Greetings. This message is basically a heads-up warning. I have discovered a serious and easily exploited security flaw in the operations of a major commercial Web services provider, which exposes the street address and/or billing address information for (apparently) a very large proportion of U.S. landline phone numbers, even if those numbers are unlisted.
While such "reverse lookups" for listed numbers are common, unlisted number information is supposedly held to the highest security standards of telephone company customer premises information -- though third-party mining of this data has been of increasing concern. How this unlisted number data has found its way into this publicly accessible database is a very interesting question indeed.
Most people must pay extra for unlisted numbers, and often have them for security reasons. With numbers so widely exposed by calling number identification systems (CNID) and in the course of routine business transactions, the easy availability of the addresses associated with these unlisted numbers is a very serious matter.
I am still attempting to reach responsible parties at the firm involved. I will not expose the technique for obtaining these addresses here and now for obvious reasons, but I will consider providing more details upon request to bona fide security experts and media -- under appropriate confidentiality guidelines to protect this data until the breach has been closed.
Blog Update (December 20, 2007): Psst! Wanna Know the Street Address for an Unlisted Number?