Tell me everything about me. (Image: BuzzFeed)

Since April 22, a website programming error has been responsible for exposing the personal information of up to nine million Verizon broadband customers.

BuzzFeed News reported a vulnerability in Verizon’s account portal allowed anyone capable of spoofing an IP address of a current customer to get instant access to account information and arrange a password reset to take full control of the customer’s account.

BuzzFeed was able to verify the vulnerability with the help of cooperating Verizon customers and immediately notified Verizon about the problem before publishing the story. The vulnerability has since been corrected, but not before three weeks of ‘open access’ to Verizon customer account information to those proficient at manually changing their IP address:

Within a few hours of the tip, and despite having no technical background, with the explicit permission of several Verizon account holders, I was able to convince Verizon customer service to reset an account password, giving me total control of a Verizon account. It was surprisingly easily done.

It took me only two downloads, copy and pasting some information from an email, and a few interactions with Verizon customer support. It was just a matter of following step-by-step instructions. In other words, if you can follow a recipe, you could have probably gotten a Verizon password reset.

[…] These pieces of information — name, telephone numbers, and email — were all I needed (and more frighteningly, all a malicious hacker would have needed) to convince Verizon customer service that I was a customer in need of a password reset.

Even worse, customer support gave me that reset information despite the customer having a security PIN set up.

With that information, a hacker could gain enough personal insight to trick other businesses into giving up additional personal information.

“Once it was brought to our attention, our experts immediately investigated the issue and repaired the error within hours,” a Verizon spokesperson told BuzzFeed. “We appreciate the responsible manner in which Buzzfeed brought this matter to our attention. Addressing issues like this collaboratively is a constructive addition to our continuous actions to safeguard the security of customers’ information.”

Verizon hoped to reassure customers the security damage was minimal, telling BuzzFeed. “We have no reason to believe that any customers were impacted by this, other than those who’s information was used by Buzzfeed. If we discover that any were, we will contact them directly.”