Information Security News mailing list archives

Hack at Amazon-owned service exposes thousands


From: InfoSec News <isn () C4I ORG>
Date: Mon, 5 Mar 2001 19:46:59 -0600

http://news.cnet.com/news/0-1007-200-5031805.html?tag=lh

By Troy Wolverton
Staff Writer, CNET News.com
March 5, 2001, 4:50 p.m. PT

Amazon.com-owned book service Bibliofind.com restarted its Web site
Monday in the wake of a hacker attack that compromised some 98,000
customer records and forced the company offline.

Waltham, Mass.-based Bibliofind, which links buyers and sellers of
hard-to-find and out-of-print books, discovered last week that a
hacker had broken into its Web servers sometime in October and had
continued to access the company's site since then, Bibliofind
spokesman Jim Courtovich said. The hacker downloaded customer records
from the site, including customers' names, addresses and credit card
numbers, Courtovich said.

In response to the discovery, Bibliofind, a wholly owned subsidiary of
Amazon, shut down its Web site Friday and removed customers' credit
card information and addresses from its servers, he said. Courtovich
declined to say whether Bibliofind had identified a suspect in the
attack, saying only that the company notified the Federal Bureau of
Investigation, which is looking into the matter.

"Bibliofind has just learned of a security violation on its site that
compromised the security of credit card information used on
Bibliofind's servers," the company said in an e-mail message to
customers. "We are working to bring the Bibliofind service back into
operation shortly. We apologize for any inconvenience this may cause
you."

Although Bibliofind has notified credit card companies of the attack,
the company does not have any indication that the numbers have been
used, Courtovich said.

The fact that a hacker had access to Bibliofind's records for four
months without Bibliofind discovering the breach is simply a case of
the company not keeping a good eye on its site, said Richard Power,
editorial director of the Computer Security Institute. With that much
time and access to Bibliofind's systems, the hacker could possibly
have found much more than customer records; he might have been able to
find a backdoor into Amazon.com, Power said.

"It's going to take a while for them to figure out how much damage was
really done and who else may have been compromised by being connected
by their sites," Power said.

Amazon spokeswoman Patty Smith said the Seattle-based e-tailer's
servers were not affected by the attack on Bibliofind. Amazon does not
share customer information with Bibliofind and no Amazon customer
information was compromised by the breach, she said.

"They operate on a different platform than what our server is running
on," Smith said. "The integrity of Amazon's systems was never in
question."

The Bibliofind breach is only the latest in a string of security
breaches at leading e-commerce sites. A breach at Columbia House's Web
site left open some 3,700 customer records last month. And in January,
a security hole at Travelocity.com exposed the personal information of
up to 51,000 customers.

Meanwhile, a breach at Egghead.com in December potentially exposed its
entire database of 3.7 million customers.

By shutting down its Web servers, Bibliofind also closed down access
to Musicfile.com, which shares the same server as Bibliofind.
Musicfile's customer records were not affected by the breach,
Courtovich said. Bibliofind went back online Monday afternoon.

Amazon acquired both companies when it bought Exchange.com in April
1999.

ISN is hosted by SecurityFocus.com