Shostack + Friends Blog Archive


Acxiom, 8.2 gb of love, Bad Password

In “Acxiom’s High Tech Hacker,” Ryan Singel describes how Scott Levine downloaded 8.2 gb of data that customers had uploaded to an Acxiom FTP server. The server was misconfigured, and anyone could login and see other people’s data.

“According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through hacking of encrypted passwords.”

“Evidentially,” indeed. Do you really want to let these people decide when a breach is a threat to their customers? What if they’d accidentally configured their IDS with the same password?

One comment on "Acxiom, 8.2 gb of love, Bad Password"

  • Chris Walsh says:

    I suspect this isn’t the same password for many customers, but the same home dir perms (755) and umask (022) for many customers.

Comments are closed.