Yesterday, Unu made another posting on the hackersblog website, illustrating a successful compromise of BT.com through the broadband competitor comparison section of their web site, http://www.comparebroadband.bt.com.
The compromise appears to have resulted in the exposure of the personal information of BT customers, password data, email address, credentials for access to further databases and system functions.
Hackersblog contacted BT who, at the time of posting, had removed the sections of the website in question while the code is fixed. They also note BT's politeness and professionalism in dealing with the event.
Unu signs off with a note of caution though, which hints at further compromises to come…
Don't rush to conclusions and start pointing fingers before you see the next articles where we will show similar issues with other large telecommunication providers. As we said earlier, we don't take sides, but rather, want to show that the above mentioned vulns can be found almost everywhere.
For recommendations on password & database security please have a look at the earlier blog article on the Spotify compromise.
The really worrying thing about these sites being found vulnerable is that there is no way to guarantee they haven't already been compromised in the past by less ethical hackers.
UPDATE: According to an article on The Register, BT have stated that this intrusion only affected “a test database” and that “no customer details were released at any time”. Well, I certainly don't have any visibility of which systems or databases were compromised, but I can confirm, through my own research, that the information made visible through the compromise is real, valid and belongs to individuals not directly employed by British Telecom.