Hackers used a software tool to retrieve personal data collected by LexisNexis, Dun &
The personal data was pilfered by the operators of ssndob.ms, a website that has marketed itself on underground cybercrime forums as a reliable and affordable provider of
LexisNexis said Wednesday in a statment that it has contacted the
A LexisNexis spokesman declined to say when the intrusion was discovered or whether the company could assure clients that personal data was not stolen.
Krebs said an
Krebs wrote that "a tiny unauthorized program called 'nbc.exe' was placed on (LexisNexis) servers as far back as
Krebs said the hackers' program was designed to open an "encrypted channel of communications from within LexisNexis's internal systems" to a botnet controller. A botnet is a network of computers infected with harmful software or "malware" and controlled by hackers.
The botnet was tiny, fewer than a dozen computers in "strategically placed" locations, he said.
This summer, ssndob.ms was itself attacked by multiple hackers and its database plundered, Krebs wrote. Krebs said his review of the ssndob database showed that the site's 1,300 customers have spent hundreds of thousands of dollars looking up personal data and obtaining unauthorized credit and background reports on more than 4 million Americans.
Krebs wrote that he traced the sources of the stolen information to the botnet controlling servers at LexisNexis,
What sets this intrusion apart is that hackers were able to infiltrate an internal LexisNexis network and install at least one file within that network, Rasch said.
Also, the hackers were using botnets to pull data from multiple data aggregators, he said. And they were targeting data that is intended to be used for identity theft and fraud.
"The question for LexisNexis is: Can you assure the public that no personal information was taken?" Rasch said.
In an interview with the
This is not the first time LexisNexis has been hacked. In 2005, the company acknowledged that identity thieves misused passwords to tap the personal records of more than 300,000 Americans, fraudulently acquiring data from company databases, according to national reports.
(c)2013 the Dayton Daily News (Dayton, Ohio)
Visit the Dayton Daily News (Dayton, Ohio) at www.daytondailynews.com
Distributed by MCT Information Services