Hundreds of thousands of CenturyLink customers’ personal information reportedly was exposed online in a database that’s since been closed.
The records making up the database were logs from a third-party notification platform used by CenturyLink. In all, 2.8 million records were exposed in the CenturyLink data leak, according to a Comparitech report,
The personal information included names, email addresses, phone numbers and physical addresses, along with account-specific information.
Comparitech said it discovered the exposed MongoDB database in collaboration with security researcher Bob Diachenko on Sept. 15. Diachenko notified CenturyLink that day, but the database already had been exposed for many months by that point. It was closed as of Sept. 17.
CenturyLink spokesman Mark Molzen sent Channel Partners the following statement:
“Since becoming aware of this situation, we have worked to confirm that the security issue has been addressed and we are conducting a thorough investigation of the incident. The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised. CenturyLink is in the process of communicating with the affected customers. We will continue to work to protect customer information. CenturyLink takes the protection of our customers’ information seriously, and we will work to ensure that we earn our customers’ trust.”
The database appears to have been exposed for 10 months, according to Comparitech.
CenturyLink referred the matter to the Federal Communications Commission (FCC) before notifying its customers, and the Commission this week said it has concluded its investigation.