Taiwanese networking giant D-Link has confirmed a data breach after an employee fell victim to a phishing attack.
D-Link discovered the data breach on October 2, 2023, a day after an attacker began selling the stolen data on BreachForums for $500.
The threat actor claims to possess 1.2 GB of D-Link’s stolen data, including personal information and the D-View network management software’s source code. Some leaked data allegedly contained information belonging to Taiwanese government officials and D-Link’s CEOs.
“I have breached the internal network of D-Link in Taiwan, I have 3 million lines of customer information, as well as source code to D-View extracted from system,” the hacker said. “This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company.”
Details leaked include names, office email addresses, phone numbers, and timestamps, including account registration and last login dates.
Hacker exaggerated the extent of the D-Link data breach
After detecting the breach, D-Link responded by shutting down affected servers, deactivating all except “two maintenance accounts,” and launching an investigation with an external cybersecurity firm, Trend Micro.
The probe determined that the attacker accessed a registration system in a “test lab environment” running an outdated D-View 6 system.
“These records originated from a product registration system that reached its end of life in 2015,” D-Link posted on its website.
Additionally, most records “consisted of low-sensitivity and semi-public information” and lacked “user IDs or financial information.”
Nevertheless, the data breach leaked some personally identifiable information that could be used for phishing, including names, email addresses, and phone numbers.
However, D-Link’s assessment found that the number of affected individuals was far smaller than the hacker alleged, and that the data was stale.
“Based on the investigations, however, it only contained approximately 700 outdated and fragmented records that had been inactive for at least seven years,” D-Link said.
The assessment also suggested that the data breach would not affect most of its active customers, and that the hacker had manipulated the dates to make the data appear more recent than it was.
“We have reasons to believe the latest login timestamps were intentionally tampered with to make the archaic data look recent,” D-Link noted.
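The tampering claim above points to a simple triage a responder can run over a dumped record set before accepting a seller’s “recent data” story: compare each record’s timestamps against what is known about the source system’s lifecycle. This is an added example, not D-Link’s or Trend Micro’s code; the records are constructed, and the 2015-12-31 end-of-life cutoff is an assumption, since the page only gives the year.

```python
"""Sanity-check timestamps in a leaked record set against the source system's lifecycle."""
from datetime import datetime, timedelta

# Constructed sample in a leaked-style layout: name, email, registered, last_login.
# These values are fabricated for the example and are not the actual leaked data.
SAMPLE_RECORDS = """\
alice,alice@example.com,2011-03-04,2013-09-12
bob,bob@example.com,2014-06-01,2023-09-30
carol,carol@example.com,2012-11-20,2023-09-30
dave,dave@example.com,2016-01-15,2014-02-02
erin,erin@example.com,2013-05-05,2023-10-01
"""

# Assumption: the page only says the registration system reached end of life in 2015.
SYSTEM_EOL = datetime(2015, 12, 31)


def parse_records(text):
    """Parse the comma-separated dump into dicts with datetime fields."""
    rows = []
    for line in text.strip().splitlines():
        name, email, reg, login = line.split(",")
        rows.append({"name": name, "email": email,
                     "registered": datetime.strptime(reg, "%Y-%m-%d"),
                     "last_login": datetime.strptime(login, "%Y-%m-%d")})
    return rows


def triage(records, eol=SYSTEM_EOL, cluster_window=timedelta(days=3)):
    """Flag implausible timestamps and detect a mass-edit signature.

    login_after_eol  - last login later than the system was retired
    login_before_reg - last login earlier than the account was registered
    post_eol_clustered - all post-EOL logins fall inside a narrow window,
                         as a bulk rewrite of the field would produce
    """
    flagged, post_eol_logins = {}, []
    for r in records:
        flags = []
        if r["last_login"] > eol:
            flags.append("login_after_eol")
            post_eol_logins.append(r["last_login"])
        if r["last_login"] < r["registered"]:
            flags.append("login_before_reg")
        if flags:
            flagged[r["email"]] = flags
    clustered = (len(post_eol_logins) >= 2 and
                 max(post_eol_logins) - min(post_eol_logins) <= cluster_window)
    return {"total": len(records), "flagged": flagged, "post_eol_clustered": clustered}
```

A high share of post-EOL logins bunched within a few days is consistent with the field having been rewritten in bulk rather than with genuine activity on a retired system.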
However, Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4, warned that the data breach could not be discounted: “This seems like a full breach – source code plus details on employees and customers,” he said. “It doesn’t get much worse than this. The only saving grace is the potential age of the stolen data.”
Grimes explained that threat actors could leverage the information to craft compelling phishing messages, resulting in successful exploitation or malware distribution.
“Still, the stolen customer information could be used to form a sophisticated phishing campaign where customers are contacted with some sort of fake scheme, like a fake firmware update, which is then used to trick unsuspecting customers into installing malware,” said Grimes. “Hopefully, D-Link will be able to identify all the impacted customers and send them a warning about the heist.”
D-Link did not confirm or deny whether the leaked data included government officials’ personal information.
D-Link’s data breach stemmed from a phishing attack
The Taiwanese networking equipment manufacturer attributed the data breach to a phishing attack that compromised an employee account.
“The incident is believed to have been triggered by an employee unintentionally falling victim to a phishing attack, resulting in unauthorized access to long-unused and outdated data,” explained D-Link.
A phishing attack aims to trick the victim into disclosing sensitive information by impersonating a trusted entity. However, D-Link withheld details about the nature of the phishing attack.
Meanwhile, the networking company promised to review its access policies and implement additional controls to prevent similar data breaches in the future. D-Link also deactivated the compromised testing server to prevent potential exploitation and will audit and delete outdated users and data.
Outdated or abandoned information systems are rarely monitored and seldom receive security updates or configuration hardening, which makes them attractive targets for exploitation.
“Despite the company’s systems meeting the information security standards of that era, it profoundly regrets this occurrence,” the company said.
The networking gear manufacturer advised customers to be vigilant of phishing attacks. D-Link reminded them that it does not request account, personal, or financial information through calls, text messages, or email.