THE HACKERS that exposed personal and financial information about personalities like Paris Hilton and Beyonce might have extracted it from credit agencies.
According to Bloomberg, Equifax, Experian and TransUnion have all confessed that they are in scurry mode and looking to see if any more clients are affected. We have contacted the agencies but so far they have not responded.
Only a limited number of people, albeit some very famous ones, have had their personal details including addresses and social security numbers leaked, but the fact that the credit companies might be the source suggests that more will follow.
We asked Sophos senior technology consultant Graham Cluley whether he thought, as we had, that this could have been a simple case of social engineering or password guessing.
"It's hard to say definitively what happened at the moment," he said. "My leaning, however, is that this is more likely to be a situation where the hackers were able to scoop up information off the net which then allowed them to impersonate the celebs and access the credit histories."
Cluley has also blogged about the revelation, saying that prospective visitors to the website might add themselves to its list of victims.
"One word of caution - websites claiming to contain private information about celebrities are likely to receive a lot of traffic from curious members of the public, and some in the media may publish the web address," he wrote.
"Computer users, however, should be extremely careful about visiting such sites. After all, it would be trivial to plant a boobytrapped PDF on the site designed to infect visiting computers."
Yesterday, when we dipped a cautious toe into the Russian website it was displaying documents on about a dozen personalities including Beyonce, Hulk Hogan and Michelle Obama.
TransUnion told us that its systems were not hacked or compromised. It called the attacks "sophisticated", saying that the perpetrators had "considerable" amounts of the victims' private information. Enough, anyway, to pretend to be them.
"Nothing is more important to TransUnion than the security and accuracy of the information we maintain on behalf of consumers. TransUnion's systems were not hacked or compromised in any way," said a spokesman.
"The sophisticated perpetrators of these fraudulent activities had considerable amounts of information about the victims, including Social Security numbers and other sensitive, personal identifying information that enabled them to successfully impersonate the victims over the Internet in order to illegally and fraudulently access their credit reports."
He added that TransUnion is taking the steps necessary to help those affected, is conducting an internal investigation, and is working with the law on sorting this out.
Equifax is humming the same tune. "Nothing is more important to us than data security and we have stringent measures in place for protecting the data entrusted to us," said a spokesperson there.
Again the firm said that personal insider info was used to gain access to files that are gain accessible too. It too has launched an inquiry, and it too has called in the law.
"Our initial investigation shows the perpetrators had the Personally Identifiable Information of the individuals whose files were accessed and were therefore able to pass the required authentication measures in place. We have launched a full investigation into this matter and we are also working closely with law enforcement authorities on this matter." µ