Vodafone My Account login flaw puts emails and numbers at risk

A security flaw in the My Account login system of the Vodafone website left email addresses and possibly phone numbers at risk. The issue has now been fixed.

It was found last week that if you went to the company's My Account login page and clicked on a link to get a reminder of a username or password, you could obtain private email addresses if you typed in the associated username or phone number. Customers on the company's user forum also reported numbers being revealed.

A script which tried random usernames and numbers could easily have harvested these emails for spamming purposes. Some Vodafone forum users tried to test this simply by typing the user names of other forum users, and found their private email addresses were revealed.

Vodafone eventually took the offending page down because of the issue, although some forum members were concerned about the length of time it took for the company to do this. Some even said they had reported the incident to the Information Commissioner's Office as they viewed it a serious security breach.

In a statement today, a Vodafone spokesperson said a "small number" of customers had been in touch to report an increase in spam and other unsolicited emails, which they believed was due to this problem.

"Hopefully you'll have seen that the issue reported last week regarding the login reminder page for My Account has now been resolved and the site is working as normal," he said. "Thank you again to customers who flagged this to us and have supported us as we sorted this out.

"We also want to apologise to those people who may have been concerned due to the site's previous functionality. We fully appreciate the seriousness of this issue to customers but you can rest assured that no unauthorised access to your My Account data would have been possible at any time."