Can't be mad at the speed and outcome of the response. I'm sure they would have preferred the incident not be published at all...
In any case, we've all had "oh shit!" moments before. I'd love to think this would be a wake up call about quality control, but Verizon is just so freakin' big, that I can't imagine the number of vendors that have contributed to the amount of code Verizon is running at any given time. I can't imagine the chore of vetting it all at delivery time, let alone having to go back now, realizing how bad that bug was and assuming other sloppiness likely exists.
And that's the problem in the industry. Unless you close up shop, a breach doesn't really impact your business that much. Linode, for example, had several security incidents where they did not tell their customers in any reasonable time, or in some cases, lied to their customers until they were forced to tell the truth. After one such incident where card numbers were reportedly stolen (but Linode said they weren't), I closed my account, cancelled the card I was using, and moved to DigitalOcean. And whenever I mention this, I get a hundred people saying "Linode is awesome and all of that was in the past!". I don't care. They screwed me over multiple times, were dishonest with me as a paying customer, and proved to me they cannot be trusted. Sorry Sony. You get breached once, I might forgive you. You get breached twice, you're doing something wrong. You get breached again and again, you no longer exist in my mind.
Security is not a game, and it's not an afterthought. But some days it seems I am the only person who feels that way. I still don't shop at Target or Home Depot. They need to feel the impact of their business decisions, instead of putting the cost of security onto their customers or the customer's bank.
Just as another datapoint, I used to keep a couple of virtual machines at Linode.
After seeing how they acted after their security breaches, I left for DigitalOcean. I've also recommended DO over Linode to other people for that reason.
I should note it wasn't the fact they had a security incident, that happens. It was the way they 'communicated' it.
I'm not generally a fan of Verizon as a corporation, but they deserve kudos for fixing the issue quickly and rewarding the OP for reporting it! This should be the norm. Too many nightmare stories of companies prosecuting users who find and report vulnerabilities.
I don't think that having two days between the contact and the fix is acceptable for something as crucial as reading anyone's e-mail. I wish they had locked down access while investigating the bug once they confirmed it (which should have taken minutes). Leaving such access open for any time after knowing about it is grossly irresponsible in my eyes.
When I stumbled across a Verizon Wireless security problem last year, their security team was the silver lining in what was otherwise a terrible experience.
(I was a bit disappointed that it took so long to find that team -- only found them through unrelated news stories asking the public to report any signs of infrastructure sabotage during a labor negotiation breakdown.)
They ultimately weren't able to help me, and I had to resort to other more drastic means to reach the right people.
It's really difficult and nerve-racking to have to deal with this type of run-around under the threat of possible prosecution.
Really glad this ended well for the OP and not with a prosecution for violating the Computer Fraud & Abuse Act (something I was deathly scared of last year when testing Virgin Mobile's ability to brute force logins).
Though there are smart people at Verizon, much of their software is outsourced with limited oversight. I once interviewed for what I thought was a dev position but at the end of the interview they tried to slide in that I was really going to be "managing" the outsourced team and would not be allowed to write anything myself. I said no.