Updated Samsung has admitted that what it calls a "small number" of users could indeed read other people's personal data following last week's unexplained Find my Mobile notification.
Several Register readers wrote in to tell us that, after last Thursday's mystery push notification, they found strangers' personal data displayed to them.
Many readers, assuming Samsung had been hacked, logged into its website to change their passwords. Now the company has admitted that a data security breach did occur.
A spokeswoman told The Register: "A technical error resulted in a small number of users being able to access the details of another user. As soon as we became of aware of the incident, we removed the ability to log in to the store on our website until the issue was fixed."
She added: "We will be contacting those affected by the issue with further details."
From the not-insignificant number of emails El Reg received about the website snafu, it remains to be seen whether Samsung's definition of "small number" is the same as that of the rest of the world.
Of potentially greater concern is the mystery 1/1 push notification from Find my Mobile, a baked-in app on stock Samsung Android distributions. Although the firm brushed off the worldwide notification as something to do with unspecified internal testing, many of those who wrote to El Reg said they had disabled the app. Stock apps cannot be uninstalled unless one effectively wipes the phone and installs a new operating system – unlocking the bootloader and reformatting with a new third-party, customised ROM.
Samsung did not answer our questions as to how a "disabled" app was able to receive and display push notifications. Nor did it say what other functions this "disabled" app was capable of executing. ®
Updated to add
A Samsung rep later told us, referring to the data breach on its UK customer account pages: "Less than 150 customers were affected, and we are contacting them directly."