Bitterwallet reader stumbles upon 80,000-name 3 Mobile database

26 March 2009

We’re never surprised by the myriad of ways in which various large, so-called professional organisations misuse the personal information of their customers. You know, ordinary folk like you, us, that man over there in the hat, that woman with the wonky eye and that strange tall chap in the corner who looks like he wants to be sick.

It’s only gone and happened again and the guilty party this time are 3 Mobile. We’ve received an email from Bitterwallet reader Dan who told us how with a smidgeon of curiosity, some basic snooping and a few clicks of his mouse, he’d found himself staring at a 3 database containing almost 80,000 names and addresses of UK citizens.

We’ve seen the list ourselves (excerpt above) and it’s for real. We don’t know if the people on it are 3 customers but we assume they are. Likewise, we’re not going to tell you how Dan found the list or how you can see it – that would be insane as it is literally an identity thief’s paradise.

We’ve alerted 3 and hopefully they’re working hard to secure the leak – you know, a spot of encryption, maybe just a password, anything really that might stop any one of us from looking at the names and addresses of 79,035 people. The bloody idiots.

Once we've heard that they've plugged the leak, we'll update this one and let you know just how childishly simple it was to get to see such a vast and supposedly confidential database.

EDIT: Update to story HERE...


49 comments

  • Jakg
    Where is this again? :P
  • Tom
    Could be another BNP members list, instead of 3 customers data base.
  • Garry
    You should have definitely blackmailed them with going to The Sun. "Give ME £100k, or my story goes to The Sun! Muahahahaha!"
  • Stolendiagram
    If this rumored "list" is indeed true, then 3 would be liable for a fairly massive lawsuit on account of their customers (including me) wanting to file said lawsuit against them. Bitterwallet reader "Dan" would be most irresponsible for informing this site of such a list, and this site would be most selfish to brag about being informed of it, when there are plenty of concerned 3 customers out there who might have just had their personal details compromised!
  • Andy D.
    We've emailed 3's press people about it last night and as of 10.15am this morning, the database is still accessible. We've revealed nothing that would show people how to get to see the database. We'll do that once they've plugged the leak.
  • Stolendiagram
    How considerate of you. At least you got to scan your beady little eyes over the details, presumably before you found a free minute or two over wanking over a pot noodle or whatever it is that you do with your days to let 3 know of this. This is bullshit of the purest form!
  • Stolendiagram
    And who exactly moderates these posts? A lame monkey?
  • Paul Nikkel EDITOR
    I'd suggest saving your anger for Three if they don't fix this asap...
  • magicjay
    Stolendiagram - quite the potty mouth, aren't you?! Let us just wait for a response. BW have not done anything wrong here. Great article.
  • Fred E.
    Mr Diagram, why so angry? You got some details on your 3 account that you don't want Bitterwallet to know about? All those chatlines you've been calling for example?
  • Stolendiagram
    Strangely enough no, I'm more concerned about my phone number and address being used for unscrupulous purposes.
  • -=Mike H.
    Stolendiagram - What if 'Dan' hadn't brought this to anyone's attention? BW have actually done something about it before anyone can potentially use/abuse the information it contains, I see this as quite responsible. Oh, I want my diagram back you thief!
  • Stolendiagram
    Chances are, if BW hadn't reported it (and ultimately not had the decency to post "na na na naaaa, we've got a list of private details, we'll tell you how easy it is to access but only after we've taken our fill and 3 have fixed the shit") then it would end up being reported to a news body, such as one of the papers or the BBC.
  • Andy D.
    We're talking to two newspapers about covering the story at the moment. They increasingly use blogs like this as sources you know. Are we not acting responsibly by withholding the info about how to access the database? Maybe you should be on the phone to 3 yourself, insisting they look into this. We've contacted them and they've done nothing to plug the leak yet.
  • -=Mike H.
    ... same difference innit?...
  • Stolendiagram
    Oh believe me, 3 will be finding out just how angry I am regarding this, surely this goes against the contract I signed - what do I direct them to however in terms of proof to support my claim? And you probably are acting responsibly by withholding the info, were you acting responsibly however when you read the list, realising what it was? How do any of us know what you intend to do with it? You said it yourself "an identity thief's paradise"!
  • Chris H.
    @Andy, if the list is as easily accessible as you say then I'm fairly sure someone looking for such flaws will appreciate the tip-off and be able to find the same loop-hole pretty damn quickly and pilfer any useful information. It's like telling a burglar there's an unprotected house full of valuable goods on 'Brookside close' but you're not going to tell them which house it is. How long do you think it'd take them?
  • Andy D.
    Chaps, we assumed that, as we contacted them with a heads-up last night, that the gimps at 3 would have plugged this leak at some point before, let's see, what time is it now, ah... 11.17am this morning. Unbefuckinglievable.
  • Full R.
    Chris - then Three should fix it ASAP. They were informed about it yesterday, the hole should've been closed at 09:05am today. If it still isn't fixed later today then full disclosure is the best way to get a company to take notice and sort the problem out (such as when Be* internet refused to close the backdoor in their routers).
  • Andy D.
    LATEST: Just heard from 3 and their investigations team are looking into the leak now. Should be plugged very shortly we'd expect.
