Wednesday, September 23, 2009

EXCLUSIVE: Demon Internet/Microgen distributes 3000+ usernames and passwords

This morning, it appears that Demon and/or a third-party supplier have committed a serious security breach. An email has been sent out relating to Demon's new e-Bill system, which is provided by a company called Microgen. The email advises what appear to be business customers of their new usernames and passwords for the system and states:
"We have attached an easy guide on how to access your documents."
Sadly, they also included another attachment along with the "easy guide on how to access your documents". It's a comma-separated values (CSV) file called thurs.csv which contains 3681 customer records detailing, amongst other things, names, phone numbers, email addresses, and user IDs and passwords.

These include gov.uk accounts such as the Foreign and Commonwealth Office, the Audit Commission, and a large number of local councils. Someone using the details would, potentially, be able to log in to the billing set-up for these organisations and gain detailed sensitive information.

I believe the phrase "whoops" applies.

I am currently trying to contact Demon about this, and have spoken to Microgen and am waiting for a callback. I am still trying to establish if this cock-up occurred on the Demon or the Microgen side.

UPDATE: The above has been corrected as the "easy guide" was also attached and this file appears to be an additional attached file.

Update II @ 10:06am: Microgen are currently looking into this with Demon.

Update III @ 11:45am: The Register is reporting that Demon are changing people's usernames and passwords.
