The Romanian cyber security company Bitdefender recently acknowledged that “a very limited number” of its customers’ usernames and passwords were exposed due to a security issue with a single server (h/t Softpedia).
The company was quick to stress in an emailed statement that “the server was not penetrated, but a vulnerability potentially enabled exposure of a few user accounts and passwords.”
“The issue was immediately resolved and additional security measures were put in place in order to prevent it from reoccurring,” Bitdefender said. “As an extra precaution, a password reset notice was sent to all potentially affected customers, representing less than one percent of our SMB customers.”
“This does not affect our consumer or enterprise customers,” the company added. “Our investigation revealed no other server or services were impacted.”
Bitdefender chief security strategist Catalin Cosoi told PCWorld that the vulnerability was the result of human error — a single server had been deployed with an outdated software package containing a known vulnerability.
Still, Travis Doering and Dan McPeake of Hacker Film Blog last week noted that a hacker using the handle DetoxRansome had contacted Bitdefender demanding $15,000 to protect the disclosed credentials — “i want 15,000 us dollars or i leak your customer base,” the hacker tweeted on July 24, 2015.
The following day, DetoxRansome published a list of plaintext usernames and matching passwords for more than 250 active Bitdefender accounts at pastee.org, many of which Doering and Bitdefender were able to confirm as active accounts.
On Tuesday, July 28, 2015, DetoxRansome claimed to have used some of the usernames and passwords to access several Bitdefender customers’ enterprise security solutions pages.
Fortscale CEO Idan Tendler told eSecurity Planet that the presence of employee usernames and passwords from Bitdefender customers in the stolen data is of particular concern. “Hackers using stolen credentials are responsible for over 80 percent of all data breaches,” he said.
“Hijacked employee credentials make it very difficult for traditional security solutions to detect whether an employee’s actions are actually being perpetrated by that employee or by an outside source,” Tendler added. “Moving forward, Bitdefender customers will need to maintain vigilant monitoring of their employees’ behavior to identify suspicious activity and mitigate any further repercussions.”