Hackers reportedly stole the details of 1.5 million Verizon Enterprise customers after exploiting a vulnerability in the company’s website.
Verizon Enterprise Solutions is a division of Verizon Communications that specializes in designing, building and operating networks, IT systems and mobile technologies for businesses and governments.
According to security blogger Brian Krebs, a prominent member of an exclusive underground forum has been offering to sell a database storing the contact information of roughly 1.5 million Verizon Enterprise customers.
The complete database is offered for $100,000, but interested parties can also acquire sets of 100,000 records for $10,000. The seller has also offered information on vulnerabilities in Verizon’s website, Krebs said.
The database is available in multiple formats, including MongoDB. There have been many recent incidents in which misconfigured MongoDB databases exposed large numbers of sensitive records.
Verizon Enterprise representatives have confirmed that their website had been plagued by a vulnerability that allowed hackers to steal customer contact information, but have not specified how many customers are affected. The company noted that the attackers have not gained access to customer proprietary network information or other data. Affected clients will be notified.
“Today’s news highlights how much a priority application security is – particularly managing the web perimeter as this is almost always the easiest way to gain access to a company. It’s encouraging to see that Verizon Enterprise found and remediated the problem so quickly, however, the issue for most companies is the lack of insight into how large their perimeter actually is. In fact, over the last two years, we’ve found more than 350,000 websites that our customers didn’t even know they owned,” Chris Wysopal, co-founder and CTO of Veracode, told SecurityWeek.
“Most companies have a very difficult time managing this issue as it generally falls somewhere between the web team, marketing, regional teams and the security team … and that basically means no one is looking after it. This really is an area where expertise is required and often comes in the form of partnering with experts to manage,” Wysopal added.
Adam Levin, chairman and founder of IDT911, pointed out that it’s ironic how Verizon Enterprise, which usually investigates data breaches suffered by others, has now itself become a victim.
“Because of Verizon Enterprise’s security vulnerability, approximately 1.5 million customers of the company—which include some of the top Fortune 500 companies—are now at the mercy of cybercriminals who can sell stolen customer data on the black market,” Levin said via email. “As Verizon Enterprise is typically the one notifying the public how breaches take place, and the top security experts frequently recommend Verizon’s annual Data Breach Investigations Report, it’s extremely ironic, and unfortunately another sign of our times—as breaches have become the third certainty in life—that Verizon had a security vulnerability on their enterprise client portal. Customers who have been exposed are now prime targets for targeted phishing attacks.”