iiNet had 2 security hacks and failed to mention it, users spammed

iiNet is alleged to have attempted to cover up the breach, with an unnamed source forwarding to Australian tech news site Delimiter an internal iiNet email sent by iiNet Operations Centre Supervisor Paul Guidera, which instructed staff to put in place a communications block-out. It is not clear whether this was meant to only apply while an investigation was in place, but iiNet never publicly came forward to announce a breach of its systems.

iiNet declined invitations to respond to the media after allegations of a cover up, and when asked for an official statement about the breach of the systems, we were instead pointed to a comment made by iiNet CTO John Lindsay on Delimiter.

Lindsay’s comments confirm that a breach took place, stating that the attacked gained entry via “an unpatched hole in PHP.”

“Upon finding this, we shut down the forum immediately. No financial information was stored on this database. We didn’t handle the external communications well after this incident, and have made changes to our internal policies,” he said.

According to Lindsay, the forum was not connected to iiNet’s secure network and was a standalone system.

However, Lindsay’s comments also reveal a second security issue that iiNet failed to address. In recent weeks, iiNet users have been complaining on Whirlpool about spam being sent to their iiNet email addresses, even though in many cases, the accounts were never used and the usernames never posted.

An unused iiNet email account confirmed the issue, and revealed that iiNet users had begun to receive spam as far back as August 15 this year, however, it appears that only a subset of iiNet users are affected.

Lindsay confirmed that the breach of the 3FL forum has nothing to do with iiNet customers’ email addresses being harvested by spammers, and suggests that these may have been stolen by exploiting “a PHP mechanism for finding other customer usernames on the customer web server.”

“We suspect this is the likely origin of the mailing list. Many PHP installations allow this access, but we should have closed it off when the system was installed, and we have now.”

iiNet Managing Director Michael Malone has now also responded on Whirlpool, stating that iiNet’s team investigating the issue found “one way that usernames could be listed using a PHP script to do a directory listing.” However, it has not been confirmed as how spammers found customer email addresses.

“There are no logs that this actually occurred, but it does seem the most likely vector, based on the evidence being provided,” Malone said.

Malone also addressed the 3FL breach and the lack of information from iiNet.

“Our response was to take it offline, shut the system down entirely, and ask all registered users to move to games.on.net. That had been the plan, anyway, but this kind of hurried things along,” he said.

“I don’t believe it was adequately communicated at the time, and I apologise for that. Given the lack of evidence of any impact, I still don’t believe that it should have been the subject of a public press release or, more ridiculously, an ASX [announcement]. I do believe that all of the 3FL participants should have been given more information.”