Bitterwallet reader stumbles upon 80,000 name 3 Mobile database

March 26th, 2009 49 Comments By Andy Dawson

We’re never surprised by the myriad of ways in which various large, so-called professional organisations misuse the personal information of their customers. You know, ordinary folk like you, us, that man over there in the hat, that woman with the wonky eye and that strange tall chap in the corner who looks like he wants to be sick.

It’s only gone and happened again and the guilty party this time are 3 Mobile. We’ve received an email from Bitterwallet reader Dan who told us how with a smidgeon of curiosity, some basic snooping and a few clicks of his mouse, he’d found himself staring at a 3 database containing almost 80,000 names and addresses of UK citizens.

[Image: excerpt of the list]

We’ve seen the list ourselves (excerpt above) and it’s for real. We don’t know if the people on it are 3 customers but we assume they are. Likewise, we’re not going to tell you how Dan found the list or how you can see it – that would be insane as it is literally an identity thief’s paradise.

We’ve alerted 3 and hopefully they’re working hard to secure the leak – you know, a spot of encryption, maybe just a password, anything really that might stop any one of us from looking at the names and addresses of 79,035 people. The bloody idiots.

Once we’ve heard that they’ve plugged the leak, we’ll update this one and let you know just how childishly simple it was to get to see such a vast and supposedly confidential database.

EDIT: Update to story HERE…

Comments (49)
  1. Where is this again? :P

  2. Posted by Tom March 26, 2009 at 9:28 am

    Could be another BNP members list, instead of 3 customers data base.

  3. Posted by Garry March 26, 2009 at 9:34 am

    You should have definitely blackmailed them with going to The Sun. “Give ME £100k, or my story goes to The Sun! Muahahahaha!”

  4. Posted by Stolendiagram March 26, 2009 at 10:12 am

    If this rumored “list” is indeed true, then 3 would be liable for a fairly massive lawsuit on account of their customers (including me) wanting to file said lawsuit against them.

    Bitterwallet reader “Dan” would be most irresponsible for informing this site of such a list, and this site would be most selfish to brag about being informed of it, when there are plenty of concerned 3 customers out there who might have just had their personal details compromised!

  5. We’ve emailed 3’s press people about it last night and as of 10.15am this morning, the database is still accessible.

    We’ve revealed nothing that would show people how to get to see the database. We’ll do that once they’ve plugged the leak.

  6. Posted by Stolendiagram March 26, 2009 at 10:25 am

    How considerate of you.

    At least you got to scan your beady little eyes over the details, presumably before you found a free minute or two over wanking over a pot noodle or whatever it is that you do with your days to let 3 know of this.

    This is bullshit of the purest form!

  7. Posted by Stolendiagram March 26, 2009 at 10:27 am

    And who exactly moderates these posts? A lame monkey?

  8. Posted by Paul Nikkel March 26, 2009 at 10:28 am

    I’d suggest saving your anger for Three if they don’t fix this asap…

  9. Posted by magicjay March 26, 2009 at 10:33 am

    Stolendiagram – quite the potty mouth, aren’t you?!
    Let us just wait for a response. BW have not done anything wrong here.
    Great article.

  10. Posted by Fred East March 26, 2009 at 10:34 am

    Mr Diagram, why so angry? You got some details on your 3 account that you don’t want Bitterwallet to know about? All those chatlines you’ve been calling for example?

  11. Posted by Stolendiagram March 26, 2009 at 10:36 am

    Strangely enough no, I’m more concerned about my phone number and address being used for unscrupulous purposes

  12. Posted by -=Mike Hock=- March 26, 2009 at 10:48 am

    Stolendiagram – What if ‘Dan’ hadn’t brought this to anyone’s attention? BW have actually done something about it before anyone can potentially use/abuse the information it contains, I see this as quite responsible. Oh, I want my diagram back you thief!

  13. Posted by Stolendiagram March 26, 2009 at 10:56 am

    Chances are, if BW hadn’t reported it (and ultimately not had the decency to post “na na na naaaa, we’ve got a list of private details, we’ll tell you how easy it is to access but only after we’ve taken our fill and 3 have fixed the shit”) then it would end up being reported to a news body, such as one of the papers or the BBC.

  14. We’re talking to two newspapers about covering the story at the moment. They increasingly use blogs like this as sources you know. Are we not acting responsibly by withholding the info about how to access the database?

