FC: Ziff Davis, Playboy websites give up credit card numbers

From: Declan McCullagh (declanat_private)
Date: Tue Nov 20 2001 - 19:04:36 PST


    The Ziff Davis Media address in question that was taken offline but went 
    back up today even after my article appeared:
    http://www.zdmcirc.com/formcollect/ebxbegamfile.dat
    
    ---
    
    http://www.wired.com/news/ebiz/0,1272,48525,00.html
    
        A Tell-All ZD Would Rather Ignore
        By Declan McCullagh (declanat_private)
        2:00 a.m. Nov. 20, 2001 PST
    
        If you subscribe to any of Ziff Davis' computer magazines, you may
        want to double-check your credit card bill next month.
    
        Ziff Davis Media, which publishes such popular tech titles as
        Yahoo Internet Life and PC Magazine, accidentally posted the personal
        information of about 12,500 magazine subscribers on its website.
    
        On Monday, Ziff Davis removed the data, which included hundreds of
        credit card numbers, and said its engineers had taken steps to prevent
        additional security leaks.
    
        [...]
    
    *********
    
    http://www.cnn.com/2001/TECH/internet/11/20/playboy.hacked/index.html
    Hackers access Playboy.com's credit card data
    2001-11-20 15:40:07
    
    NEW YORK (CNN) -- Computer hackers broke into the Playboy Enterprises'
    Web site -- playboy.com -- gaining access to the credit card numbers
    of several customers, a company spokeswoman said Tuesday. The
    company's technology team discovered the breach last weekend before
    the hackers sent threatening e-mails to the company's customers, said
    Playboy spokeswoman Laura Sigman.
    [...]
    
    ---
    Delivered-To: *******@POWERSURFR.com
    Date: Mon, 19 Nov 2001 20:56:23 GMT
    From: hefat_private
    
    
    To: *******@POWERSURFR.COM
    From: Hugh Hefner <hefat_private>
    Subject: ingreslock 1524 security announcement
    
    
    dear user,
    
    
    since the summer of 1998, a shady hacker group known as 'ingreslock 1524' have
    maintained full access to the playboy enterprises inc. (pei) corporate network.
    even when the pei websites were defaced by BoW/H4G1S and were 'secured', we
    retained our full access (no, installing ssh doesn't make you secure).
    
    
    we did have some very big plans to use the hundreds of thousands of customer
    details (names, addresses, order history & credit card information) harvested
    to automatically purchase hundreds of different products from different online
    companies (amazon, barnesandnoble, qvc, yahoo, even playboy) to be sent to each
    playboy customer, thus resulting in over 10 million dollars worth of fraud
    claims being made to credit card and in turn, insurance companies globally.
    
    
    in case you think this is some kind of hoax, we have included your personal
    details below -
    
    
    Name - ******* Credit Card Number & Expiry - *******
    
    
    your details are currently circulating the underworld of anarchists and
    credit card fraudsters, so we highly recommend that you contact your bank
    before much fraud is committed. we have also distributed over a million e-mail
    addresses to marketing and 'spam' organisations, so you will certainly have a
    lot of fun deleting unwanted e-mail into the future!
    
    
    online companies can learn many lessons from this compromise -
    1. do not use the same root or administrative (oracle, webserv, etc.) user
        passwords across different hosts on the same network.
    2. never assume that by installing the latest security patches and installing
        ssh, that you are secure.
    3. do not use insecure authentication methods, including nis, nis+ or .rhosts.
    4. do not protect your passwords with des in your shadow files, use md5.
    
    
    end users can learn an important lesson from this compromise -
    1. do not trust companies with your details online.
    
    
    it's been emotional. we'd like to thank the playboy systems team for providing
    us with an interesting and challenging target. i'm sure that a big security
    company will make easy money auditing their systems and hopefully deploying
    a more secure network - although we'll be back to test it again.
    
    
    - m4rty
    
    
    martyn luther ping
    minister of information
    ingreslock 1524
    
    
    ---
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
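Two of the four lessons in the forwarded extortion note (do not reuse the same root or service-account password across hosts; do not leave DES-crypt hashes in your shadow files) are things an administrator can check for mechanically. The following is an added example written for this archive page, not code from Politech, Ziff Davis, Playboy or the sender of the note. It classifies the hash scheme of each account in shadow-format data from several hosts and flags, first, any account still protected by a 13-character traditional DES crypt and, second, any hash string that appears under more than one account or host, which means the same password (and the same salt) has been copied around. The host names and shadow lines are constructed placeholders in the correct format, not real credentials.

```python
import re
from collections import defaultdict

# Traditional DES crypt: exactly 13 characters from the crypt alphabet, no "$id$" prefix.
DES_RE = re.compile(r'^[./0-9A-Za-z]{13}$')

# Constructed sample shadow data for two hypothetical hosts. The MD5 and DES hash
# values are format-correct placeholders, not hashes of any real password.
SAMPLE_HOSTS = {
    'db1': (
        "root:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:11600:0:99999:7:::\n"
        "oracle:AbCdEfGhIjKlM:11600:0:99999:7:::\n"
        "daemon:*:11600:0:99999:7:::\n"
    ),
    'web1': (
        "root:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:11600:0:99999:7:::\n"
        "webserv:AbCdEfGhIjKlM:11600:0:99999:7:::\n"
        "bob:!!:11600:0:99999:7:::\n"
    ),
}


def classify_hash(field):
    """Return the password scheme used by one shadow password field."""
    if field == '' or field.startswith('*') or field.startswith('!'):
        return 'locked'          # disabled account, or no password set
    if field.startswith('$1$'):
        return 'md5'             # md5crypt, what the note recommends over DES
    if field.startswith('$5$'):
        return 'sha256'
    if field.startswith('$6$'):
        return 'sha512'
    if field.startswith('$2'):
        return 'bcrypt'
    if DES_RE.match(field):
        return 'des'             # traditional crypt(3): 12-bit salt, 8-char limit
    return 'unknown'


def parse_shadow(text):
    """Yield (user, password_field) for each usable line of shadow-format text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(':')
        if len(parts) < 2:
            continue
        yield parts[0], parts[1]


def audit(hosts):
    """hosts maps a host name to its shadow-format text.

    Returns (des_accounts, shared):
      des_accounts: list of (host, user) still using DES crypt
      shared: dict hash_string -> list of (host, user) for every hash that
              appears under more than one account, on the same or different hosts
    """
    des_accounts = []
    by_hash = defaultdict(list)
    for host, text in hosts.items():
        for user, field in parse_shadow(text):
            scheme = classify_hash(field)
            if scheme == 'des':
                des_accounts.append((host, user))
            if scheme != 'locked':
                by_hash[field].append((host, user))
    shared = {h: accts for h, accts in by_hash.items() if len(accts) > 1}
    return des_accounts, shared


if __name__ == '__main__':
    des_accounts, shared = audit(SAMPLE_HOSTS)
    for host, user in des_accounts:
        print(f"DES crypt still in use: {user}@{host}")
    for accts in shared.values():
        print("identical hash shared by: " + ", ".join(f"{u}@{h}" for h, u in accts))
```

The duplicate-hash check is deliberately conservative: because crypt salts are random, two hosts that happen to share a password will normally hold different hash strings, so an identical hash catches only entries that were copied verbatim (cloned images, pasted shadow lines), and the absence of a match is not evidence that passwords differ across hosts.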
    