Attackers have breached the servers at Verizon Enterprise Solutions and made off with professional-contact information for about 1.5 million individuals employed by companies that use Verizon for telephone and/or Internet service. The entire data package was posted for sale online earlier this week, for a total of $100,000, but the seller is reportedly also offering to sell packets of 100,000 records for $10,000 each.
Verizon has said only that "basic contact information" was stolen. An email sent by one affected company to employees suggested that names, business email addresses, business phone numbers and company names and mailing addresses were accessed by the attackers.
In a statement emailed to independent security reporter Brian Krebs, Verizon said that its "customer proprietary network information (CPNI)" — which includes metadata such as call dates, call duration and parties to a call — was not "accessed or accessible."
The identity of the thieves has not been revealed, but Krebs notes that the data is being offered for sale by "a prominent member of a closely guarded underground cybercrime forum." Verizon has not revealed how the records were pilfered, stating only that it "recently discovered and remediated a security vulnerability" in its "enterprise client portal."
Krebs hypothesizes that the attacker "somehow forced" the Verizon servers to dump their contents, because one format the data is being sold in is that of database platform MongoDB. That platform was recently patched to fix a widely publicized vulnerability that left it open to remote attackers.
While this news may give privacy-minded users a case of the shivers, what we know so far about the compromised information is that it's identical to what you'd see on a business card. (That may change if more news about the breach emerges.)
Affected individuals may see an uptick in email spam and cold calls at their workplaces. But to keep it in perspective, remember that your LinkedIn page reveals your name, current position and employment history — information that's arguably more useful to an identity or data thief.