    Maybe you should be on the phone to 3 yourself, insisting they look into this. We’ve contacted them and they’ve done nothing to plug the leak yet.

  15. Posted by -=Mike Hock=- March 26, 2009 at 11:03 am

    … same difference innit?…

  16. Posted by Stolendiagram March 26, 2009 at 11:13 am

    Oh believe me, 3 will be finding out just how angry I am regarding this, surely this goes against the contract I signed – what do I direct them to however in terms of proof to support my claim?

    And you probably are acting responsibly by withholding the info, were you acting responsibly however when you read the list, realising what it was? How do any of us know what you intend to do with it? You said it yourself “an identity thief’s paradise”!

  17. @Andy, if the list is as easily accessible as you say then I’m fairly sure someone looking for such flaws will appreciate the tip-off and be able to find the same loop-hole pretty damn quickly and pilfer any useful information.

    It’s like telling a burglar there’s an unprotected house full of valuable goods on ‘Brookside close’ but you’re not going to tell them which house it is. How long do you think it’d take them?

  18. Chaps, we assumed that, as we contacted them with a heads-up last night, that the gimps at 3 would have plugged this leak at some point before, let’s see, what time is it now, ah… 11.17am this morning. Unbefuckinglievable.

  19. Posted by Full Disclosure as a Last Resort March 26, 2009 at 11:21 am

    Chris – then Three should fix it ASAP. They were informed about it yesterday, the hole should’ve been closed at 09:05am today.

    If it still isn’t fixed later today then full disclosure is the best way to get a company to take notice and sort the problem out (such as when Be* internet refused to close the backdoor in their routers).

  20. LATEST: Just heard from 3 and their investigations team are looking into the leak now. Should be plugged very shortly we’d expect.

  21. @Full Disclosure as a Last Resort

    that’s assuming the fix is a 5min job, which I doubt. I suspect it’s a SQL injection ‘hole’ which is the result of poor coding, but can be a pain to fix depending where their system is. What 3 should have done is turn off the website to public access until a plug was found.

  22. Posted by The dude from 3 Andy D contacted March 26, 2009 at 11:33 am

    Hi BW, we’ll fix the loophole backdoor thing when we can be arsed and when we’ve finished our breakfast, it’s also Thursday, so we were out last night and can’t see too well, so it might take a bit longer than usual, expect it to be done about next Tuesday afternoon. Thanks guys.

    P.S. Don’t tell anyone bout this will you?

  23. Posted by Mike Hock March 26, 2009 at 11:35 am

    Thanks Chris for letting us know you’re such a bell end with your technical know-how, but we already knew you were a bell, thx bai

  24. Posted by Mike Hock March 26, 2009 at 11:35 am

    Aww Andy!

  25. Posted by Lumoruk March 26, 2009 at 11:37 am

    Don’t worry andy I support you, these will teach the f**kers for using 3 ;)

  26. Posted by Stolendiagram March 26, 2009 at 11:41 am

    Sadly I wasn’t too aware of 3 and their epic fail network coverage before I signed up for a 12 month contract with them – I was, at the time trying to work out why they wanted to give me a free phone (nokia 6500 slide) unlimited texts and 600 mins.

    Now that I know better, I won’t be going back to them again when my contract expires next month.

  27. @Mike

    Love you too, big hugs! x

  28. Posted by Song bilong March 26, 2009 at 11:57 am

    Anyone reported this to the Information Commissioner’s Office? http://www.ico.gov.uk/complaints.aspx

  29. Posted by acecatcher3 March 26, 2009 at 12:05 pm

    lol what have i missed here!!!! if ur in the big papers and u have to do an interview, can u name drop me andy thanks.

  30. Wow! this is crazy…
    i usually dont tell u guys off :)
    But I think u guys should tell 3 and give them more time before posting it here.
    A lot of hackers will try to do the same thing and I am sure things can get complicated really quick.
    Now, do the right thing and pull this post out before you guys do any more damage. I love your bitching about dead shopping carts.

  31. Posted by acecatcher3 March 26, 2009 at 12:07 pm

    omg this is great stuff, andy this is ur best article, u must b quite excited!!!!

    well done dan for stopping it also!! keep us updated, any more news???

