Slashdot Mirror

← Back to Stories (view on slashdot.org)

Telstra BigPond Passwords Leaked

Posted by ryuzaki0 on from the change-yer-passwords dept.

Lord Cyric writes: "Telstra, DownUnder's biggest and baddest telco, has had a major security breach yesterday when a sample of its BigPond Internet password list was posted on various newsboards. The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax. This hack exposes the passwords for most of Telstra's Internet services (dialup, cable & ADSL). With all the bad press Telstra has been receiving lately over it's shoddy ADSL rollout and download caps, they certainly didn't need this ..." This site is not exactly the Telstra P.R. department.

16 of 97 comments (clear)

  1. their security is a joke... by Anonymous Coward · · Score: 3
    I am a former employee of Telstra and I worked in their internal web development department. I have to say, as far as desktop PC's go, there's not any major security. People just come in fiddle with hardware and just leave.

    When someone has a problem they get person who looks good from 2 cubicles down to fix it and he/she just screwes up half the settings and services on the machine which compromise the security.

    Leave your housedoor open and intruders come in.

  2. Re:this is crazy by unitron · · Score: 3

    There seems to be a higher rate of crack-smoking moderators lately, but that's probably not related.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  3. Calm down people by hayden · · Score: 4

    Before I start I'll just say I am a Bigpond Cable subscriber.

    With out more info there is no way of knowing if this is a crack or PEBCAK. It's entirely possible that this was done with social engineering or trojan(s), not a 1337 4ax0r. So far all that's known that 70 accounts were comprimised by some method.

    To put it in perspective, recently somebody sent an email to a large number Bigpond users pretending to be from Telstra asking them for their password and credit card number just so they could check their records. A depressing number of people replyed. We're not talking about the most security literate people in the world here.

    Telstra uses pretty much standard PPPoE for ADSL although they do use the ADSL modems that had the security problem a while back.

    We've also heard that Telstra has already caught the person responsible.

    BTW the "Australian Broadband Users Group" are widely regarded among Australian broadband users to be a bunch of self-important tools who are pretty much out to make themselves look big. The only guy who's worth listening to is they guy that runs www.whirlpool.net.au The rest are just dead weight.

    --
    Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
  4. Thanks Telstra! by wct · · Score: 4

    As a BigPond ADSL user I have much to be thankful for. Thanks for the two-weeks downtime last month, changing the user agreement on download restrictions after the contract was signed, and forcing me to call every 4 days to reset my account when an authentication error on your end hangs the connection.

    But most of all, thanks for leaking the account passwords through poor security and having the foresight to keep the server down right now so I can't change mine.

  5. Which is why as a sysadmin by Velox_SwiftFox · · Score: 3

    I prefer to not know user's passwords. If they forget them I replace the password with one thay have to change immediately, with automatic checking for crackable ones.

  6. Re:Telstra in denial by szcx · · Score: 4
    To be more accurate, they're blaming user stupidity. They're saying that a password-ripping trojan is responsible (which is entirely possible).

    From NineMSN;

    Telstra retail corporate affairs manager Stuart Gray said the virus, which operated on broadband users, collected the user names and passwords, automatically sending them back to the person who had activated the virus.

    "BigPond has not been hacked. What has happened is a Trojan virus has been lodged on a number of BigPond users," he told AAP tonight.

    Mr Gray said the hacker responsible had placed the user names and passwords of 69 BigPond customers on websites.

    BigPond had contacted the customers, changing their passwords and closing down their sites so other people couldn't use their names.

    The virus had been found on the websites of the customers contacted.

    "It's a real warning for broadband customers how important it is for them to have the latest anti-virus software and firewall software and protect themselves as much as possible," he said.

    Telstra is evil, but this looks more like the work of idiot users.

    Keep the pitchfork and flaming torches handy though, they'll fuck up sooner or later.

  7. Who wants the pass anyway.... by Bryan_Crowl · · Score: 4

    with only 3 gigs a month (upstream and down) the adsl and cable *unlimited* accounts are just about useless. Maybe this will force someone in the Government (who still own 51% of telstra) to do something.

    --
    Someday, we'll look back on this, laugh nervously and change the subject.
  8. What they've been saying by bonoboy · · Score: 3

    Telstra's claiming that the 96 passwords published represented the entire list, not a sample. They've cancelled all the accounts concerned and re-provisioned (translation: re-generated random passwords) and contacted everyone concerned. They're saying it was the result of a trojan, which they've found installed on every one of the users' devices.

