Hacker, Verizon duel over customer record claims

Hacker, Verizon duel over customer record claims

Summary: A hacker said he has acquired more than 3 million Verizon customer records -- but leaks only 10 percent of them, after the phone and broadband giant fails to fix a security flaw. Verizon disagrees.

SHARE:
12

Updated on December 22 at 8:00 p.m. ET: Verizon spokesperson Alberto Canal told ZDNet in an emailed statement: "We have examined the posted data and we have confirmed that it is not Verizon Wireless customer data. Our systems have not been hacked."

The hacker said in a later tweet the data likely belongs to Verizon FiOS fiber customers, rather than Verizon Wireless cellular customers. We've updated the post to reflect these changes. We've put in more questions to Verizon and will update again once we hear back.

- - -

A hacker has posted around 300,000 database entries of Verizon customers to the Web, after exploiting a vulnerability in the cellular giant's network.

The hacker, going by the name @TibitXimer on Twitter, told ZDNet earlier this evening that the hack was carried out earlier this year on July 12, which allowed him to gain root access to the server holding the customer data. Tibit gained access to a server with little difficulty after working with another hacker to identify the security flaw.

Tibit downloaded more than 3 million customer entries from Verizon's database, including names, addresses, mobile serial numbers, the opening date of each account, and account passwords. However, he said that figure was an estimate and had "no clue" exactly how many records there were, and that it was a "low estimate based on the size of one record and the size of all the files."

A fraction of the downloaded data has been published to code-sharing site Pastebin after Verizon failed to fix the vulnerability in its network, Tibit said, noting that the data was stored in plain text and did not require decryption.

(Update on December 23 at 8:10 a.m. ET: The Pastebin link no longer works, though the cache of data remains in wide circulation around the Web.)

The hacker said that after he informed Verizon of the exploit, the company "ignored my report," and did not comment.

Tibit said he worked alone, and while he supports Anonymous, he is not directly associated with the hacking collective.

Verizon's spokesperson Alberto Canal said in a statement emailed: "We take any attempts to violate consumer and customer privacy and security very seriously."

"We reported this incident to the authorities when we first learned of it months ago and an investigation was launched. Many of the details surrounding this incident are incorrect and exaggerated. No Verizon systems were breached, no root access was gained, and this incident impacted a fraction of the number of individuals being reported."

"Nonetheless, we notified individuals who could potentially have been impacted and took immediate steps to safeguard their information and privacy. Verizon has also notified the FBI of this recent report as a follow-up to the original case." 

Before the customer records were published online, Tibit showed ZDNet a snapshot of some of the data, which appeared jumbled, but was in plain text and relatively easy to understand. It clearly showed account data, including names and addresses, and what appeared to be passwords.

Tibit said the unencrypted customer files were "split up by region," but said that he "won't publish all [of the records] as I believe one region [300,000 records] is enough."

The hacker said that the leaked customer data suggests it came from customers in "Pennsylvania and maybe two more states around it."

"I might leak the rest later," he noted.

While he did not explain the exploit used to acquire the data in full, he said that the company's current security set-up allowed him to "gain root access to the server these files were stored on." He also noted that the exploit "still exists."

"The worst part of it all, every single record was in plain text," he said. "I did not have to decrypt anything." He said he couldn't understand "why they still haven't fixed the exploits," months after informing the company of its poor network security.

Image credit: Sarah Tew/CNET.

Topics: Verizon, Networking, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

12 comments
Log in or register to join the discussion
  • No sympathy for hackers from me

    How magnanimous of him to "only" release 10% of the record, so that "only" those would be exposed to additional vulnerabilities. And he threatens to release more if Verizon doesn't act? "Oh.. I've only stabbed you. If you don't bend over, I'll shoot you."

    Bastard

    This doesn't let Verizon off the hook by any means. They're inaction is probably even more dangerous than his actions. TibitXimer could have accomplished the goal by contacting a reputable tech-reporter with his verifiable evidence and let the reporter tie the noose around Verizon's neck.
    R.L. Parson
    • No sympathy for you

      I hope you are among the ten percent. I will change my password. I am glad I do not have my credit card information stored at Verizon.
      ByOnwuka
  • Meh

    A password being leaked is bad; there's no excuse for any company to have passwords stored in plain text ever. I wish there was a mandate of websites hosted within the US with over a certain number of accounts to securely store passwords using a strong hash or encryption technique or face stiff penalties if the system is compromised and you didn’t follow proper techniques.
    Barring that though, who cares if your name and address is leaked. There's nothing private about that. Open up any phone book. Look there's your phone number, name, and address. Your mobile device serial number ... I'm not so sure, but I somehow doubt that is very useful for most things.
    Yensi717
  • Verizon Data - Confirmed

    That's definitely Verizon account data because my name is on it.
    c33jd13s3l
  • why release the info?

    If the hacker really wanted to help, why even release the info of innocent customers?
    oaba10
    • apparently Verizon knew

      Verizon knew of the vulnerability and did nothing about it. If the guy who released it had access to it, anyone else who knew about it had access to it as well. That is a lot of people with access to the system. This is not good.
      ByOnwuka
  • Disgusting

    The ineptitude by corporate bureaucrats to not even take the time to properly secure data is ridiculous. And the apathy to not care when caught is appalling.

    If this hack into Verizon was accurate, I will change my providers.
    somervij
  • Hmmm....

    There seems to be a lot of CYA'ing going on here and elsewhere, which is always a bad sign (or good one, depending on your perspective.) While it isn't being explicitly stated anywhere that I can see, basically Verizon and others are claiming that the personal info that was leaked did not come from Verizon but from the UDID hack by Antisec that occurred some months back. The now accepted (if not quite entirely accurate [no, I'm not going to explain]) story is that the UDID info came from a Florida publishing company called Blue Toad.

    A simple test to see if Verizon is lying would be to have anyone who's personal info was leaked via this supposed Verizon hack to also check if that same info was included in that UDID hack & leak (a Google search on "UDID Leak Checker" will bring up some sites. The one at Dazzlepod seems to get the most recommendations.)
    JustCallMeBC
  • MY Credit CARD was stolen

    No one could figure out how they had my number and ordered tons of stuff.
    Verizon and I live in PA.
    They never contacted me that there was a breach.
    The bank does not have a clue.
    Bixbyte@...
    • Filed a Fraud Alert

      My Credit card info was stolen and someone charged up $1,000s in JULY.
      Verizon never contacted me that there was a possible security breach.
      I pay for Verizon FIOS and I live in PA.
      The credit card company could not explain how they accessed my credit card number but all the merch was purchased at online websites with my card number.
      I was told if any of the Merch showed up at my home to contact the CC companny.
      There is only one way they could have stolen my credit info would be by an unsecure site storing my private credit info.
      Bixbyte@...
  • No excuse Verizon

    The only thing worse than a business with appalling security is a business with appalling security that doesn't fess up to it when their security has been breached.
    eAbyss
  • lol

    Noob.
    Freedy kreegur