Privacy Your Rights Online

ISP Emails Customer Database To Thousands

Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."
  • by danlip ( 737336 ) on Wednesday September 23, 2009 @06:32PM (#29523133)

    I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

    Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.

  • by MichaelSmith ( 789609 ) on Wednesday September 23, 2009 @06:54PM (#29523427) Homepage Journal

    A lot of their customers will be Dear Old Ladies who call their ISP when they have lost the little bit of paper their daughter wrote the password on. You don't want to give them a new password at that point because their daughter isn't around to write it down again. And in practice, the password isn't protecting anything of value anyway.

  • by MrBandersnatch ( 544818 ) on Wednesday September 23, 2009 @07:09PM (#29523539)

    Demon, once upon a time at least, was a VERY good ISP (ex-customer and I don't recall leaving them due to dis-satisfaction, I think it was the move to ADSL which prompted the switch).

    Anyways, http://forums.thinkbroadband.com/ [thinkbroadband.com] is a good place to get real user feedback on ISPs. Somewhat strangely there are 666 new posts for Demon (I kid you not). I personally am unable to recommend any ISP though. Clara.net shafted me for £100 years ago when their channel bonded ISDN service just wouldn't work for me so I'd recommend you avoid them like the plague; Nildram used to be GREAT but apparently have been taken over by talktalk and users don't look happy; and personally I'm currently stuck with Virgin who routinely cause my blood pressure to rise but because they offer the best speeds blah blah blah.

    On the business side I'll say that NewNet and Spitfire have done what they say on the packet overall.......

    Anyways, yes, if someone finds a decent ISP let us know please.

  • Another reason... (Score:3, Informative)

    by SlashDev ( 627697 ) on Wednesday September 23, 2009 @07:12PM (#29523561) Homepage
    ... why emails originating from ISPs should be audited first, then approved or denied.
  • by danlip ( 737336 ) on Wednesday September 23, 2009 @07:17PM (#29523605)

    Ummm. Where I work spreadsheets are called "databases".

    But surely you don't have an ebilling login system trying to look up passwords in an Excel spreadsheet? Or even an MS Access database? Although maybe Demon Internet does, given their extreme lack of clue.

    (and spreadsheets aren't databases, you can't write SQL queries against them)

  • by Anonymous Coward on Wednesday September 23, 2009 @07:36PM (#29523757)
    I remember when Demon was THE ISP for knowledgeable users. Hell their Welcome Pack used to include instructions for Amiga users!

    Then they got bought by THUS and, well...you can read the story for how that worked out.
  • by Fredde87 ( 946371 ) on Wednesday September 23, 2009 @07:58PM (#29523889)
    I would love to see Demon crash and burn. The most horrible company to deal with. We run a lot of our customers' email and domains. We used to buy the domains through Demon, then one month they forgot to send us a renewal bill for one of our many domains. Instead of calling us or emailing us like a normal company to check why we hadn't paid, they decided to suspend all of our domains for this one outstanding bill. We finally got the missing bill in the post a few days later, dated the same day that they suspended all of our accounts.

    Then the same thing happened a second time a few weeks later. Obviously after the first time we asked them to double check that there were no more outstanding bills we hadn't received, and they assured us that we were all up to date. Turned out they missed one of our accounts when they checked.

    Awful company to deal with in general: any DNS changes to a domain have to be done via fax on a letter with the company's header. Seriously? A large ISP like Demon can't make DNS changes over the phone/email or even have a management site online where the customer can change this? Of course they refused to give us our AuthInfo codes when we requested them. They said we could not get them for 6 months as we had just bought the domains. Turned out that when they "suspended" our domains they actually just cancelled all of them and then put them through as new orders to reactivate them. Finally got the AuthInfo code but had to put through the cancellation first, which was scary to do as I had a feeling they were just going to cancel it and give us the AuthInfo code at the same time as they removed all our DNS records from their NS server. Luckily the move went through smoothly.

    Now with Zen and 1&1, which in comparison are top notch. All of this for a stupid outstanding amount of £12 renewal fee for 1 domain. Our customers ended up having 3 days of no emails or web services. Thank you and goodbye Demon!
  • by mortonda ( 5175 ) on Wednesday September 23, 2009 @08:07PM (#29523953)

    I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

    While having it in an Excel document is inexcusable, there is a real reason why passwords are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the RADIUS server, which can then look up the salt, hash it, and then verify the password.

    However, since this means sending passwords in the clear, most modem concentrators (most ISPs resell for a handful of large telcos that operate the modems nowadays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the RADIUS server. In order for the RADIUS server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.

    That said, it should be stored in a hardened and dedicated server that only handles the storage (SQL or LDAP) and the RADIUS server. Any billing interaction should only be to update the password, never to read. And it should never be put into an Excel or Word doc!
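
The two posts above (danlip's "one-way hash with salt" and mortonda's PAP-vs-CHAP explanation) describe the core trade-off; the following is an added example, not code from Demon or from either poster, that shows it in a toy RADIUS-style credential store. The PAP half keeps only a salted PBKDF2 digest and verifies the forwarded cleartext; the CHAP half follows the RFC 1994 construction (response = MD5(identifier || secret || challenge)), so the server can only check a response if it holds the cleartext secret. The credential values, the helper names and the hash-only "attempt" function are constructed for this demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Added example, not the ISP's code: contrasts PAP (server may keep only a
# salted one-way hash) with CHAP (server must keep the cleartext secret).
# Function names, parameters and sample credentials are constructed.

# ---- PAP: the NAS forwards the cleartext password to the auth server ----

def pap_enroll(password: str, salt: bytes | None = None, iterations: int = 200_000) -> dict:
    """Store only a salted PBKDF2-HMAC-SHA256 digest; the cleartext is discarded."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def pap_verify(record: dict, password_on_wire: str) -> bool:
    """Recompute the digest from the forwarded cleartext; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password_on_wire.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


# ---- CHAP (RFC 1994): challenge/response, the secret never crosses the wire ----

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Client side: MD5(Identifier || Secret || Challenge), per RFC 1994."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(stored_secret: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response, which needs the cleartext secret."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_verify_with_hash_only(record: dict, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Constructed counter-example: a server that kept only the PAP-style salted
    digest feeds that digest in as if it were the secret. It never matches, because
    the client hashed the real cleartext, so a hash-only store cannot serve CHAP."""
    attempt = chap_response(identifier, record["digest"].hex(), challenge)
    return hmac.compare_digest(attempt, response)


def chap_exchange(stored_secret: str, client_secret: str, identifier: int = 1) -> tuple[bool, bytes, bytes]:
    """One challenge/response round. Returns (accepted, challenge, response) so the
    caller can see that only the challenge and the 16-byte MD5 cross the wire."""
    challenge = os.urandom(16)  # issued by the NAS / terminal server
    response = chap_response(identifier, client_secret, challenge)  # computed by the client
    accepted = chap_verify(stored_secret, identifier, challenge, response)
    return accepted, challenge, response


if __name__ == "__main__":
    # Constructed credentials for the demo.
    record = pap_enroll("s3cret-ebill")
    print("PAP, correct password:", pap_verify(record, "s3cret-ebill"))
    print("PAP, wrong password:  ", pap_verify(record, "guess"))

    ok, challenge, response = chap_exchange("s3cret-ebill", "s3cret-ebill")
    print("CHAP, server holds cleartext secret:", ok)
    print("CHAP, server holds only salted hash:",
          chap_verify_with_hash_only(record, 1, challenge, response))
```

The design point the code makes concrete: with PAP the secret is exposed on the wire but can be stored hashed; with CHAP the wire carries only a challenge and a digest, but the verifier must hold the cleartext (or an equivalent reversible form), which is exactly the material that ended up in the spreadsheet. Either way, the billing application has no business reading that store.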

  • by mortonda ( 5175 ) on Wednesday September 23, 2009 @08:16PM (#29524025)

    Unfortunately, that's not the case. CHAP authentication requires cleartext passwords to be stored. See my other post [slashdot.org]

  • by digitig ( 1056110 ) on Wednesday September 23, 2009 @08:16PM (#29524027)
    There are a lot of ISPs available in the UK, so there's plenty of choice [thinkbroadband.com] for fleeing customers.
  • by Anonymous Coward on Wednesday September 23, 2009 @08:21PM (#29524057)

    "Standard practice is that NOBODY, not even sysadmins can see it."

    Damn, I guess I won't mention which big webhosting company I just stopped working for then...but suffice to say they just merged with another big webhosting company... fellow slashdotters, if you have webhosting at a large hosting company that has recently undergone a merger, and you value the secrecy of your passwords, tread carefully.

  • by Anonymous Coward on Wednesday September 23, 2009 @08:26PM (#29524087)

    There are quite a lot of ISPs for DSL in the UK, if you can get BT DSL then you can get the competition. There is a range of small-large ISPs which gives the UK a pretty good selection.

    http://www.dslzoneuk.net/isp_ratings.php

  • by geekoid ( 135745 ) on Wednesday September 23, 2009 @08:31PM (#29524127) Homepage Journal

    intent.

    A hacker didn't accidentally get into a system,

  • I wonder... (Score:2, Informative)

    by BrokenHalo ( 565198 ) on Wednesday September 23, 2009 @11:42PM (#29525179)
    I wonder how rare this situation actually is. The same thing happened to me in about 1998 when I was a customer of Q-net, which later got absorbed by Eftel [eftel.com]. Some certifiable cretin emailed out the ISP's entire customer contact list to every one of its customers. The managing director of Q-Net was a total creep, and rather than admitting responsibility and eating crow, his letter of "apology" was more of an exhortation to customers to secure their passwords. Needless to say, I was unamused, and changed ISPs shortly after.
  • by PiSkyHi ( 1049584 ) on Thursday September 24, 2009 @01:22AM (#29525623)

    Which is why a CHAP password is not a unified billing password.
