Hacker, Verizon duel over customer record claims
Summary: A hacker said he has acquired more than 3 million Verizon customer records -- but leaks only 10 percent of them, after the phone and broadband giant fails to fix a security flaw. Verizon disagrees.

Updated on December 22 at 8:00 p.m. ET: Verizon spokesperson Alberto Canal told ZDNet in an emailed statement: "We have examined the posted data and we have confirmed that it is not Verizon Wireless customer data. Our systems have not been hacked."
The hacker said in a later tweet the data likely belongs to Verizon FiOS fiber customers, rather than Verizon Wireless cellular customers. We've updated the post to reflect these changes. We've put in more questions to Verizon and will update again once we hear back.
- - -
A hacker has posted around 300,000 database entries of Verizon customers to the Web, after exploiting a vulnerability in the cellular giant's network.
The hacker, going by the name @TibitXimer on Twitter, told ZDNet earlier this evening that the hack was carried out earlier this year on July 12, which allowed him to gain root access to the server holding the customer data. Tibit gained access to a server with little difficulty after working with another hacker to identify the security flaw.
Tibit downloaded more than 3 million customer entries from Verizon's database, including names, addresses, mobile serial numbers, the opening date of each account, and account passwords. However, he said that figure was an estimate, that he had "no clue" exactly how many records there were, and that it was a "low estimate based on the size of one record and the size of all the files."
A fraction of the downloaded data has been published to code-sharing site Pastebin after Verizon failed to fix the vulnerability in its network, Tibit said, noting that the data was stored in plain text and did not require decryption.
(Update on December 23 at 8:10 a.m. ET: The Pastebin link no longer works, though the cache of data remains in wide circulation around the Web.)
The hacker said that after he informed Verizon of the exploit, the company "ignored my report," and did not comment.
Tibit said he worked alone, and while he supports Anonymous, he is not directly associated with the hacking collective.
Verizon spokesperson Alberto Canal said in an emailed statement: "We take any attempts to violate consumer and customer privacy and security very seriously."
"We reported this incident to the authorities when we first learned of it months ago and an investigation was launched. Many of the details surrounding this incident are incorrect and exaggerated. No Verizon systems were breached, no root access was gained, and this incident impacted a fraction of the number of individuals being reported."
"Nonetheless, we notified individuals who could potentially have been impacted and took immediate steps to safeguard their information and privacy. Verizon has also notified the FBI of this recent report as a follow-up to the original case."
Before the customer records were published online, Tibit showed ZDNet a snapshot of some of the data, which appeared jumbled, but was in plain text and relatively easy to understand. It clearly showed account data, including names and addresses, and what appeared to be passwords.
Tibit said the unencrypted customer files were "split up by region," but said that he "won't publish all [of the records] as I believe one region [300,000 records] is enough."
The hacker said that the leaked customer data suggests it came from customers in "Pennsylvania and maybe two more states around it."
"I might leak the rest later," he noted.
While he did not explain the exploit used to acquire the data in full, he said that the company's current security set-up allowed him to "gain root access to the server these files were stored on." He also noted that the exploit "still exists."
"The worst part of it all, every single record was in plain text," he said. "I did not have to decrypt anything." He said he couldn't understand "why they still haven't fixed the exploits," months after informing the company of its poor network security.

Talkback
No sympathy for hackers from me
Bastard
This doesn't let Verizon off the hook by any means. Their inaction is probably even more dangerous than his actions. TibitXimer could have accomplished the goal by contacting a reputable tech-reporter with his verifiable evidence and let the reporter tie the noose around Verizon's neck.
No sympathy for you
Meh
Barring that though, who cares if your name and address is leaked. There's nothing private about that. Open up any phone book. Look there's your phone number, name, and address. Your mobile device serial number ... I'm not so sure, but I somehow doubt that is very useful for most things.
Verizon Data - Confirmed
why release the info?
apparently Verizon knew
Disgusting
If this hack into Verizon was accurate, I will change my providers.
Hmmm....
A simple test to see if Verizon is lying would be to have anyone whose personal info was leaked via this supposed Verizon hack to also check if that same info was included in that UDID hack & leak (a Google search on "UDID Leak Checker" will bring up some sites. The one at Dazzlepod seems to get the most recommendations.)
MY Credit CARD was stolen
Verizon and I live in PA.
They never contacted me that there was a breach.
The bank does not have a clue.
Filed a Fraud Alert
Verizon never contacted me that there was a possible security breach.
I pay for Verizon FIOS and I live in PA.
The credit card company could not explain how they accessed my credit card number but all the merch was purchased at online websites with my card number.
I was told if any of the Merch showed up at my home to contact the CC company.
There is only one way they could have stolen my credit info would be by an unsecure site storing my private credit info.
No excuse Verizon