Fresh on the heels of a disclosure that Microsoft Corp. leaked internal customer support data to the Internet, mobile provider Sprint has addressed a mix-up in which posts to a private customer support community were exposed to the Web.
KrebsOnSecurity recently contacted Sprint to let the company know that an internal customer support forum called “Social Care” was being indexed by search engines, and that several months worth of postings about customer complaints and other issues were viewable without authentication to anyone with a Web browser.
A redacted screen shot of one Sprint customer support thread exposed to the Web.
A Sprint spokesperson responded that the forum was indeed intended to be a private section of its support community, but that an error caused the section to become public.
“These conversations include minimal customer information and are used for frontline reps to escalate issues to managers,” said Lisa Belot, Sprint’s communications manager.
A review of the exposed support forum by this author suggests that while none of the posts exposed customer information such as payment card data, a number of them did include customer account information, such customer names, device identifiers and in some cases location information.
Perhaps more importantly for Sprint and its customers, the forum also included numerous links and references to internal tools and procedures. This sort of information would no doubt be of interest to scammers seeking to conduct social engineering attacks against Sprint employees as way to perpetrate other types of fraud, including unauthorized SIM swaps or in gleaning more account information from targeted customers.
