NullCrew, a hacking group that has been relatively quiet for some time (in late 2012 it dumped data stolen from a DoD site, defense.gov, NSA, Mastercard and BB&T) has returned. On 10 January it announced, "We have hidden ourselves for far to long, and it's time to show these fucktards that we're still here." Five days later, 15 January, it tweeted, "Successful day hacking internet service providers is successful."
It is now thought that this was the first reference to what followed. On 31 January NullCrew tweeted, "Re-tweet for a rather large leak on a Canadian ISP. #NullCrew and it begins!" Two days later Bell released its statement confirming that it had lost at least 22,421 user names and passwords, but denying that it had been hacked.
Databreaches contacted NullCrew to learn more. NullCrew provided a screenshot of a chat it had with Bell Support "weeks ago" where it informed Bell of the breach. Derek (Bell support) said, "Bell Internet service is a secured one." The hacker responded, "If that's true, why do I have access to several.. and I mean SEVERAL user accounts."
The lack of any response from Bell could be taken as the support engineer assuming it was a prank call. But NullCrew went further. "I informed them they didn’t have much time, and the world would soon see their failure," the hacker told Databreaches. "Their response was exactly what you see in their article, bullshit. “Bell Internet is a secure service.” They did not even say they would look into it, they did not try and assess the exploit.. it was up, for two weeks. And only taken down after we released our data."
The domain concerned is https://protectionmanagement.bell.ca/. At the time of writing this report the domain is unavailable. Bell says the server concerned belongs not to Bell, but to a third party provider (which it did not name). Databreaches tweeted, "The IP for the subdomain in question is registered to Magma Communications."
NullCrew is suggesting that this is just the beginning of its campaign. "NullCrew is far from done, we want to make it evident that just because we lurked in the shadows; it does not mean we left. That we are here to stay. Simply put? Stay tuned," it told Databreaches. The question now is whether it managed to traverse from the third party supplier to Bell's own servers.