  • Chris H.
    @Full Disclosure as a Last Resort that's assuming the fix is a 5min job, which I doubt. I suspect it's a SQL injection 'hole' which is the result of poor coding, but can be a pain to fix depending where their system is. What 3 should have done is turn off the website to public access until a plug was found.
  • The c.
    Hi BW, we'll fix the loophole backdoor thing when we can be arsed and when we've finished our breakfast, it's also Thursday, so we were out last night and can't see too well, so it might take a bit longer than usual, expect it to be done about next Tuesday afternoon. Thanks guys. P.S. Don't tell anyone bout this will you?
  • Mike H.
    Thanks Chris for letting us know you're such a bell end with your technical know-how, but we already knew you were a bell, thx bai
  • Mike H.
    Aww Andy!
  • Lumoruk
    Don't worry andy I support you, these will teach the f**kers for using 3 ;)
  • Stolendiagram
    Sadly I wasn't too aware of 3 and their epic fail network coverage before I signed up for a 12 month contract with them - I was, at the time trying to work out why they wanted to give me a free phone (nokia 6500 slide) unlimited texts and 600 mins. Now that I know better, I won't be going back to them again when my contract expires next month.
  • Chris H.
    @Mike Love you too, big hugs! x
  • Song b.
    Anyone reported this to the Information Commissioner's Office? http://www.ico.gov.uk/complaints.aspx
  • acecatcher3
    lol what have i missed here!!!! if ur in the big papers and u have to do an interview, can u name drop me andy thanks.
  • tino
    Wow! this is crazy... i usually dont tell u guys off :) But I think u guys should tell 3 and give them more time before posting it here. A lot of hackers will try to do the same thing and I am sure things can get complicated really quick. Now, do the right thing and pull this post out before you guys do any more damage. I love your bitching about dead shopping carts.
  • acecatcher3
    omg this is great stuff, andy this is ur best article, u must b quite excited!!!! well done dan for stopping it also!! keep us updated, any more news???
  • rash
    i suspect the search bar of 3 is executing PL-SQL code
  • acecatcher3
    well done dan for spotting it, not stopping lol
  • Mike H.
    Yeah me too Andy as ace has pointed out, if you do an interview can you quote me too? Something like... "Mike Hock is huge on BW" or "I think Mike Hock has a massive purple helmet" or the "ladies love Mike Hock" or "I walked into BW office one day and slapped Mike Hock on the desk" or " I have lots of pictures of Mike Hock" something like that yeah? Love you too Chris, 'thumb up' 'wink' and also 'gunslinger type point' whilst grinning
  • Lumoruk
    @acecatcher...kiss arse, btw I've joined the suspended clique
  • Full R.
    Chris, when I said the "hole should've been closed at 09:05" I meant that the db should've just been shut down whilst it was investigated. That would be the responsible response once you are alerted to the problem. Patching it can come later at their own leisure. I guess we agree, you just took my post to mean something different.
  • Andy D.
    Looks like the offending folder and files have finally been removed, although they can still be accessed if you've got a direct link URL. More soon....
  • acecatcher3
    lumoruk, bad times, just b good when u come bk, i dont even know what it was for, im not suspended tho am i lol!! lol mike i asked first :@ no more news on this andy or paul...or vince if ur there??? also paul im sure ull read this as this is quite a big article for the site, please contact me thru my hotmail plz bout hukd.
  • acecatcher3
    damn just seen ur reply andy lol soz
  • Mark
    more reasons to think that 3 are the worst mobile operator out there, this should definitely be reported to the Information commission who I am sure will see this as a serious breach of data protection laws and confidentiality.
  • WBRacing
    80,000? That's nothing! I have the names and addresses of hundreds of thousands of people at home. I call it, a phone book. :D
  • Dave T.
    If it's just names and addresses what is the problem - once again you have a shit story bitter wallet - set of tossers
  • Mark
    Personally I don't want my name and address given out to anyone (which is why like many people I opt out of phone books) and secondly they are breaking the law, what they have done is straight out illegal under data protection laws as this information has to be encrypted and stored securely, so yes it is a big deal and a very worthy story for BW.
  • 3 B.
    [...] on from our earlier story where we revealed how the personal details of almost 80,000 3 Mobile customers could easily be [...]
  • btw
    lol the details are still all over the google cache. In the wrong hands money could be made selling these details on.
  • Mike P.
    Looking at the data blacked out, I'm guessing at worst it's just names and addresses, not mother's maiden names, blood types, religious beliefs and bra sizes. I can go to my local council and get 10 times that amount from the electoral register! And anyway, I'm sure most of the people on here harping on about data protection are the same idiots that leave their unshredded bank statements and mobile phone bills in a black sack on their doorstep. What a pile of crap!
  • Paul Nikkel EDITOR
    Comes down to what you control or knowingly give as public info though Mike P. If you choose to be included on the electoral register (you can select to remain anonymous you know) then you have chosen to give that info out. Likewise if you choose to be in a public phone listing. When you give your data to a company, in this case it appears to be marketing, it is under the assumption that it is to be used "privately" by that company and not in the public domain.
  • Paul Nikkel EDITOR
    BTW there was more info on each line than name and address. There were some references and codes which are likely internal Three data? No idea. But that's kind of the point...
