From Spam Daily News
Customers of the online payment service iBill have had their names, phone numbers, addresses and e-mail addresses released onto the Internet, where it's been bought and sold in a black market made up of fraudsters and spammers.
Other fields in the compromised files appear to be IP addresses, logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.
The transactions are dated between 1998 and 2003.
Two caches of stolen iBill customer data were discovered separately by two security companies.
Secure Science found the first data file containing records on 18 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme. Secure Science found that data in February 2005, and reported it to the FBI's Miami field office.
Last month, Sunbelt Software found an additional list of slightly over
1 million individual entries on a spamming website. Sunbelt found the file by tracing zombie computers as they connected to the Internet to refresh their list of spam targets.The files appear to have been generated by exporting an SQL database into a CSV format -- a procedure that would be unusually extravagant for a quick, furtive hack attack. Moreover, at 4.5 gigabytes in size, the larger file would have been tough to download unnoticed over iBill's Internet connection.
The breach has all the markings of an inside job, say Lance James of Secure Science and Adam Thomas of Sunbelt Software.
Thomas speculates that an employee or other insider may have simply walked out of iBill with the transaction records to sell on the data black market.
"The fact that a total of 17,781,462 iBill records have been found in the hands of criminal hackers is quite disturbing, be it an inside job or the successful work of criminal hackers," says Thomas.
Because the information didn't include Social Security, credit-card or driver's-license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims.
An FBI spokeswoman says the bureau wouldn't investigate the breach unless the source of the leak comes forward to make a complaint. The stolen data has been on sale since 2003 on a number of boards.
Founded in 1997 by executives of a Florida-based BBS software developer, by 2002 iBill was a big player in Internet billing, processing approximately $400 million in credit card transactions per year, according to SEC filings. The company took 15% off the top in fees. Todd Dugas, a former inside sales representative for iBill, estimates that pornography made up 85% of the business.
NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at