Has Verizon Exposed Your Call History? What To Know

Millions of Verizon customers may have been at risk of having their call histories exposed through a security flaw in the company’s Call Filter app, according to a new report by ethical hacker Evan Connelly.

The vulnerability allowed anyone to access detailed incoming call logs of any Verizon number, raising significant privacy concerns for journalists, politicians, law enforcement officers and other potentially high-profile targets.

The flaw was discovered in February 2025 and affected the iOS version of Verizon’s Call Filter app, which is pre-installed on many Verizon phones and used by millions to block spam calls and identify unknown numbers. Verizon confirmed the issue was resolved in March, but experts warn the potential for misuse was immense.

“This wasn’t just a data leak. It was a real-time surveillance mechanism waiting to be abused,” Connelly wrote in his original report.

The bug allowed unauthorized users to query the app’s backend server and retrieve the call history for any Verizon number.

As Connelly explained in his blog, the app’s server failed to verify that a phone number in a request matched the user authenticated via a JSON Web Token (JWT). This misconfiguration meant that an attacker could input any Verizon number and obtain a list of recent incoming calls, complete with timestamps.

What Does the Verizon Call Filter App Do?

Verizon’s Call Filter app is a core part of its mobile ecosystem, designed to protect users from robocalls, spam, and unknown callers. The app is installed on both Android and iOS devices sold through Verizon and includes features such as spam detection, caller ID, personal block lists, and high-risk call blocking. A premium version of the app offers even more tools, like spam lookup and caller ID for previously unknown numbers.

Because of its widespread distribution and integration into Verizon’s network services, the impact of the flaw could be extensive. “Given Verizon’s large subscriber base, the app likely has millions of users,” reported TechRadar.

The vulnerability was specific to a data endpoint used by the app, hosted at a domain that appears to be operated by Cequint, a third-party telecom technology provider. “Interestingly, the domain name that hosts the API for this app is registered at GoDaddy, which is a bit unusual for a large company, especially one as big as Verizon,” Connelly said in his report.

He added that Cequint “specializes in caller ID services” and is likely the third-party vendor managing this functionality for Verizon. Cequint’s own website was down at the time of the investigation, raising further questions about how user data is managed and protected.

How Many Verizon Customers Were Vulnerable to Hacking?

Though Verizon has not confirmed whether any users were affected by the vulnerability, Connelly estimated that the flaw “impacted either nearly all, or all customers” who had the Call Filter service enabled. The service may be active by default for many users, according to Verizon’s own documentation.

“Call metadata might seem harmless, but in the wrong hands, it becomes a powerful surveillance tool,” Connelly said. “With unrestricted access to another user’s call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships.”

In a statement to Cybernews, Verizon acknowledged the vulnerability and confirmed that a patch was issued in mid-March. “Verizon was made aware of this vulnerability and worked with the third-party app owner on a fix and patch that was pushed in mid-March. While there was no indication that the flaw was exploited, the issue was resolved and only impacted iOS devices,” a Verizon spokesperson said.

Security experts caution that even without evidence of exploitation, the nature of the bug and the sensitivity of the data exposed warrant serious attention. “Seeing someone’s call log might not seem like much at first,” said TechRadar journalist Sead Fadilpašić. “But Connelly warns that it could be a ‘powerful surveillance tool,’ especially against high-profile targets such as journalists, government opponents, dissidents, and similar.”

The flaw was reported to Verizon on February 22 and confirmed to be fixed by March 25. “I do want to credit Verizon for a quick response and fix,” Connelly wrote. “They were also prompt to acknowledge my report.”

Still, the incident raises larger questions about the security oversight of third-party partners handling user data and whether carriers are doing enough to protect consumer privacy in a growing threat landscape.

“How much data does this obscure company without a website of their own have? And how well secured is it?” Connelly asked in his post.