Questions still need to be answered on the Verizon ‘hack’

According to a report in ZDnet, a hacker calling himself TibitXimer “downloaded more than 3 million customer entries from Verizon's database, including names, addresses, mobile serial numbers, the opening date of each account, and account passwords.” He then posted around 10% (about 300,000) of them on Pastebin. Verizon quickly responded to ZDnet by email: “"We have examined the posted data and we have confirmed that it is not Verizon Wireless customer data. Our systems have not been hacked.”

TibitXimer’s twitter account has since been removed, and the Pastebin dump is no longer available. Both companies have become more active in cleaning up their darker side; Twitter has recently suspended a number of Anonymous accounts, while Pastebin has become proactive in removing files that contain personal information.

The data dump itself seems to have been genuine, but the source is queried. In an interview with BetaNews, the hacker insisted, quite explicitly, that the data came from Verizon. While both Verizon Wireless and FiOS were compromised, “FiOS is the only portion in the leak.” (Note that Verizon’s statement says that “it is not Verizon Wireless customer data”).

The alleged hacker told ZDnet that he informed Verizon of the breach when it happened, but the company “ignored my report.” In an email to DataBreaches.net, Verizon has subsequently said, “Some were Verizon customers, most were not. In regards to the number of individuals, the total was about 10% of what was originally reported. In answer to your question about a vulnerability: No there was not. There was no vulnerability exploited. The data posted was related to 3rd Party Telemarketer Sales Lead Lists. That issue was addressed immediately once we were made aware of the issue.”

If this is true, there is another serious question that still needs to be asked and answered. ZDnet reported, “Before the customer records were published online, Tibit showed ZDNet a snapshot of some of the data, which appeared jumbled, but was in plain text and relatively easy to understand. It clearly showed account data, including names and addresses, and what appeared to be passwords.” What, then, was a third-party marketing company doing with Verizon (or other companies’) customer passwords?

What’s Hot on Infosecurity Magazine?