D-Link Confirms Data Breach after Employee Phishing Attack

Cyber Security Threat Summary:
“Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month. The attacker claims to have stolen source code for D-Link's D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company's CEO” (Bleeping Computer, 2023). According to the listing, the stolen data allegedly includes names, emails, addresses, phone numbers, account registration dates, and the users' last sign-in dates. The threat actors were able to provide samples of 45 stolen records with timestamps between 2012 and 2013, which has some experts suspecting that the data could be old.

While the stolen customer data is being viewed with scrutiny, the threat actors claim to have 3 million lines of customer information as well as source code to D-View network management software. Even if the customer records are old, the threat actors say the details include many government officials in Taiwan as well as CEOs and employees of the company.

The data has been available for purchase on the hacking forum since October 1st, with the threat actor demanding $500 for the stolen customer information and the alleged D-View source code.

Security Officer Comments:
D-Link confirmed the breach this week, stating that an employee fell victim to a phishing attack which granted the attacker access to the company’s network. The company says it immediately shut down impacted servers and disabled all but two accounts during its investigation.

“While it confirmed the breach, D-Link specified that the intruder accessed a product registration system within what it described as a "test lab environment," operating on an outdated D-View 6 system that reached the end of life in 2015” (Bleeping Computer, 2023). Questions remain about why D-Link had an end-of-life server still operational and exposed to the Internet for seven years. While the attackers claim to have stolen user data in the millions, D-Link says the compromised system contained roughly 700 records going back at least seven years. "These records originated from a product registration system that reached its end of life in 2015. Furthermore, the majority of the data consisted of low-sensitivity and semi-public information."

D-Link also suspects the threat actor deliberately tampered with the recent login timestamps to create the illusion of a more recent data theft. Additionally, the company stated that most of its existing customers are unlikely to be impacted by this incident.