Slashdot Mirror


ISP Emails Customer Database To Thousands

Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."

4 of 259 comments

  1. They shouldn't even have the passwords by danlip · Score: 5, Informative

    I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

    Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.

  2. Anyone else with horror stories with Demon? by Fredde87 · Score: 4, Informative

    I would love to see Demon crash and burn. The most horrible company to deal with. We run a lot of our customers' email and domains. We used to buy the domains through Demon, then one month they forgot to send us a renewal bill for one of our many domains. Instead of calling us or emailing us like a normal company to check why we hadn't paid, they decided to suspend all of our domains for this one outstanding bill. We finally got the missing bill in the post a few days later, dated the same day that they suspended all of our accounts. Then the same thing happened a second time a few weeks later. Obviously after the first time we asked them to double check that there were no more outstanding bills we hadn't received, and they assured us that we were all up to date. Turned out they missed one of our accounts when they checked. Awful company to deal with in general; any DNS changes to a domain have to be done via fax on a letter with the company's header. Seriously? A large ISP like Demon can't make DNS changes over the phone/email or even have a management site online where the customer can change this? Of course they refused to give us our AuthInfo codes when we requested them. They said we could not get them for 6 months as we had just bought the domains. Turned out that when they "suspended" our domains they actually just cancelled all of them and then put them through as new orders to reactivate them. Finally got the AuthInfo code but had to put through the cancellation first, which was scary to do as I had a feeling they were just going to cancel it and give us the AuthInfo code at the same time as they removed all our DNS records from their NS server. Luckily the move went through smoothly. Now with Zen and 1&1, which in comparison are top notch. All of this for a stupid outstanding amount of £12 renewal fee for 1 domain. Our customers ended up having 3 days of no email or web services. Thank you and goodbye Demon!

  3. Passwords are needed - CHAP by mortonda · Score: 4, Informative

    I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

    While having it in an Excel document is inexcusable, there is a real reason why passwords are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the RADIUS server, which can then look up the salt, hash it, and then verify the password.

    However, since this means sending passwords in the clear, most modem concentrators (most ISPs resell for a handful of large telcos that operate the modems nowadays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the RADIUS server. In order for the RADIUS server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.

    That said, it should be stored in a hardened and dedicated server that only handles the storage (SQL or LDAP) and the RADIUS server. Any billing interaction should only be to update the password, never to read. And it should never be put into an Excel or Word doc!
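    An added illustration of the point made in this comment (example code, not from the article or any commenter): a minimal model of both checks, assuming constructed sample values. The CHAP computation follows the MD5 algorithm of RFC 1994; RADIUS attribute handling is left out.

```python
import hashlib
import hmac
import os

# Constructed sample values for the walk-through (not from the article).
SECRET = b"customer-password"                                    # what the subscriber knows
CHALLENGE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")   # random bytes the NAS sends
IDENT = 7                                                        # CHAP Identifier byte


def chap_response(ident, secret, challenge):
    """CHAP (RFC 1994, MD5): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(stored_secret, ident, challenge, response):
    """Server-side check. It must recompute the MD5 from the *cleartext*
    secret, so a salted one-way hash of the password cannot stand in for it."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_enroll(password, salt=None):
    """With PAP the password itself arrives, so the server can keep only a
    salted, slow one-way hash (PBKDF2 here) and never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def demo():
    # 1. CHAP round trip: client answers the challenge, server checks with the secret.
    resp = chap_response(IDENT, SECRET, CHALLENGE)
    chap_ok = chap_verify(SECRET, IDENT, CHALLENGE, resp)
    # 2. PAP: server holds only (salt, hash) and can still verify the password.
    record = pap_enroll(SECRET, salt=b"\x00" * 16)   # fixed salt keeps the demo deterministic
    pap_ok = pap_verify(record, SECRET)
    # 3. The comment's point: a server that kept only the PAP-style hash cannot
    #    complete a CHAP exchange, because the hash is not the secret.
    chap_from_hash = chap_verify(record[1], IDENT, CHALLENGE, resp)
    return {"chap_ok": chap_ok, "pap_ok": pap_ok, "chap_from_hash_only": chap_from_hash}
```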

  4. Re:To err is human... by mortonda · Score: 4, Informative

    Unfortunately, that's not the case. CHAP authentication requires cleartext passwords to be stored. See my other post.