Acxiom Hacking Details Made Public

pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged including the background of the alleged hacker and the method used to gather access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom as previously reported, but an employee of a data mining company."


  1. So what? by zifty · · Score: 3, Interesting

    If this wasn't known since December of 2002, what cause do I have not to believe it's been happening everywhere? Being a victim hasn't affected ME yet, once it does, I'll fight the bill, get a new card number, and be on my way. This is relatively meaningless to us.

  2. Keep going by Pig+Hogger · · Score: 5, Interesting

    Keep going at it. Eventually, people are going to be SO PISSED at their personal data being spewed forth all over the place, there will be a terrible backlash that will make the European Data-Protection and Privacy laws seem tame enough...

  3. Employee of Data Mining Company? by perimorph · · Score: 2, Interesting

    This was done by an employee of a data mining company? To gather information about consumers? Hmmmm.. The RIAA has been hiring some of those lately.. This could be a fun little conspiracy...

  4. Re:Question by rainer_d · · Score: 5, Interesting

    According to one of the articles, he broke the encryption on the passwords

    When was the last time you saw an FTP server that allowed you to download its own password file? 1990?
    This is ridiculous - if I encountered one, I'd ask myself if it was a honeypot.

    Also, the various journalists' view (and the subsequent picture created by them for their readers) of "hacking", "cracking", "security" etc. is sometimes so distorted, so far off from the reality of the people more closely involved with the subject, that reading a mainstream-press article about it is often only marginally better than just making up the facts from slashdot postings!

    Rainer

    --
    Windows 2000 - from the guys who brought us edlin

  5. Re:Disturbing by garett_spencley · · Score: 1, Interesting

    I disagree.

    Let's say I have a single lock on the handle of my front door... with no dead bolt. Along comes someone and kicks the door open and proceeds to rob my house. While he's robbing my house he steals a cd that I borrowed from my friend. Are you saying that *I* should be arrested because I failed to install an adequate dead bolt on my front door and thus the robber stole a cd that didn't belong to me?

    What's adequate? Let's say I did install a dead bolt but the robber was sophisticated enough to pick both locks? In this case I shouldn't be arrested because I had "adequate" security and was victimized by a "skilled" robber who had the proper knowledge that surpassed my own in lock technology?

    The fact is that the hacker got a password. It was a weak password, but in my analogy that's the equivalent of having a single handle lock and no dead bolt. He simply kicked the door open. It's still breaking and entering. What happens if the server was "adequately" secured but the hacker managed to gain access via a remote exploit in the FTP server that he himself discovered and no one else knew about? How will the law define that they "adequately" secured the server?

    --
    Garett

  6. jaded by dpletche · · Score: 4, Interesting

    My first inclination was to deplore this latest breach in the handling of our most sensitive personal data by its self-appointed custodians at Acxiom. But after reflecting for a couple hours, I realize that this makes no difference at all. Is this guy in trouble just because he took the data without paying for it? I'm sure that Acxiom could have accommodated him if he had just created his own marketing firm and forked over some $$$.

    "But Acxiom would never sell your most sensitive personal data! They only use it for internal modeling, aggregated statistical profiling, {cancer|AIDS} research, finding loving homes for stray kitties and puppies, etc." Or for sharing with affiliated partners, i.e. anyone who is willing to pay for it.

    If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.

    1. Re:jaded by Anonymous Coward · · Score: 2, Interesting

      If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.

      I don't know about other states, but here in Tennessee, when you fill out a driver's license application/renewal, there is an option to opt out of data sharing by initialing a few boxes on the form. The same option is present on the license plate renewal form they send each year.

      Granted, most people probably skip over it, but if you read the fine print and initial in the right places, the DMV is prohibited from sharing your information with anyone but law enforcement agencies.

      Read those forms! This is especially true with banks and credit cards. All of them are required to give you the option to opt out of data sharing, though the process usually involves sending an extra letter to a special address. It's worth it; doing so will majorly cut back on your financial-related postal junk mail, and also keep you out of a few databases.

  7. Re:ftp server? by DrSkwid · · Score: 4, Interesting

    then you'd like plan9's ftp

    it doesn't even use passwords

    it uses a kind of public key encryption called NetKey

    ftp DrSkwid@plan9ftp
    Welcome DrSkwid to the plan9 ftp server
    challenge : 345345
    response :

    And you have to run netkey locally and encrypt the challenge using your password.
    The server checks to see if its encrypted version matches and if so you're in.

    You can't replay it and good luck cracking it.

    If you don't want to be broken into, don't use insecure things, oh and "root" is considered harmful. If there is nothing to escalate privileges to, then what is the point of that rootkit?

    Makes me laugh people talking security with such a single point of failure waiting for exploitation.

    --
    There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter

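
The netkey exchange DrSkwid describes, as an added example that is not part of the original post or of Plan 9's own code: a challenge-response login in Python, with HMAC-SHA256 standing in for the DES-based netkey transform (an assumption), showing why a captured response cannot be replayed and why the server never needs the password itself. The user name and password are constructed.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str) -> bytes:
    """Turn the password into the key netkey would use (SHA-256 stand-in, assumption)."""
    return hashlib.sha256(password.encode()).digest()


def netkey(password: str, challenge: str) -> str:
    """Client side: 'encrypt' (here, MAC) the challenge with the password-derived key."""
    return hmac.new(derive_key(password), challenge.encode(), hashlib.sha256).hexdigest()


class FtpAuthServer:
    """Server side: issues one-time challenges and checks the responses."""

    def __init__(self, keys: dict):
        self.keys = keys     # user -> derived key; no plaintext passwords stored
        self.pending = {}    # user -> challenge currently outstanding
        self.used = set()    # challenges already consumed, so a replay cannot succeed

    def challenge(self, user: str) -> str:
        c = secrets.token_hex(8)   # unpredictable, so responses cannot be precomputed
        self.pending[user] = c
        return c

    def verify(self, user: str, challenge: str, response: str) -> bool:
        key = self.keys.get(user)
        if key is None or self.pending.get(user) != challenge or challenge in self.used:
            return False     # unknown user, not our challenge, or a replay of a consumed one
        self.used.add(challenge)
        del self.pending[user]
        expected = hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def login(server: FtpAuthServer, user: str, password: str) -> tuple:
    """Run one full exchange; return (accepted, same response replayed accepted)."""
    c = server.challenge(user)   # "challenge : 345345" in the session above
    r = netkey(password, c)      # computed locally; the password never crosses the wire
    return server.verify(user, c, r), server.verify(user, c, r)


if __name__ == "__main__":
    srv = FtpAuthServer({"DrSkwid": derive_key("constructed-demo-password")})
    print(login(srv, "DrSkwid", "constructed-demo-password"))  # (True, False)
    print(login(srv, "DrSkwid", "wrong password"))             # (False, False)
```

The server-side key file is still sensitive: a leaked derived key lets anyone answer challenges, and with the unsalted derivation used here it can also be guessed offline, so it needs the same protection as an ordinary password file.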
  8. That guy is my cousin by Synithium · · Score: 2, Interesting

    The guy they arrested, Dan Baas, is my cousin. This is super funny and not the first time he's been involved in stuff like this.

  9. Re:yeah, that's what they said . . . . by Anonymous Coward · · Score: 1, Interesting

    What is this: anarchist capitalist neo-nazi samurai ninja rebel yapi hippy fighter?

    Fight for my protection?
    I'm not a stupid consumer, I always give as much false information as I can on the internet, and I sure as hell don't give personal data to stupid companies.

    If stupid lusers are damaged by these, I laugh. I support the hackers 100% on this one.