A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of its customers.

Security researcher Eric Taylor discovered the cable provider’s vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details about Charter’s Internet subscribers. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.

The vulnerability could reveal personal information of “millions” of the company’s subscribers, claimed Taylor, chief information officer for Cinder, an Internet startup. But a spokesperson for Charter told Fast Company that “the vast majority of Charter customers use a version of the site on which this security vulnerability was not an issue,” and that the number of customers affected was less than one million. The company is auditing its systems, he said, and has so far “seen no evidence of any password or data hacks.” The exposed data did not include credit card numbers.

Taylor, 18, discovered the issue with his colleague Blake Welsh, after recently finding a similar vulnerability in Verizon’s online customer service system. Luckily for Verizon, he said, that flaw “only exposed user IDs, phone numbers, and device names.” But the amount of user information exposed in Charter’s case, Taylor said, was “way way way more.”

Sensitive account information exposed by the simple hack includes payment details, modem serial numbers, device names, account numbers, home addresses, and more.

With 4.7 million residential Internet customers, Connecticut-based Charter is the nation’s fourth-largest cable operator. The company announced Monday it’s going through with a $10.4 billion deal to acquire Si Newhouse Jr.’s Syracuse, N.Y.-based Bright House Networks, the nation’s sixth-largest cable company. The deal will expand Charter’s customer base by more than 2 million, bumping its rank to the third-largest cable operator in the country.

Charter’s site identified its customers through their IP addresses, akin to the way automated customer support hotlines identify customers by their phone numbers when they call. Thus, obtaining a subscriber’s IP address is all an attacker would need to see their account details. (IP addresses are the unique numbers for all Internet-connected devices and applications, and are increasingly easy to gather.)