Incident

D-Link confirms data breach caused by phishing attack on employee



D-Link, the Taiwanese networking equipment manufacturer, has officially acknowledged a data breach that was linked to information taken from its network and subsequently offered for sale on BreachForums earlier this month.

The breach is connected to an attacker who claims to have stolen both the source code for D-Link's D-View network management software and a substantial volume of personal information belonging to customers and employees, including details pertaining to the company's CEO.

The compromised data reportedly encompasses:

  • names,
  • email addresses,
  • physical addresses,
  • phone numbers,
  • account registration dates,
  • last sign-in dates of users.

The attacker shared samples of 45 stolen records from as far back as 2012-2013, which led to commentary within the forum thread suggesting that the data appeared to be quite old.

The threat actor stated, "I have breached the internal network of D-Link in Taiwan, I have 3 million lines of customer information, as well as source code to D-View extracted from the system. This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company."

The stolen data has been available for purchase on the hacking forum since October 1st, with the attacker demanding $500 for both the stolen customer data and the alleged D-View source code.

Update - D-Link disclosed that the number of stolen records was found to be approximately 700, significantly less than initially reported. The data was not taken from the cloud, but rather originated from a test lab environment of an old D-View 6 system, dating back to 2015. The data mainly consisted of registration information and did not contain user IDs or financial data. However, it did include low-sensitivity and semi-public details like contact names and office email addresses. D-Link also suspects that some of the leaked data, such as last login timestamps, had been altered to appear more recent than it actually was.

D-Link attributed the security breach to an employee falling prey to a phishing attack, which granted the attacker unauthorized access to the company's network. In response to the breach, D-Link promptly shut down potentially affected servers and deactivated all but two user accounts for the purpose of investigation.

While D-Link confirmed the breach, it clarified that the intruder accessed a product registration system within what was described as a "test lab environment."

This registration system ran on an outdated D-View 6 installation that had reached the end of its operational life in 2015. Why an end-of-life server remained operational and potentially exposed to the Internet for seven years remains unclear.
