Yota - or how you can find out everything

All actions in this article are for informational purposes only. All characters in this work are fictitious; any resemblance to real people is coincidental.

Introduction


It all started when I read these articles about MegaFon:

  1. How MegaFon slept on mobile subscriptions
  2. "Mobile content" for free, without SMS and registrations. MegaFon fraud details

I was a subscriber of this company for 12 years. I never personally caught these jokes, and what I read led me to decide to change operators.

My choice was not great (MTS, Beeline, Tele2), but I realized that these companies are trading exactly the same as the above-mentioned company. And then it dawned on me that there is a company and its name is Yota.

But, you will say, Yota belongs to MegaFon, and I will answer: let the vicious circle begin.
Everything was fine: I came, bought a SIM card and started using it.

What we are all here for


I needed to change the phone number in the personal account of Russian Post.
And I ran into the problem that this number (purchased from Yota) is already taken.


I had a question: why so? And I remembered that with Yota you can very easily change the phone number right in the application. And maybe the former owner of my number simply forgot to "unlink" it.

Screenshot from the Yota app

Out of curiosity, purely for familiarization purposes, I wondered whether I could log into the account of the person who had this phone number attached.

And I easily received a confirmation code and was able to enter a new password.

Russian Post verification code

On entering the personal account, we see this "personal information":


And here we can understand that everything is "lame": when you change your phone number and forget about some mail account there, someone can easily get your "personal information".

I did not stop at these actions and continued to search.


I decided to simply type the given phone number into the search engine “There is everything”.


And we see the page of the former user of my number.

The link itself gives me a 404 error.

I easily found the person’s page through the city given to me. Now we know the “personal data”, the page on VKontakte and the Steam account of this person.

What could a bad person do with this information?
I will provide you with the answer options.

And we will continue. Everyone knows about the public services portal? Yes, this is exactly what you thought.
We will try to restore access to the portal using my phone number and the data that my Russian Post personal account politely provided.

By entering the phone number and passport data, I was easily able to regain access to this portal.

And what do we see? We see all the most important documents of this person.


And also my phone number (plus this person's email).

Since we now know this person's email, I decided to see if my phone number is attached to it (spoiler: yes).

Email Verification Code

And now we already have mail!

As far as we know, if we have a Russian Post, we own everything that is tied to it. I saw that the mail is tied to the following accounts: Blizzard, Google, VKontakte, AliExpress, GOG.

the end.

Conclusion


Before changing your phone number, make sure that you unlink it from everything you can.
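The chain above works because each service accepted an SMS code sent to a number whose holder had changed. The following is an added example, not part of the original article, of a service-side check that refuses SMS-only resets for re-issued numbers; the operator re-issue feed, the field names and the 180-day threshold are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_VERIFICATION_AGE = timedelta(days=180)  # assumed policy value, tune per service

@dataclass
class PhoneBinding:
    account: str
    number: str
    last_verified: date                   # owner last proved possession of the SIM
    reassigned_on: Optional[date] = None  # from a hypothetical operator re-issue feed

def apply_reissue_feed(bindings: List[PhoneBinding], feed: Dict[str, date]) -> List[str]:
    """Record re-issue dates; return accounts whose number now belongs to someone else."""
    stale = []
    for b in bindings:
        if b.number in feed:
            b.reassigned_on = feed[b.number]
            if b.reassigned_on >= b.last_verified:
                stale.append(b.account)
    return stale

def sms_reset_decision(b: PhoneBinding, today: date, extra_proof: bool) -> str:
    """Decide whether an SMS code alone may reset the password: allow / step_up / deny."""
    if b.reassigned_on is not None and b.reassigned_on >= b.last_verified:
        return "deny"      # the code would be delivered to the new SIM holder
    if today - b.last_verified > MAX_VERIFICATION_AGE and not extra_proof:
        return "step_up"   # binding too old to trust; require an independent factor
    return "allow"

# Constructed sample data modelled on the situation in the article.
BINDINGS = [
    PhoneBinding("former_owner", "+70000000001", date(2016, 3, 1)),
    PhoneBinding("active_user", "+70000000002", date(2019, 5, 20)),
    PhoneBinding("dormant_user", "+70000000003", date(2017, 1, 10)),
]
FEED = {"+70000000001": date(2019, 4, 2)}  # number re-issued to a new subscriber
TODAY = date(2019, 6, 1)

if __name__ == "__main__":
    print("unbind:", apply_reissue_feed(BINDINGS, FEED))
    for b in BINDINGS:
        print(b.account, sms_reset_decision(b, TODAY, extra_proof=False))
```

Accounts returned by `apply_reissue_feed` are the ones whose phone binding should be removed; a binding that was re-verified after the re-issue date belongs to the new subscriber and is left alone.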

I can’t even imagine what would happen if this information fell into the hands of attackers or people who know better than I do what to do with it.

Who is to blame? It's hard to say; let's share opinions.
And what would you do in this situation?

P.S. I apologize for all the flaws and spelling mistakes. This is my first article, so please don't judge strictly.
