Hacker grabs net providers' user file

By MICHAEL FOREMAN

Auckland company Attica Communications, owner of internet service providers i4free and Slingshot, has warned its customers to change their passwords following a security breach.

Executive director Wayne Toddun said his company had received an anonymous telephone call last week from a man who claimed to have exploited a server security loophole to obtain user information.

Mr Toddun believed the hacker had obtained a file of user names and passwords but as the passwords were protected by MD5 one-way encryption, it would be impossible for the hacker to unscramble them.

"It's so secure that when a customer rings us up and says they have lost their password, even we can't tell them what it is. We have to issue a new one."

But Mr Toddun said the hacker might be able to access some customers' internet accounts by guessing passwords or by running a dictionary program to generate commonly used words.

"If someone's got a password like 'bob' or 'house,' he might be able to get into it, but the same could be said of anyone in a large corporation who uses an insecure password. User names are not difficult to obtain."

Mr Toddun would not reveal how the hacker had obtained the file but said "a few security gaps" in the company's servers had since been closed.

No demographic information collected from people who had signed up to i4free was involved in the breach.