Hacker, Verizon duel over customer record claims

A hacker said he has acquired more than 3 million Verizon customer records -- but leaks only 10 percent of them, after the phone and broadband giant fails to fix a security flaw. Verizon disagrees.
Written by Charlie Osborne, Contributing Writer and  Zack Whittaker, Contributor

Updated on December 22 at 8:00 p.m. ET: Verizon spokesperson Alberto Canal told ZDNet in an emailed statement: "We have examined the posted data and we have confirmed that it is not Verizon Wireless customer data. Our systems have not been hacked."

The hacker said in a later tweet the data likely belongs to Verizon FiOS fiber customers, rather than Verizon Wireless cellular customers. We've updated the post to reflect these changes. We've put in more questions to Verizon and will update again once we hear back.

- - -

A hacker has posted around 300,000 database entries of Verizon customers to the Web, after exploiting a vulnerability in the cellular giant's network.

The hacker, going by the name @TibitXimer on Twitter, told ZDNet earlier this evening that the hack was carried out earlier this year on July 12, which allowed him to gain root access to the server holding the customer data. Tibit gained access to a server with little difficulty after working with another hacker to identify the security flaw.

Tibit downloaded more than 3 million customer entries from Verizon's database, including names, addresses, mobile serial numbers, the opening date of each account, and account passwords. However, he said that figure was an estimate and had "no clue" exactly how many records there were, and that it was a "low estimate based on the size of one record and the size of all the files."

A fraction of the downloaded data has been published to code-sharing site Pastebin after Verizon failed to fix the vulnerability in its network, Tibit said, noting that the data was stored in plain text and did not require decryption.

(Update on December 23 at 8:10 a.m. ET: The Pastebin link no longer works, though the cache of data remains in wide circulation around the Web.)

The hacker said that after he informed Verizon of the exploit, the company "ignored my report," and did not comment.

Tibit said he worked alone, and while he supports Anonymous, he is not directly associated with the hacking collective.

Verizon's spokesperson Alberto Canal said in a statement emailed: "We take any attempts to violate consumer and customer privacy and security very seriously."

"We reported this incident to the authorities when we first learned of it months ago and an investigation was launched. Many of the details surrounding this incident are incorrect and exaggerated. No Verizon systems were breached, no root access was gained, and this incident impacted a fraction of the number of individuals being reported."

"Nonetheless, we notified individuals who could potentially have been impacted and took immediate steps to safeguard their information and privacy. Verizon has also notified the FBI of this recent report as a follow-up to the original case." 

Before the customer records were published online, Tibit showed ZDNet a snapshot of some of the data, which appeared jumbled, but was in plain text and relatively easy to understand. It clearly showed account data, including names and addresses, and what appeared to be passwords.

Tibit said the unencrypted customer files were "split up by region," but said that he "won't publish all [of the records] as I believe one region [300,000 records] is enough."

The hacker said that the leaked customer data suggests it came from customers in "Pennsylvania and maybe two more states around it."

"I might leak the rest later," he noted.

While he did not explain the exploit used to acquire the data in full, he said that the company's current security set-up allowed him to "gain root access to the server these files were stored on." He also noted that the exploit "still exists."

"The worst part of it all, every single record was in plain text," he said. "I did not have to decrypt anything." He said he couldn't understand "why they still haven't fixed the exploits," months after informing the company of its poor network security.

Image credit: Sarah Tew/CNET.

Editorial standards