After hacker disappears from Twitter, Verizon reveals customer data was leaked by a marketing firm

After hacker disappears from Twitter, Verizon reveals customer data was leaked by a marketing firm

Verizon is sharing more details about the alleged leak of customer data that occurred over the weekend. The company still insists there was no breach, but the carrier has now revealed to TNW that an unnamed third-party marketing firm is to blame.

On Saturday, a self-proclaimed hacker leaked some 300,000 records (including serial numbers, names, addresses, date they became a customer, passwords, and phone numbers) which he claimed belonged to Verizon Wireless customers, and then later Verizon FiOS customers. TibitXimer, as he called himself on Twitter, was worried about being banned on the social network for revealing private information, but he has disappeared from the social network.

Although he said he might be suspended, the account is simply not present on Twitter, suggesting he either deleted it or changed his handle. The Pastebin link he used to detail the leak is also no longer working. We are trying to get in touch with him, but in the meantime Verizon has been very willing to share its side of the story.

TibitXimer claims he downloaded an estimated 3 million customer entries from Verizon’s database on July 12, and leaked about 10 percent, or 300,000 of them, after the carrier allegedly failed to respond to his inquiries about its security issues. Again, here is Verizon’s statement about the alleged hack:

This incident was reported to the authorities when we first learned of it months ago and an investigation was launched. Many of the details surrounding this incident are incorrect and exaggerated. No Verizon systems were breached, no root access was gained, and this incident impacted a fraction of the number of individuals being reported. We take any and all attempts to violate consumer and customer privacy and security very seriously, so we notified individuals who could potentially have been impacted and took immediate steps to safeguard their information and privacy. Verizon has also notified law enforcement of this recent report as a follow-up to the original case.

Yet this leaves us with the very big question of where the data came from. An anonymous comment by ” Vzn Customer” suggested that at least some of the leaked customer records are legitimate:

I call BS – If this data isn’t from Verizon servers, why did it match my account number exactly? I found my name and address, and the “phone number” that only exists on Verizon servers because I don’t have a real home phone number.

Security researcher Adam Caudill weighed in on Twitter:

We asked Verizon for more information, and it turned out that Caudill’s theory holds. The company reiterated that its systems were not breached and explained where the data came from:

There was no hack, and no access gained. A third party marketing firm made a mistake and information was copied. As for wireless v. wired customers, some of the individuals listed were Verizon customers who are not wireless customers but wired/wireline customers or prospective customers.

Based on this information, it would appear that TibitXimer may have found the file online and decided to make a bit story out of it. Yet this new tidbit leads to even more questions, the biggest one being: Why did a “third party marketing firm” have access to this data in the first place?

We have contacted Twitter about TibitXimer’s account. We are also in touch with Verizon and will update this article as we learn more.

Update at 8:30PM EST: Twitter told us it does not comment on individual accounts for privacy reasons.

Image credit: Stephen Davies

Read next: VLC for Windows 8 reaches $65,000 funding goal on Kickstarter with five days to spare