Hacker Steals Database of Hundreds of Verizon Employees

An anonymous reader quotes a report from Motherboard: A hacker has obtained a database that includes the full name, email address, corporate ID numbers, and phone number of hundreds of Verizon employees. It's unclear if all the data is accurate or up to date. Motherboard was able to confirm that at least some of the data is legitimate by calling phone numbers in the database. Four people confirmed their full names and email addresses, and said they work at Verizon. Another one confirmed the data, and said she used to work at the company. Around a dozen other numbers returned voicemails that included the names in the database, suggesting those are also accurate.

The hacker contacted Motherboard last week to share the information. The anonymous hacker said they obtained the data by convincing a Verizon employee to give them remote access to their corporate computer. At that point the hacker said they gained access to a Verizon internal tool that shows employee's information, and wrote a script to query and scrape the database. "These employees are idiots and will allow you to connect to their PC under the guise that you are from internal support," they told Motherboard in an online chat. The hacker said they would like Verizon to pay them $250,000 as a reward. A Verizon spokesperson confirmed the hacker has been in contact with the company.

"A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further," the spokesperson told Motherboard. "As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems."

cheaper than insurance

[kyoko21]

$250k is cheap considering how much they are paying for cyber insurance. Granted, this probably isn't doing their premiums any good when they renew next time around....

Stupid anyway. john.smith@verizon.com = $1,000

[raymorris]

The kid got employee's name and Verizon email address.
In other words, he knows that john.smith@verizon.com is John Smith. No shit, Sherlock. Moron is demanding $1,000 / person for this obvious fact.

When I have a security problem to report, one way I'll try to reach the right person is to look up the name of their director of security and then I just email first.last@company.com and flast@company.com. Because no shit, that's how companies do employee email addresses. That's not a hack; that's a shortcut yo

Re: Stupid anyway. john.smith@verizon.com = $1,000

[NagrothAgain]

They also got the employees' corp ID number, which is likely to be their tax ID number.

"does not include Social Security numbers"

[raymorris]

"the database does not include information such as Social Security Numbers, passwords, or credit card numbers"

Re:

[JackieBrown]

I haven't worked at a place that used SS# for employee numbers in decades. Do you?

Shoot them

[quonset]

he anonymous hacker said they obtained the data by convincing a Verizon employee to give them remote access to their corporate computer.

The employee, not the hacker. This is security circus 101: verify who is asking for access. In fact, Verizon's own website warns their customers about people doing this very thing.

If your own employee(s) fail miserably at this simple task, get rid of them.

Re:

[drinkypoo]

If your own employee(s) fail miserably at this simple task, get rid of them.

But then they would have to pay enough to get people who can think, and that would affect executive compensation.

Re:

[Anonymous Coward]

With all of the internal education on these topics that we had to sit through when I used to worked there...

I figure that all of the silent layoffs that have taken place at Verizon have left it with 3 categories of current employees:

1 - Overpaid management types that are more focused on self-promotion than doing the right thing for the company and the customers

2 - Union members that have contracts that will protect their jobs into the After-Life, assuming they have been on the job for 25 years or more.

3 - W

Just missed the 2022 edition of their DBIR..

[bodog]

Just missed the submission deadline..

https://www.verizon.com/busine... [verizon.com]

But they said our data was safe in the Cloud :[

[takionya]

But they said our data was safe in the Cloud. Why wasn't this data encrypted. With access only granted with the presence of a hardware dongle.[

Phew

[Richard_at_work]

Thankfully, these employees are not classified as NFTs, so no transfer of ownership happened.

When asked to comment, one unnamed employee said "for a moment there we didn't know where we would be working tomorrow, but then someone clarified that what was stolen is unrelated to our status at Verizon, so I guess we keep turning up for work as usual - I was sort of hoping for a better job..."

The real news is...

[Ichijo]

"We do not believe the fraudster has any sensitive information...," the spokesperson told Motherboard in an email..

[The stolen information] could be useful by criminals who want to target the company employees [to gain] full access to systems that could allow them to look up users' information and transfer their phone numbers in what is commonly known as SIM swapping.

So the real news is Verizon doesn't understand why social engineering is so dangerous.

Of course this is the same company that can't even do simple math [slashdot.org]!

They should hire him in IT

[rainer_d]

After all, he got a user to do exactly what It wanted him to do.

Achievement unlocked.