Image: David Paul Morris/Bloomberg via Getty Images
A hacker has obtained a database that includes the full name, email address, corporate ID numbers, and phone number of hundreds of Verizon employees.It’s unclear if all the data is accurate or up to date. Motherboard was able to confirm that at least some of the data is legitimate by calling phone numbers in the database. Four people confirmed their full names and email addresses, and said they work at Verizon. Another one confirmed the data, and said she used to work at the company. Around a dozen other numbers returned voicemails that included the names in the database, suggesting those are also accurate.
The hacker contacted Motherboard last week to share the information. The anonymous hacker said they obtained the data by convincing a Verizon employee to give them remote access to their corporate computer. At that point the hacker said they gained access to a Verizon internal tool that shows employee’s information, and wrote a script to query and scrape the database. “These employees are idiots and will allow you to connect to their PC under the guise that you are from internal support,” they told Motherboard in an online chat. The hacker said they reached out to Verizon and shared the email that he sent to the company.“Please feel free to respond with an offer not to leak you’re [sic] entire employee database,” the hacker wrote in the email, according to a screenshot of it. The hacker said they would like Verizon to pay them $250,000 as a reward. A Verizon spokesperson confirmed the hacker has been in contact with the company. “A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further,” the spokesperson told Motherboard in an email. “As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.”
While the database does not include information such as Social Security Numbers, passwords, or credit card numbers, the stolen information is still potentially dangerous. It could be useful by criminals who want to target the company employees—or impersonate an employee while talking to another one—to get access to internal tools. Such an attack would give the hackers the ability to impersonate Verizon employees and, if they’re able to trick them, have full access to systems that could allow them to look up users’ information and transfer their phone numbers in what is commonly known as SIM swapping.For years, hackers have taken control of victims’ phone numbers, which gives them the ability to reset the target’s email password, for example. That in turn gives the hackers access to the victim’s bank or cryptocurrency account. Hundreds, if not thousands, of people have fallen victim to this kind of hack in the last few years.Law enforcement agencies in the U.S. have arrested and indicted several people who allegedly participated in this kind of hacks, sometimes with the help of company insiders.Subscribe to our podcast, CYBER and to our new Twitch channel.
Do you have information about similar hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email firstname.lastname@example.org