Hackers reportedly stole the details of 1.5 million Verizon Enterprise customers after exploiting a vulnerability in the company’s website.
Verizon Enterprise Solutions is a division of Verizon Communications that specializes in designing, building and operating networks, IT systems and mobile technologies for businesses and governments.
According to security blogger Brian Krebs, a prominent member of an exclusive underground forum has been offering to sell a database storing the contact information of roughly 1.5 million Verizon Enterprise customers.
The complete database is offered for $100,000, but interested parties can also acquire sets of 100,000 records for $10,000. The seller has also offered information on vulnerabilities in Verizon’s website, Krebs said.
The database is available in multiple formats, including MongoDB. There have been many recent incidents in which misconfigured MongoDB databases exposed large numbers of records containing sensitive information.
Verizon Enterprise representatives have confirmed that their website had been plagued by a vulnerability that allowed hackers to steal customer contact information, but have not specified how many customers are affected. The company noted that the attackers have not gained access to customer proprietary network information or other data. Affected clients will be notified.
“Today’s news highlights how much a priority application security is – particularly managing the web perimeter as this is almost always the easiest way to gain access to a company. It’s encouraging to see that Verizon Enterprise found and remediated the problem so quickly, however, the issue for most companies is the lack of insight into how large their perimeter actually is. In fact, over the last two years, we’ve found more than 350,000 websites that our customers didn’t even know they owned,” Chris Wysopal, co-founder and CTO of Veracode, told SecurityWeek.
“Most companies have a very difficult time managing this issue as it generally falls somewhere between the web team, marketing, regional teams and the security team … and that basically means no one is looking after it. This really is an area where expertise is required and often comes in the form of partnering with experts to manage,” Wysopal added.
Adam Levin, chairman and founder of IDT911, pointed out that it’s ironic how Verizon Enterprise, which usually investigates data breaches suffered by others, has now itself become a victim.
“Because of Verizon Enterprise’s security vulnerability, approximately 1.5 million customers of the company— which include some of the top Fortune 500 companies— are now at the mercy of cybercriminals who can sell stolen customer data on the black market,” Levin said via email. “As Verizon Enterprise is typically the one notifying the public how breaches take place, and the top security experts frequently recommend Verizon’s annual Data Breach Investigations Report, it’s extremely ironic, and unfortunately another sign of our times—as breaches have become the third certainty in life—that Verizon had a security vulnerability on their enterprise client portal. Customers who have been exposed are now prime targets for targeted phishing attacks.”