iBill leaks 17,000,000 customer records
iBill leak info found via Boing Boing
iBill, a company that handles credit-card transactions for porn sites (and others) has leaked the personal information of 17 million customers, information that’s being used by phishers, mortgage companies, and others:
Independently, Wired News found that entries from the smaller cache are listed as mortgage leads on a spammer community site, specialham.com. (The website’s homepage offered no contact information and Wired News was unable to reach the registered owner of the domain, one “Juice Wobble.”) This suggests that the database was marketed as a lead list for outside businesses. “I can attest to the fact that this goes on with phishing groups,” says James. “They break in and steal leads and then sell those leads to (black market) leads companies, who resell them to legitimate companies, and sometimes the same companies they stole them from.”
“The fact that a total of 17,781,462 iBill records have been found in the hands of criminal hackers is quite disturbing, be it an inside job or the successful work of criminal hackers,” says Thomas.
Link for full article at Wired
Update! – A day after posting the info here, there appears to be a rebuttal… From AVN Online:
DEERFIELD BEACH, Fla. – Despite a salacious March 8 report by Wired that two lists containing personal information from more than 18 million former iBill clients escaped into the wild, both the Federal Bureau of Investigation and the beleaguered payment processor say there’s nothing to worry about.
The lists contain names, phone numbers, addresses, e-mail addresses, Internet IP addresses, and credit card types, and although they appear to be from online transactions, no one yet has been able to tie them to iBill. Seemingly, no one is trying.
“[We’re not looking into it] because the information is two to three years old. It’s too old for us to be able to investigate. No one keeps records for that long,” says Special Agent Judy Orihuela, a spokeswoman for the FBI’s Miami Division. “We gave [the list] to iBill, and they are the ones who have to look at it to determine whether it was valuable or not.”
Apparently, it is not.
“This leak, as far as we’re concerned, is total bullshit. There is no documentation,” says Gary Spaniak Jr., president of IBD, the parent company of iBill.
San Diego-based Secure Science Corporation, a technology firm specializing in protecting online assets, reportedly discovered the first list, which contains 17 million records, on a website set up by scammers. The list reportedly was discovered in February 2005.
The FBI learned of the list two weeks ago, according to Orihuela. iBill first saw it on Wednesday.
“Basically, it’s an Excel spreadsheet with names, addresses, and supposed IP addresses. Then it says the date and [type of credit card]. There’s no card information, no social security numbers, no nothing,” Spaniak says. “The only thing on the entire list [to link it to iBill] is in the upper left corner: One of the boxes has the word iBill in it.”
The list contains listings for Diner’s Club and Chinese credit cards, two forms of payment iBill never processed, according to Spaniak.
Before receiving a copy of the list from the FBI, iBill received an offer of help – for a fee – from Secure Science.
“In my mind we were blackmailed,” Spaniak says. “They said, ‘We found this information, and we can help [you] not have this information ever get out again. Hire us,’” Spaniak says. “My attitude is ‘No, we don’t have any data leaks. I don’t need to pay somebody.’”
Secure Science did not return a request for comment.
The second list, containing more than 1 million entries, reportedly was found on a spamming site last month by Clearwater, Florida-based anti-spyware firm Sunbelt Software.
Representatives from Sunbelt also failed to return a request for comment.
Admittedly, the current iBill can’t guarantee the lists didn’t originate from the company’s previous owners. In fact, there have been rumors that “iBill lists” were floating around the online adult world for years.
“What was always talked about, but never really proven, is how the sales guys at iBill were selling the iBill email lists out the back door,” says a rep for another billing company.
InterCept Payment Solutions sold iBill to Media Billing, a Penthouse company, in March 2004, while iBill was in serious financial debt and being sued by its own shareholders. In January 2005, IBD finalized the purchase of iBill and Media Billing from Penthouse.
The representative from another billing company says the rumored back-door sales were happening even before the InterCept era, when iBill was owned by its founders.
In the present, iBill claims to have no security issues.
“First of all, we have a brand-new, state-of-the-art Cisco firewall system,” Spaniak says. “We have data officers. There’s no way for this information to get out. Not one employee in the company has the ability to print a list like this.
“We went through a Visa inspection less than six months ago,” he adds. “We passed with flying colors.”
So what’s next? The FBI’s Orihuela says there is nothing for the FBI to investigate, so apparently lawsuits are all that remain to mark the passing of what iBill and the FBI consider a non-event. iBill plans to file suit against Secure Science, Sunbelt, and Wired, Spaniak says.