    On some of the Australian mailing lists, we've had individuals claiming that whatever it is, it must be Telstra's fault. Come on, they're not particularly nice guys as far as responsible corporations go, but poor security must be the fault of the software vendors and lack of vigilance on the users' parts.

    Just trying to install some sanity before all of this stuff gets repeated here once again....

    --
    toeslikefingers.com - because
  9. Not a hoax? by wolvie_ · · Score: 5
    The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax.

    What? The site which originally broke the story (CORE) have now posted another article saying Telstra's servers were probably not cracked. Specifically:

    Sub7 or some other "netbus" program has been used to leech the accounts of the users machines. This is at the moment the scenario I favour...

    Sure, Telstra fucked up their ADSL network and extremely pissed off many users with their download caps, but there isn't proof yet that they screwed up on this too.

  10. liable? by rneches · · Score: 5
    Does the law in Australia allow companies to be held liable for breaches in security? It seems to me that it would be bad faith at the very least. On the other hand, I can't think of an example where a company
    • had crappy security
    • got hacked, hurting their users and customers in a tangable way
    • were sued by thier customers
    • lost/settled with their customers
    As far as I can tell, the hackers are the ones considered culpable, not the incompitant admins who let them in. Is there a legal basis for this, or is it just the way things work? Or am I being paranoid?

    --

    --
    In spite of the suggestions and all the tests that I have made, I have not cavato a spider from the hole.
  11. Re:routine changes by ckedge · · Score: 3

    Allright, I'll bite.

    What specific circumstances does "changing passwords regularly" protect against?

    Assume that my passwords are all "very strong", they are not written down anywhere, and they're never transmitted in the clear over an un-secure network.

    The only circumstance I can forsee this "helping" with (besides idiotic ones like people loosing the pices of paper they have their passwords written on), is where it's already in the hands of a "criminal". But AFAIK if someone already has a single user account, further user accounts (existing and specially-created) and the root account isn't far behind.

    Can anyone point me to a scholarly analysis of the exact merits of regular password changing?

    Why? Because I don't do it. If I were, with 20 different passwords and all of them of the "Strong" type, I'd be forced to write them down, or spend hours and hours figuring out 'mind games' to try and remember them, and even worse it would (and did in past years) result in an ever increasing number of "confused and forgotten" passwords. (Frequently occurs within 1-2 weeks of a change, when you just happened to not use that account, and so now you're mind is groping in among not only all your current passwords but the previous 1-3 rounds of passwords, and suddenly you're screwed. No fun.)

  12. And the luck 69 users are... by 0x00 · · Score: 3

    This is the forum where the usernames were posted. Apparently it only affects teltra bigbond ADSL users.
    --
    0x00
    l33t cl0wnZ

  13. Telstra in denial by James+Foster · · Score: 4

    As you can read here Telstra are in fact denying any crack taking place. They're blaming it on the users!

  14. Re:And... by Scoria · · Score: 3

    I forgot:

    The proper encryption method would be double ROT13. Then they could sue under the DMC... wait, too bad Australia isn't the the United States, eh Telstra? ::sigh::

    --
    Do you like German cars?
  15. telstra's problem has been solved by circletimessquare · · Score: 4

    luckily telstra has embraced the obvious future of authentication on the internet and decided on a unilateral capitulation to microsoft's passport service. resistance is futile! duh!

    all of their subscribers have been sent an email saying to get a new user name and password by just sending the following simple http request to www.passport.com ;-)

    GET /default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801% u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801% u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff% u0078%u0000%u00=a HTTP/1.0

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  16. Not a Hoax by justinf · · Score: 4

    There is a good article, and a good discussion thread available at http://www.whirlpool.net.au. It outlines the fact that the passwords would never be stored in plaintext (the passwords are stored on industry-standard enterprise servers), and that many of the released passwords were extremely strong (suggesting the passwords were not cracked).

    It seems only natural to assume someone has spent some time collecting logins and passwords via another method, and is posting their results with the view of creating FUD over Telstra's service. Just because 69 passwords have been obtained, doesn't mean there exists a vunerability for the tens or hundreds of thousands of subscribers of the service.

    I don't particularly like Telstra, nor do I use their internet, but I dont believe they are this stupid.