, technicians and agents.
The data exposed was API logs of those communications. The customer records were stored in plain text (not encrypted) and held the following data:
- Email address
- Phone number
- Physical address
- CenturyLink account number
- Notification logs
- Conversation logs
Among other data, there was information about which CenturyLink services each customer subscribed to, for example broadband or home security. It is unclear whether the subjects were residential or business customers, but based on the addresses, it appears that most, if not all, are residential.
Dangers of data exposure to CenturyLink customers
The personal information exposed in the database isn’t considered highly sensitive in nature. For example, there is no banking information or Social Security numbers. That being said, a set of information such as a person’s name, email address, phone number, and mailing address can be very valuable to criminals.
CenturyLink customers should look out for targeted phishing schemes and related scams that could be carried out over email, phone, or even mail. Knowing that you’re a CenturyLink customer and in particular which services you subscribe to, a fraudster could convincingly pose as a company representative in an attempt to get you to hand over additional information such as your account password or credit card number.
The account information seems fairly harmless on the surface. However, given how long the database was exposed, malicious parties may have had the opportunity to track individual customers over time. The information in the logs could even assist in physical crimes: for example, knowing that a technician is scheduled to visit could give a criminal an opening to try to enter a person's home.