Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month.
The attacker claims to have stolen source code for D-Link’s D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company’s CEO.
The stolen data allegedly includes names, emails, addresses, phone numbers, account registration dates, and the users’ last sign-in dates.
The threat actor provided samples of 45 stolen records with timestamps between 2012 and 2013, which prompted another participant in the thread to comment on the fact that the data looked very old.
“I have breached the internal network of D-Link in Taiwan, I have 3 million lines of customer information, as well as source code to D-View extracted from system,” the attacker said.
“This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company.”
The data has been available for purchase on the hacking forum since October 1st, with the threat actor demanding $500 for the stolen customer information and the alleged D-View source code.
Data stolen from a “test lab” system
D-Link said the security breach occurred due to an employee falling victim to a phishing attack, granting the attacker access to the company’s network.
In response to the breach, the company immediately shut down potentially impacted servers and disabled all but two user accounts used during the investigation.
While it confirmed the breach, D-Link specified that the intruder accessed a product registration system within what it described as a “test lab environment,” operating on an outdated D-View 6 system that reached the end of life in 2015.
It remains unclear why an end-of-life server was still operational on D-Link’s network, potentially exposed to the Internet for seven years.
Contrary to the attacker’s claim of stealing millions of users’ data, D-Link said the compromised system contained roughly 700 records, with info on accounts that have been inactive for at least seven years.
“Based on the investigations, however, it only contained approximately 700 outdated and fragmented records that had been inactive for at least seven years,” D-Link said.
“These records originated from a product registration system that reached its end of life in 2015. Furthermore, the majority of the data consisted of low-sensitivity and semi-public information.”
D-Link also suspects the threat actor deliberately tampered with the recent login timestamps to create the illusion of a more recent data theft. Additionally, the company stated that most of its existing customers are unlikely to be impacted by this incident.