  32. Posted by rash March 26, 2009 at 12:09 pm

    i suspect the search bar of 3 is executing PL-SQL code

  33. Posted by acecatcher3 March 26, 2009 at 12:10 pm

    well done dan for spotting it, not stopping lol

  34. Posted by Mike Hock March 26, 2009 at 12:26 pm

    Yeah me too Andy as ace has pointed out, if you do an interview can you quote me too? Something like… “Mike Hock is huge on BW” or “I think Mike Hock has a massive purple helmet” or the “ladies love Mike Hock” or “I walked into BW office one day and slapped Mike Hock on the desk” or “I have lots of pictures of Mike Hock” something like that yeah?

    Love you too Chris, ‘thumb up’ ‘wink’ and also ‘gunslinger type point’ whilst grinning

  35. Posted by Lumoruk March 26, 2009 at 12:28 pm

    @acecatcher…kiss arse, btw I’ve joined the suspended clique

  36. Posted by Full Disclosure as a Last Resort March 26, 2009 at 12:31 pm

    Chris, when I said the “hole should’ve been closed at 09:05” I meant that the db should’ve just been shut down whilst it was investigated. That would be the responsible response once you are alerted to the problem. Patching it can come later at their own leisure.

    I guess we agree, you just took my post to mean something different.

  37. Looks like the offending folder and files have finally been removed, although they can still be accessed if you’ve got a direct link URL. More soon….

  38. Posted by acecatcher3 March 26, 2009 at 12:44 pm

    lumoruk, bad times, just b good when u come bk, i dont even know what it was for, im not suspended tho am i lol!!

    lol mike i asked first :@

    no more news on this andy or paul…or vince if ur there???

    also paul im sure ull read this as this is quite a big article for the site, please contact me thru my hotmail plz bout hukd.

  39. Posted by acecatcher3 March 26, 2009 at 12:45 pm

    damn just seen ur reply andy lol soz

  40. Posted by Mark March 26, 2009 at 12:53 pm

    more reasons to think that 3 are the worst mobile operator out there, this should definitely be reported to the Information commission who I am sure will see this as a serious breach of data protection laws and confidentiality.

  41. Posted by WBRacing March 26, 2009 at 12:59 pm

    80,000? That’s nothing! I have the names and addresses of hundreds of thousands of people at home. I call it, a phone book. :D

  42. Posted by Dave T March 26, 2009 at 1:20 pm

    If it’s just names and addresses what is the problem – once again you have a shit story bitter wallet – set of tossers

  43. Posted by Mark March 26, 2009 at 1:41 pm

    Personally I don’t want my name and address given out to anyone (which is why like many people I opt out of phone books) and secondly they are breaking the law, what they have done is straight out illegal under data protection laws as this information has to be encrypted and stored securely, so yes it is a big deal and a very worthy story for BW.

  44. Pingback

    3 hide their customer database again. Sensible really. | BitterWallet

  45. Posted by btw March 26, 2009 at 2:57 pm

    lol the details are still all over the google cache. In the wrong hands money could be made selling these details on.

  46. Posted by Mike P March 26, 2009 at 4:56 pm

    Looking at the data blacked out, I’m guessing at worst it’s just names and addresses, not mother’s maiden names, blood types, religious beliefs and bra sizes. I can go to my local council and get 10 times that amount from the electoral register! And anyway, I’m sure most of the people on here harping on about data protection are the same idiots that leave their unshredded bank statements and mobile phone bills in a black sack on their doorstep. What a pile of crap!

  47. Posted by Paul Nikkel March 26, 2009 at 4:59 pm

    Comes down to what you control or knowingly give as public info though Mike P. If you choose to be included on the electoral register (you can select to remain anonymous you know) then you have chosen to give that info out. Likewise if you choose to be in a public phone listing.

    When you give your data to a company, in this case it appears to be marketing, it is under the assumption that it is to be used “privately” by that company and not in the public domain.

  48. Posted by Paul Nikkel March 26, 2009 at 5:00 pm

    BTW there was more info on each line than name and address. There were some references and codes which are likely internal Three data? No idea. But that’s kind of the point…

  49. Pingback

    A pinch of curiosity, a few clicks of a mouse and hoorah! Access to 3 Mobile's database and 80,000 personal details! | Gaj-It.com - UK Gadget and Tech News, Reviews and Shopping
