Trojan exposes Oz broadband passwords
The batch of BigPond usernames and passwords were posted on the www.apcmag.com forum, as well as a number of other chat sites, Friday evening by a group calling itself Oxyg3n.
Telstra, which became aware of the violation on Saturday, immediately changed the passwords involved, cancelled the compromised accounts on Sunday and sent the following email to affected users.
“Big Pond security have reason to believe that your BigPond Advance username and password may have been intercepted by unauthorised parties. Please change your password immediately. It is a good idea to regularly change your password in any respect and please, be careful to whom you disclose your account details.”
Speculation arose immediately that the BigPond database had been hacked, but Telstra denied the claim.
“It’s absolutely not true that Telstra’s BigPond database has been hacked into,” Telstra spokesperson Stuart Gray told ZDNet.
Broadband.org.au webmaster Adrian Sobotta said the fact that only 69 account details had been disclosed backed up Telstra’s claim that the security breach was the result of a trojan.
“To hack into Telstra’s database would be a mammoth task,” he said, adding that a hacking would have turned up thousands of passwords rather than around 70.
“A lot of broadband users use firewalls,” Sobotta added, “therefore many would be safe if [Oxyg3n] was running a Trojan”.
Telstra admitted that it couldn’t be certain that more password and username combinations have been compromised and “we don’t know if they [breached accounts] were accessed by people yet,” Gray said.
However, according to Sobotta, “people have tried to use them [usernames/passwords], just to check out if they would be successful and they have been”.
Telstra, which has been whipped by a backlash of bad press after it restricted its broadband data downloads to three gigabytes a month, said it didn’t know the culprit’s motivation behind the attack.
It seems to be some sort of publicity stunt, according to Gray.
“It’s illegal for those usernames and passwords to be posted,” Gray said.
“There will be a full investigation into the whole event…we will try and chase down the person who did it and take every action possible,” Gray added.