Dodgy Windows Phone app pulled from Microsoft store after telco customers' details leak online
A dodgy Windows Phone app has been booted out of the Microsoft store after leaking the personal information of customers of Dutch telco Telfort.
The KPN subsidiary shut down the My Telfort section of its website — where customers can edit their personal information and change their tariffs — after being informed by a customer that the passwords and phone numbers of over one thousand Telfort customers had been posted online.
However, after a brief internal investigation into the leak, first reported this week by Dutch newspaper De Gelderlander, Telfort restored My Telfort. The telco released a statement claiming that the information had surfaced not because of a breach of its systems, but because users had entered their details into a malicious app that was masquerading as a genuine Telfort product.
The fraudulent app, which had been listed in the Windows Phone Store, was using the Telfort logo and asked Telfort users to check their subscription status by enter their login information.
"The My Telfort section was temporarily shut down as a preventative measure, after the company received a tip that customer details were listed on an external website… After an internal investigation, it was found the leak concerned information entered by customers into an external fraudulent app, downloaded from the Windows Store," Telfort's parent company KPN said in a statement.
"The access to My Telfort was proactively blocked for the affected customers. These customers will each be contacted shortly to reinstate their access to the My Telfort environment. Microsoft has notified Telfort that it will remove the app from the store as soon as possible, since the scheme used by the app developers is a clear violation of the general terms and conditions of the Windows App Store."
The Telfort incident is not the first time a fake app was released to trick telco customers into providing sensitive information. The same app developer appeared to also have released a similar app for KPN customers; however, KPN says the app was not used to leak login details.
Telfort is considering taking legal actions against the app's creator, but said it first wants to investigate why the customer details were collected. The telco has reminded users on its website never to download and use unofficial apps (although it doesn't specify how consumers can distinguish official app from a forged one).