The Register® — Biting the hand that feeds IT

Feeds

Hack on e-commerce co. exposes records for 200,000

'Highly unusual search command'

By Dan Goodin, 4th June 2010
  • print
  • alert

Agentless Backup is Not a Myth

E-commerce company Digital River exposed data belonging to almost 200,000 individuals after hackers executed a “highly unusual search command” against its secured servers, according to a news report.

The breach came to light only after a 19-year-old New York man allegedly tried to sell the purloined data for as much as $500,000, The Minneapolis Star-Tribune reported Friday. After Eric Porat made repeated attempts to persuade a company called Media Breakaway to buy the information, company officials alerted their counterparts at Digital River, the paper reported, citing court documents. A federal grand jury is investigating the matter with help from the FBI.

The data contained names, email addresses, websites, and unique user-identification numbers for 198,398 individuals. It was originally gathered by affiliated marketing companies using software offered by Digital Rivers subsidiary Direct Response Technologies and stored on password-protected servers.

It was stolen in late January using a “highly unusual” search command. The report didn't elaborate.

Porat, who lives at home with his parents, allegedly claimed to offer the data to the highest bidder. He told the CEO of Media Breakaway he obtained it from a former Digital River consultant, who managed to siphon it off the servers when security systems were taken down temporarily.

Orders filed under seal last month block Porat from selling, destroying, altering, or distributing the data. Documents in the case were unsealed on Wednesday, but court documents weren't available online at time of writing. ®

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections
All Reader Comments (15)
Highly Rated
Destroy All Monsters
Reply Icon

But of course

Bobby Tables strikes again.

7
0
Christoph
Reply Icon

Stored queries only

If you need to run any reasonably secure system you should only allow pre-stored queries to be run, with the parameters fully checked.

On things like banking systems even the programmers aren't allowed to generate queries - they can only call stored procedures, written by a different group and *thoroughly* checked.

If you allow the user to generate a query you are handing them the keys and hoping they won't use them.

3
0
Anonymous Coward

Or like % :D

A percentage sign in the right field, perhaps? I suppose blaming the problem on 'OMG haxx0rz!' rather than third-world rent-a-coders doing stuff on the cheap makes more sense from a damage limitation perspective.

3
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
135
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17