A German web-hosting firm has suffered a severe data breach because one of its customers reportedly owed money to the attacker. The company only learned of the breach when the hacker announced it himself, on its support forum.
On Jan. 29, the attacker compromised customer names, company names, various addresses, telephone numbers, DomainFactory passwords, dates of birth, bank names and account numbers, and Schufa scores (German credit score).
However, the company and its customers only learned of the breach six months later, on July 3, when the attacker posted on the DomainFactory support forum to announce what he had done. As proof, he published the data of a number of customers for everyone to see.
The reason behind the attack, according to German news outlet Heise Online, was to obtain the credentials of a customer who owed the attacker money. When he noticed that DomainFactory was reluctant to acknowledge the breach, he decided to make it public.
DomainFactory’s explanation, however, differs a bit. In a forum post, the web hosting firm explains (machine-translated from German):
“The result of an initial investigation was that after a system change that took place at the end of January, certain customer information was unintentionally accessible to third parties via a data feed. This data feed was triggered when customers made changes to their DomainFactory accounts, but they caused system errors when they were saved.”
DomainFactory said it quickly shut down the forum to prevent further access to the leaked data. The firm then hired an unnamed security company to focus additional resources on mitigation.
The firm urges all customers to change their DomainFactory passwords as soon as possible. These include customer passwords, phone passwords, e-mail passwords, FTP / live disk passwords, SSH passwords and MySQL database passwords. Detailed instructions on how to do that can be found here: blog.df.eu/pw.
Update: news story updated to replace “employee” with “customer” in the paragraphs mentioning the reasons for the attack. Thanks to @SecurityCharlie on Twitter for clarifying that.