Porn billing leak exposes 18 million buyers

 
Customers of the online payment service iBill have had their names, phone numbers, addresses and e-mail addresses released onto the Internet, where it's been bought and sold in a black market made up of fraudsters and spammers.

TOP STORIES Government intervenes in warrantless wiretapping lawsuit Commtouch unveils image-based spam defense Verizon sued over NSA surveillance US spy agency building database of every call ever made Email bomber heads back to court Zombie master Jeanson Ancheta sentenced to 5 years in prison New York man to settle in Washington's first spyware case US demand for college wiretaps questioned Russian virus distributor convicted Corporate instant messaging on the rise Court slams former spam king over spyware Hacker charged with stealing information from military MPAA releases new piracy loss data Spam King Alan Ralsky not jailed Consumers in the dark about latest tech buzzwords more

Other fields in the compromised files appear to be IP addresses, logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.

The transactions are dated between 1998 and 2003.

Two caches of stolen iBill customer data were discovered separately by two security companies.

Secure Science found the first data file containing records on 18 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme. Secure Science found that data in February 2005, and reported it to the FBI's Miami field office.

Last month, Sunbelt Software found an additional list of slightly over 1 million individual entries on a spamming website. Sunbelt found the file by tracing zombie computers as they connected to the Internet to refresh their list of spam targets.

The files appear to have been generated by exporting an SQL database into a CSV format -- a procedure that would be unusually extravagant for a quick, furtive hack attack. Moreover, at 4.5 gigabytes in size, the larger file would have been tough to download unnoticed over iBill's Internet connection.

The breach has all the markings of an inside job, say Lance James of Secure Science and Adam Thomas of Sunbelt Software.

Thomas speculates that an employee or other insider may have simply walked out of iBill with the transaction records to sell on the data black market.

"The fact that a total of 17,781,462 iBill records have been found in the hands of criminal hackers is quite disturbing, be it an inside job or the successful work of criminal hackers," says Thomas.

Because the information didn't include Social Security, credit-card or driver's-license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims.

An FBI spokeswoman says the bureau wouldn't investigate the breach unless the source of the leak comes forward to make a complaint.

The stolen data has been on sale since 2003 on a number of boards.

Founded in 1997 by executives of a Florida-based BBS software developer, by 2002 iBill was a big player in Internet billing, processing approximately $400 million in credit card transactions per year, according to SEC filings. The company took 15% off the top in fees. Todd Dugas, a former inside sales representative for iBill, estimates that pornography made up 85% of the business.

UPDATE: Porn biller denies data leak

 
Save to Yahoo! My Web

Submit to Fark

Add to Del.icio.us

Add to Ma.gnolia

Submit to Reddit

Submit to Slashdot

Submit to NowPublic
 

E-mail this story     Printer-friendly version     Bookmark this page