Members of the NullCrew hacker group recently stole and published more than 20,000 Bell Canada customers’ user IDs, encrypted passwords, e-mail addresses and partial credit card information (h/t DataBreaches.net).
In an announcement on its Web site, Bell acknowledged that 22,241 user names and passwords and five credit card numbers of Bell small business customers had been posted online. “The posting results from illegal hacking of an Ottawa-based third-party supplier’s information technology system,” the company stated.
Bell says all those affected have been contacted, and all affected passwords have been disabled. “Bell’s own network and IT systems were not impacted,” the company said.
The hackers, however, told DataBreaches.net that they had leveraged a SQL injection vulnerability on Bell’s own Web site, not at a third-party supplier, to access the information.
As security researcher Adam Caudill points out, they may both be right — the affected bell.ca subdomain points to an IP address registered to Ottawa’s Magma Communications Ltd., a subsidiary of Primus Telecommunications.
Even if that’s the case, as?a commenter at DataBreaches.net put it, “Bell allows this third party hosted server to be used in their network infrastructure, including storing their customers’ sensitive information here — they are responsible for this.”