Hacker claims Comcast breach linked to unpatched Zimbra vulnerability noted by NullCrew
There’s a new claim in the Comcast breach first reported by Steve Ragan. Darren Pauli reports that a hacker claiming responsibility for the breach notes that it was NullCrew’s hack and taunting of Comcast in 2014 that set the stage for the theft of hundreds of thousands of users’ information. Well, that and Comcast’s failure to have patched promptly when a fix for the vulnerability had been issued prior to the hack. And of course, storing passwords in plain text didn’t help.
The hacker, using the handle “Orion,” reportedly told The Register:
“So in 2013 December the f****s at NullCrew came across an exploit for Zimbra which Comcast used at this domain *****.comcast.net ,” Orion says.
“NullCrew only got [about] 27k emails with no passwords lol while I got 800k with only 590k users with plaintext passwords.”
The Zimbra vulnerability that NullCrew allegedly exploited, CVE-2013-70911, had been disclosed in December, 2013, and a fix was already available prior to the hack.
The Comcast hack was first disclosed on Twitter in February, 2014, as I had reported here. At the time, Comcast did not seem to respond immediately to the claimed hack, and Violet Blue noted that the lack of immediate response might have consequences:
During that 24 hours, Comcast stayed silent, and the veritable “keys to the kingdom” sat out in the open internet, ripe for the taking by any malicious entity with a little know-how around mail servers and selling or exploiting customer data.
Comcast customers have not been not told to reset their passwords. But they should.
Violet Blue’s comments seem spot on, as Orion claims to have taken advantage during the period that Comcast did not respond to the February 6 announcement by NullCrew. And unlike NullCrew, who seemed more interested in embarrassing companies and making a point instead of actually stealing tons of data and misusing it for commercial gain, Orion may have had a different intent.
Whether “Orion’s” disclosure and claims pose additional problems for Timothy French, now in federal prison awaiting trial for his hacking activities with NullCrew, remains to be seen, but the claims call into question Comcast’s statement that they were not responsible for the breach and that perhaps their customers had downloaded malware from somewhere. If Orion’s claims are accurate, Comcast would appear more responsible for failure to fix the Zimbra vulnerability and failure to respond faster when NullCrew taunted them and then started posting some data to show that they had access.
So yes, Comcast may not have had a recent hack/breach of their system that accounts for a lot of the stale data for sale, but they may have been more responsible than they have acknowledged so far.