Sometimes it seems like no one's keeping your data safe; this is one of those times. A hacker just leaked 300,000 Verizon customer records, and that's only a sample of the 3 million he claims to have gotten in his little raid.
The hacker, who goes by TibitXimer, told ZDNet about his exploits this evening, despite claiming to have actually executed the attack way back on July 12. TibitXimer says he'd warned Verizon of the exploit he used, but they didn't take any action, so he did and snagged around 3 percent of Verizon's nationwide customer data.
The records include information such as names, addresses, mobile serial numbers, the opening date of each account, and account passwords. And of course, it was all stored in—sigh with me, everyone—plain text. TibitXimer, despite supporting Anonymous, is claiming this hack as his own personal project, and is currently making his mind up about whether or not he'll leak the rest of the data (he decided against it). He described his frustration to ZDNet saying "The worst part of it all, every single record was in plain text. I did not have to decrypt anything."
Will this finally convince everyone to stop storing sensitive information in plain text? Sigh with me again. Probably not. [ZDNet]
Update: Verizon denies that a leak occurred and said the following in an emailed statement:
"The ZDNet story is inaccurate. We take any attempts to violate consumer and customer privacy and security very seriously. This incident was reported to the authorities when we first learned of it months ago and an investigation was launched. Many of the details surrounding this incident are incorrect and exaggerated. No Verizon systems were breached, no root access was gained, and this incident impacted a fraction of the number of individuals being reported. Nonetheless, we notified individuals who could potentially have been impacted and took immediate steps to safeguard their information and privacy. Verizon has also notified law enforcement of this recent report as a follow-up to the original case."
Update 2: Verizon has explained to The Next Web that the data actually came from a third-party marketing firm:
There was no hack, and no access gained. A third party marketing firm made a mistake and information was copied. As for wireless v. wired customers, some of the individuals listed were Verizon customers who are not wireless customers but wired/wireline customers or prospective customers.
So Verizon's servers remained secure, but there is real data out there thanks to someone else's mistake. Where it came from or how TibitXimer (whose Twitter account is now suspended) came across it is still anyone's guess.