U.S. cell carrier Assist Wireless left tens of thousands of personal customer documents on its website by mistake.
Assist provides free government-subsidized cell phones to low-income households across Oklahoma through the Lifeline program, set up by the Federal Communications Commission in 1985. Lifeline helps households on federal assistance programs, like food stamps or public housing, get access to cheap cell phone plans.
But part of the carrier’s website was leaking customer documents — including driver licenses, passports and Social Security cards — which customers submit to verify their eligibility to sign up for a free phone and a plan.
The documents are dated between 2019 and 2020.
Security researcher John Wethington found the exposed documents through a simple Google search result, and asked TechCrunch to alert the carrier to the leak. Assist removed the exposed documents from its website a short time later.
Assist told TechCrunch that it traced the issue to a third-party plug-in, Imagify, which the carrier uses to optimize images on its website. Assist said that the plug-in by default puts a backup of uploaded images in a separate folder, but that the backup location in Assist’s case was not secure.
“We have resolved the issue by turning the backup off and removed the folder from public view,” said Assist.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
The carrier told TechCrunch it also submitted an “urgent request” to Google to remove the documents from its cached image search results. (TechCrunch held this story until the images were scrubbed.)
Assist said it is investigating if anyone else found the exposed data before the issue was fixed.
“Assist Wireless takes security and consumer data very seriously. We are hiring a third-party security firm to provide us with a thorough security audit and subsequent consultation on ensuring customer data is as safe as possible moving forward,” the carrier said.
The carrier also said it would notify customers if their data was exposed in the security lapse.
