Telstra Leaves BigPond User Details Exposed

On Friday, an unsecured search page left account information for Telstra users completely accessible to anyone who cared to look. The breach was discovered by a Whirlpool user, who came across it simply by searching for a "Bundles" support number on Google provide to him by a customer service representative.

Telstra was quick to shut the page down, along with its email network, which was shuttered for close to 24 hours, according to reports.

While it was active — and at this stage no one is sure who long the page was unsecured for — it was possible to search for customer names, plan details and usernames, comments on specific users and even passwords.

The leak was first identified — almost by accident — in this post on the Whirlpool forums, but it has since spawned its own discussion thread.

The Australian reported that credit card details were also available, but was unable to confirm it, while SMH is saying that credit card data was not only encrypted, but not displayed. Hopefully we'll have clarification on this point in the near future.

A story regarding the incident in the Sydney Morning Herald states that Telstra is investigating the issue and will make the Privacy Commissioner aware of the details. If the Commissioner's views on the Sony data breach from earlier this year are anything to go by, Telstra had best do it sooner rather than later.

It appears some 60,000 account passwords were reset, but I'm sure we've yet to find out the full ramifications of the breach. Let us know if your password was reset, or Telstra has been in contact personally regarding the breach.

[SMH, with The Australian and Herald Sun]

[Thanks to everyone who sent in tips]


Comments

    Telstra was saying on their twitter that no credit card details were open to the public so who knows.
    It kinda took you a long time to get this up on Giz....

    By the response, looks like most Telsta big pond users are still out of action...?

    Darwin is isolated enough without yet another stuff up by Telstra.
    According to news updates the email service is back on line - but all I can see is a request to resend my password - which I have tried several times only to be
    told it is not recognised! How do I change my password other than joining the queue of the other 59,999 who are experiencing the same problem!
    And when will Telstra come clean about just who caused this problem?

    Darwin Is that in sydney?

    is one of the responses i got when i called them when ADSL went down.

    I've since moved.

    to another Isp. :P

    "and at this stage no one is sure who long the page was unsecured for" great english right there!

    First Vodafone, Now telstra, when will companies learn, People's personal details are not secure on online media, sure your server may be secure but all it takes is someone to find one leak, someone guessing a staff's password and it opens a world to a series of crimes, court cases and so on.

      Well no amount of technology can prevent someone from being lax with their personal password, what would you have them do?

    It's quite funny, I read the initial new reports of this, and all of them were very kind and forgiving to Telstra, a big difference from when it happened to Vodafone and they grabbed the flames and pitchforks.

    Every time I hear of a server storing passwords I cringe, every time I hear of large companies doing it I die a little inside.

    Take password, add user name and other static string, SHA512 some number of times, store the hash.
    When someone logs in do the same. No storing passwords EVER. It's not that complicated.

      Yep, actually storing passwords in a recoverable form is 1970s IT security at best...

Join the discussion!

Trending Stories Right Now