CORR and UPDATE: Nl: E-mail via Dutch KPN suspended after data theft
Hundreds of clients of Dutch telecomprovider KPN are still unable to use their e-mail accounts after servers at the company were hacked.
Unknown digital intruders stole personal data such as user names, home addresses, phone numbers and bank account numbers. A list with the names of 500 KPN users was posted on file sharing site Pastebin, presumably by the hackers.
As a precautionary measure KPN then disabled some 2 million accounts of private users, cutting them off from their e-mail and their personal webpages. On Saturday morning KPN announced that its clients’ ability to send messages would be restored in the course of the day, but incoming mail would remain blocked for security reasons.
Read more on ExPatica. The Pastebin dump that I saw, which appears to be a re-posting on February 10, contains records on 537 customers and is prefaced by a comment that Google translates as “KPN insists: No customer data stolen.” I do not see any bank account numbers in the paste. Previous pastes and proof of hack were not accessible on Pastebin as of the time of this posting. (Update: see correction at bottom of this post)>
Royal KPN NV was aware of the hack on January 27 but reportedly decided not to inform the public so as not to interfere with the criminal investigation (see their news updates, which are translated here). Fred Pals of Bloomberg Businessweek reports that they are now under investigation for their security:
Opta, the Dutch telecommunications regulator, will investigate whether KPN has done enough to protect the data, Cynthia Heijne, a spokeswoman for the Hague-based Opta, said by phone today. “This is standard procedure when such an event happens.” The public prosecutor has also started a probe, spokesman Wim de Bruin said by phone.
In this case, “standard procedure” should lead to some follow-up as there was a lot of data – including passwords – stored in plain-text (update: that is still true, regardless of whether the data were from Baby Dump). Chester Wisniewski of Naked Security provides an analysis of the plain-text passwords exposed. Chester writes:
What did I find? The average password was 8.3 characters long and most of them abysmally weak. The shortest password was only 4 characters, while the longest (2) were 13 characters.
Password complexity isn’t really the problem in this case, rather it is not having your password database stolen to begin with.
No matter how long your password is it does you no good if it is stored in plain text and stolen by a cybercriminal.
But what motivated this particular attack? Most of the coverage is, predictably, in Dutch. You can find links to a number of news sources on vRRitti.com. Here’s an English-language recap of an interview with the hackers. From what’s provided and from translated snippets of other coverage I’ve been reading, this does not sound like a politically motivated attack but one intended to explore and then expose inadequate security. It’s also not yet clear (to me, anyway) how much data was actually acquired by the hackers.
Update: Thanks to @FBorgesius who pointed me to an article that claims the data in the paste I saw were not from the KPN breach but were from another data leak involving a firm that sells baby items. The Baby Dump leak reportedly affected 134,000. According to one of the hackers involved in the KPN attack, those data have not been dumped on the Internet at this time.