HackrNews

Hackers have posted personal information on 1,200 Ebay customers to an Ebay forum, dedicated, ironically, to fraud prevention. The information was up for around an hour this morning before Ebay shut the forum down and displayed email details, CVV2 numbers, telephone numbers, home addresses and possibly credit card details to visitors.Ebay says the information was not acquired through a breach of its security and suggests it was likely obtained through phishing or account takeovers. The company also says that the credit card details displayed do not match those on either its own or PayPals servers.

The auction site is currently trying to contact the users whose details were posted and the Trust and Safety board on which the information was shown has since been reopened.

“Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users,” the company reports in its blog.

“The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid.”

“We’re in the process of reaching out by phone to these members so that if the information is valid somehow, regardless how this fraudster acquired the information, these members can take the steps they need to take to protect themselves.”

Source: PC Pro UK

Online brokerage TD Ameritrade Holding Corp. announced today that a hacker broke into one of its databases and stole personally identifying information for some of its 6.3 million customers. An online advisory and letters to account holders disclosed that names, e-mail addresses, phone numbers and home addresses were taken in the data breach. Client assets, along with user IDs, personal identification numbers and passwords, were not stored in the compromised database.

However, the advisory noted that it’s unclear if account numbers, dates of birth and Social Security numbers were stolen. The company said there is no evidence that any customers were the victim of identity theft because of this security breach.

TD Ameritrade did not say when the hackers got into the database or how long they remained there.

“While the financial assets our clients hold with us were never touched, and there is no evidence that our cleints’ Social Security numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them,” said Joe Moglia, chief executive officer of TD Ameritrade, in a statement. “We sincerely apologize for that and any added concern this may have caused.”

TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered “unauthorized code” in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system.

Moglia, speaking in an online video-taped message to customers, said he is “confidant” that they have figured out how the information was taken.

“This is an issue of the global e-commerce that will be with us the rest of our lives,” he said in the video message. “You have my promise that we will remain totally committed to protecting the trust you’ve placed in us.”

According to the Privacy Rights Clearinghouse’s list of data breaches, TD Ameritrade lost a backup tape in 2005 that contained 200,000 records. And in December of 2006, a missing laptop contained unencrypted information, including names, addresses, birthdates and Social Security numbers. That incident affected about 300 current and former employees.

Today, the company is telling customers that they don’t have to do anything with their accounts. They can change their passwords, but it’s not necessary, according to an advisory.

Oracle Corp. has published a collection of software patches that address security vulnerabilities in a range of the company’s products, including its database and application server software. As part of this update, it also released a tool designed to ferret out commonly used default passwords that theoretically could be misused by hackers.

Earlier versions of Oracle’s database software included well-known default passwords and user names, for example “scott / tiger”. These accounts are also known to have been created by other software, such as application servers, that interact with the database, said Oracle Security Alerts Manager Darius Wiles

    The password scanner is a SQL (Structured Query Language) script that scans the database and then prints out the names of these well-known accounts if they are unlocked, Wiles said. “This tool is designed to catch those instances and then explain to customers the right thing to do to secure their systems.”The password scanner is a SQL (Structured Query Language) script that scans the database and then prints out the names of these well-known accounts if they are unlocked, Wiles said. “This tool is designed to catch those instances and then explain to customers the right thing to do to secure their systems.”

This page is the home for the Oracle default password list that we have collated. The list can also be thought of as a list of Oracle default password hashes.

The full details of the release can be found from Oracle Here (Oracle Critical Patch Update – April 2006).