

  (Source: Jason Mick/DailyTech LLC)
ISP says no "breach" occurred, but that a small, mostly harmless leak did happen

The mystery is growing in the case of a hacker named TibitXimer, who claimed to have copied (probably illegally) 3 million records from Verizon Wireless's customer database. The records included passwords, names, home addresses, email addresses, and device serial numbers, all of which were stored in plaintext.

Initially, TibitXimer posted a subsection of the cache -- 300,000 entries -- to a Pastebin in typical hacker fashion.  But the plot thickened when the Pastebin post was deleted, as noted by The Next Web, and the hacker's Twitter account was no longer listed as registered on Twitter (this indicates he deleted his account, or changed his name, as typically Twitter account suspensions yield a different error).

But then it came out that some of the accounts -- initially attributed to Verizon Communications Inc. (VZ) and Vodafone Group Plc. (LON:VOD) -- were actually Verizon FiOS subscribers.

And Verizon comments:

This incident was reported to the authorities when we first learned of it months ago and an investigation was launched. Many of the details surrounding this incident are incorrect and exaggerated. No Verizon systems were breached, no root access was gained, and this incident impacted a fraction of the number of individuals being reported. We take any and all attempts to violate consumer and customer privacy and security very seriously, so we notified individuals who could potentially have been impacted and took immediate steps to safeguard their information and privacy. Verizon has also notified law enforcement of this recent report as a follow-up to the original case.
....
There was no hack, and no access gained. A third party marketing firm made a mistake and information was copied. As for wireless v. wired customers, some of the individuals listed were Verizon customers who are not wireless customers but wired/wireline customers or prospective customers.

A security expert named Adam Caudill backs Verizon's claims, pointing out that much of the information first popped up in August, so the release last weekend was just a regurgitation of an old leak.

To be fair, TibitXimer himself/herself openly acknowledged in later posts that some of the data set came from FiOS subscribers, and the hacker always made it clear that the set was first obtained in July.

Tbit on Twitter

At this point there's not much to do, as there's no official route to seeing if your details were leaked. And to be fair to Verizon, whatever damage was done was not directly its own doing. But hopefully the incident serves as a wakeup call to Verizon Communications/Verizon Wireless not to callously hand customer records or data to third-party contractors without demanding rigorous security compliance.

Sources: The Next Web [1], [2]




Oh, did we forget to mention the important bit?
By drycrust3 on 12/24/2012 3:14:01 PM , Rating: 5
quote:
A third party marketing firm made a mistake and information was copied.

So why does a marketing company need the email account passwords? I can accept that a marketing company would want email addresses, but why give them the passwords as well?




RE: Oh, did we forget to mention the important bit?
By spread on 12/25/2012 6:50:44 PM , Rating: 5
You just don't understand the way modern business works and frankly, I don't think you have the synergy or core competency to work in such a bleeding edge business environment. You need to give 110% and solutioneer problems with granularity every day. Verizon is a fast paced and dynamic environment and sometimes they think outside of the box.


By geddarkstorm on 12/26/2012 12:57:31 PM , Rating: 2
And thinking "outside the box" includes giving access to our passwords to third party groups? Ok.


By Solandri on 12/26/2012 1:53:03 PM , Rating: 2
A good security system doesn't even store your password. It stores a hash - the result of a one-way mathematical function performed on your password. You type in the password, it runs it through the hash algorithm, and compares that hash with the one it has stored. If they match, then you typed in the correct password.

A better security system salts the password (adds some unique characters) before hashing. So unless you also know the salt, you can't even brute force the passwords with a rainbow table attack (that's where you do something like run every word in the dictionary through the hash algorithm and compare the resulting hashes with those you've stolen).
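
The storage scheme described in the comment above, as an added example (not from the article or any commenter): each record holds a random per-user salt and a derived hash, never the password, and a login is checked by re-deriving the hash. PBKDF2-SHA256, the iteration count, the function names and the three-word list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this example; tune for real hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record to store: a per-user random salt plus the derived hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-derive the hash from the typed password and stored salt, then compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def unsalted_sha256(password: str) -> str:
    """The weaker scheme for contrast: a plain, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed word list standing in for a table of hashes computed ahead of time.
PRECOMPUTED = {unsalted_sha256(w): w for w in ("letmein", "password1", "fios2012")}


def demo() -> dict:
    alice = hash_password("password1")
    bob = hash_password("password1")  # same password, different random salt
    return {
        "records_identical": alice["hash"] == bob["hash"],
        "correct_login": verify_password("password1", alice),
        "wrong_login": verify_password("password2", alice),
        "unsalted_lookup": PRECOMPUTED.get(unsalted_sha256("password1")),
        "salted_lookup": PRECOMPUTED.get(alice["hash"]),
    }


if __name__ == "__main__":
    print(demo())
```

Two users with the same password end up with different stored hashes, and the precomputed table that matches the unsalted hash finds nothing for the salted record.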


By ClownPuncher on 12/26/2012 2:49:25 PM , Rating: 2
Awesome.














Copyright 2014 DailyTech LLC.