Verizon Communications has revealed an attacker exploited a security vulnerability on its enterprise client portal to steal the contact information of 1.5 million enterprise customers.
Brian Krebs of Krebs on Security discovered the attackers selling the database on an online black market.
The seller priced the entire package at US$100,000 (A$132,535), but offered to sell it off in parts of 100,000 records for US$10,000 apiece, according to Krebs. The seller also was offering information on security vulnerabilities found on Verizon's website.
The company said the attacker did not gain access to customer proprietary network information (CPNI) or other data.
CPNI is the information that telephone companies collect including the time, date, duration and destination number of each call and the type of network a consumer subscribes to.
Verizon said it was aware of and had fixed the vulnerability when Krebs alerted the telco to the security issue. It is yet to reveal details of the vulnerability.
It said no consumer customer data was leaked, and it is currently notifying customers impacted by the breach.
The attackers “apparently offered to sell information about vulnerabilities within the website. This initially leads me to believe that the most likely cause of the break-in was probably a SQL injection vulnerability,” said Deral Heiland, global services research lead at security and analytics firm Rapid7.
“If [database platform] MongoDB was being used, this is known as a NoSQL database and traditional SQL injection attacks will not work, although NoSQL databases are still subject to injection attacks, which can be leveraged to extract data from the MongoDB.”
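The injection risk Heiland describes for MongoDB-backed applications comes from query filters built directly out of parsed JSON: a request value that the developer expects to be a string can instead arrive as an object carrying a query operator, which silently widens the filter. The example below is added here to illustrate that mechanism and its mitigation; it is not code from the article, from Verizon or from Rapid7. It uses a constructed in-memory record set and a tiny matcher that understands only plain equality, `$eq` and `$ne`, standing in for the database so the block runs offline; the `account` field and the sample records are assumptions.

```javascript
// Added example (not from the article or from Verizon): how a document-database
// filter assembled from untrusted JSON can be widened by operator injection,
// and how a type-validated builder and a request-body check prevent it.
// No real MongoDB is involved; matchesFilter() is a minimal stand-in.

// Constructed sample records standing in for a customer-contact collection.
const CONTACTS = [
  { account: "acme-001", email: "it@acme.example" },
  { account: "globex-002", email: "ops@globex.example" },
  { account: "initech-003", email: "sec@initech.example" },
];

// Minimal stand-in for the database's filter evaluation. It supports exact
// equality, {$eq: v} and {$ne: v}, which is enough to show the problem.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return doc[field] !== cond.$ne;
      if ("$eq" in cond) return doc[field] === cond.$eq;
    }
    return doc[field] === cond;
  });
}

function find(filter) {
  return CONTACTS.filter((doc) => matchesFilter(doc, filter));
}

// Vulnerable pattern: the parsed request body is dropped straight into the
// filter. A body of {"account": {"$ne": null}} turns the lookup for one
// account into "account != null", which every record satisfies.
function buildFilterUnsafe(body) {
  return { account: body.account };
}

// Hardened pattern: insist on a primitive string matching the identifier
// format, so objects and arrays (the only carriers of operators) are
// rejected, and wrap the value in $eq so it can only ever be compared as a value.
function buildFilterSafe(body) {
  const account = body.account;
  if (typeof account !== "string" || !/^[a-z0-9-]{1,64}$/.test(account)) {
    throw new TypeError("account must be a short string identifier");
  }
  return { account: { $eq: account } };
}

// Defensive check usable at the request boundary or in logging: any key that
// begins with "$" anywhere in a JSON body is a query operator and has no
// business arriving from a client.
function containsOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKeys);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([key, inner]) => key.startsWith("$") || containsOperatorKeys(inner)
    );
  }
  return false;
}

// Convenience wrappers returning the matched records for each builder.
function lookupUnsafe(body) {
  return find(buildFilterUnsafe(body));
}

function lookupSafe(body) {
  return find(buildFilterSafe(body));
}
```

With a well-formed body both builders return the single matching record; with the operator-carrying body the unsafe builder returns the whole collection, while the safe builder refuses the request and `containsOperatorKeys` flags it for the access log. The same type check belongs on every field that reaches a query, not only on identifiers.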
Krebs noted in his post that the underground online forum offered the Verizon database in multiple formats, including MongoDB.
“So it seems likely that the attackers somehow forced the MongoDB system to dump its contents,” he wrote.
While the perpetrator may not have been able to pilfer Verizon Enterprise's most sensitive customer information, the stolen contact information would allow cyber criminals to launch phishing attacks against employees at affected organisations.
“Customers who have been exposed are now prime targets for targeted phishing attacks. They must be careful not to click on suspicious links or authenticate themselves to anyone who contacts them, lest they become unwitting co-conspirators in the theft of their own identities,” said Adam Levin, chairman and founder of identity protection firm IDT911.