Hacker claims to have gained access to Visa and MasterCard details; mass bank breach

A hacker going by the name of Reckz0r claims to have targeted over 79 banking companies in a three-month period, apparently gaining the details of thousands of Visa and Mastercard customers. Overall, he boasts of having gained over 50GB of data from customers in the United States and further abroad, including the United Kingdom and Canada.

A section of the data has been posted on the internet with some details included, such as customer names and card types, but the actual card details have been removed. A Pastebin post by Reckz0r explains that such details were not included for security reasons.

The hacker claims to have attempted to gain the data only because he was curious and wanted a challenge. If this is indeed confirmed, we are sure the majority of customers would prefer that curiosity be put to better use. Earlier this year, Neowin reported a story in which Visa and Mastercard confirmed that they may well have been victims of a "massive" data breach. Whether these two incidents are related remains unclear.

It's important to remember that this has yet to be confirmed by the banks in question, and there are those on Twitter who claim the details were gained through a phishing form on the internet rather than through unauthorised access to data. The fact that some of the data appears to be 'unnormalised' supports that claim.

Reckz0r, or "Jeremy", has posted several tweets about vulnerabilities in various software, including Norton Antivirus and cPanel, and has even posted account details for an online porn website.

Source: Twitter | Via ZDNet


39 Comments


banks rule the world.... more powerful than the mafia.... i fear for this hacker's life if he ****es the banks off....

Ehhh...not sure I believe it.

Most hackers like to boast about things like this after the banks have announced their data has been compromised. And so far..I haven't seen any news stories saying their data has been hacked into.

It's like putting the cart before the horse.

My initial inclination is to agree with the phishing concept. Everyone is so quick off the bat to say it's poor bank defense; which, granted, a few months ago it apparently was (I will familiarise myself with that article shortly). And that's not to say it isn't now - but what if there WAS a phishing email that is grabbing people's data? What if it wasn't him who grabbed it in the first place? Who hacks a bank out of boredom? And above all, how does that have anything to do with a porn site's details being leaked? I'm thinking more a problem on the consumer side, and they so happen to have Mastercard and Visa as if it WAS a phishing email, they're more likely to read it and become infected than someone who doesn't own one. The same email then has the capability to steal data from potentially any site requiring a non-SSL login. As mentioned, I'm not saying it's not the case, but maybe dial back on the "Holy crap I can't trust Mastercard or Visa; I own both so I'm screwed!" nonsense. At least for now

I once said I had a car because I was holding a car magazine, doesn't mean I had one.

Plus like someone else said, unless they have the security code, 3 digit number on the back of THE CARD then the details are useless for most online purchases, 3 of the companies I deal with, in the last 6 months have started requiring this number. Meaning, even with the credit card details they wouldn't have these security numbers, so it makes them null and void.

Odom said,
Where are the account details for the online porn site? Need to verify that claim...

Yep same here. Verify the claim and then some.

kInG aLeXo said,
Do not post such links in future!

//nabz0r


At least you could have deleted the link only and kept the fact that this data was leaked >= 2 weeks ago on some "place". Apologies, didn't know posting first hit from google search was forbidden here

kInG aLeXo said,

At least you could have deleted the link only and kept the fact that this data was leaked >= 2 weeks ago on some "place". Apologies, didn't know posting first hit from google search was forbidden here

Just post the search results link on google.

The Teej said,
<Deleted!>
You have big heart.
I like myself.

//nabz0r

Well gee that edit just makes me sound like a complete douche

fake,
another script kiddie idiot.
the dump included NO legit data. it was all auto-generated.
lol another fail, shows you annmoys is .....

.air said,
fake,
another script kiddie idiot.
the dump included NO legit data. it was all auto-generated.
lol another fail, shows you annmoys is .....

I know, another fake thing being posted as a story.

Is credibility ever considered? I feel like these "hacks" are more often fake than real.

.air said,
fake,
another script kiddie idiot.
the dump included NO legit data. it was all auto-generated.
lol another fail, shows you annmoys is .....

The only way it could have contained "legit" data is if he/she had posted full card details. Of course then you would complain about that. So tell me, how do you know this was a "script kiddie" that posted auto-generated information?

Personally I'd rather assume it is fake but if it's not I'm glad the important info wasn't posted. Yes I'm mad that my info may have gotten breached, nobody should hack this kind of info just to prove a point or alleviate boredom. However, it also means the companies need to stop putting so much money towards BS algorithms to 'predict' my action and put more money into security.

.air said,
fake,
another script kiddie idiot.
the dump included NO legit data. it was all auto-generated.
lol another fail, shows you annmoys is .....

source on being fake ?

Overall, he boats...

I presume you mean, "boasts" that he has collected 50GB of data..

People of his ilk are such pathetic excuses for human beings, really!

Farstrider said,

People of his ilk are such pathetic excuses for human beings, really!

It gets companies to actually pay attention to data security. Next time it might not be someone just looking for a challenge, and instead be a syndicate that sells credit card info to whoever wants it.

You don't think it's sad that in 2012 banks in America still use a pathetic 4 digit pin for accounts? Or how Visa's amazing card security is just a three digit code on the back of your card?

-Razorfold said,

It gets companies to actually pay attention to data security. Next time it might not be someone just looking for a challenge, and instead be a syndicate that sells credit card info to whoever wants it.

You don't think it's sad that in 2012 banks in America still use a pathetic 4 digit pin for accounts? Or how Visa's amazing card security is just a three digit code on the back of your card?

verified by visa is a secure system and your little troll about the 3 digit number from the back of the card is the CVV2 or CVC2 is also used on master cards and other types of bank cards such as debit cards it's not a "security" feature it's just there to prove you have the card in hand when using it online. some places don't ask for it when you're ordering over the phone but most places do ask for it when a Customer not present transaction is taking place.

Farstrider said,

I presume you mean, "boasts" that he has collected 50GB of data..

People of his ilk are such pathetic excuses for human beings, really!

Unfortunately an individual's personality, actions or abilities don't matter if a major financial services provider is unable to keep customer data secure.

I for one will be ****ed as hell as I own both debit and credit cards provided via VISA.

xSuRgEx said,

verified by visa is a secure system and your little troll about the 3 digit number from the back of the card is the CVV2 or CVC2 is also used on master cards and other types of bank cards such as debit cards it's not a "security" feature it's just there to prove you have the card in hand when using it online. some places don't ask for it when you're ordering over the phone but most places do ask for it when a Customer not present transaction is taking place.


Ah verified by visa. And how many sites actually use it? I buy quite a bit of things from the internet (Amazon, Steam, Woot, Newegg etc etc) and NONE, absolutely NONE of them use verified by visa. There are three reasons for this

1. Visa charges for it, so sites don't really care since at the end of the day they still get their money.

2. At the end of the day it's up to the site to make sure the details entered are correct. Amazon, for one, doesn't give a **** about the billing address. So it doesn't matter what amazing security Visa / MC / AE put into their cards if it's dependent on the merchant.

3. It's up to your bank to set up the stuff for it, NOT visa. For example, Chase DOESN'T use it.

---

And please your thing about the CVV code is bull****. The credit card number and expiry date should prove you have the card in hand. You may be able to generate a CC number but not a matching expiry date. It's pretty much useless, just like verified by visa.

The other thing to keep in mind, is most of the information is obtained by phishing scams. Things like verified by visa can't protect you against this since the scammer can just make a fake verified by visa page. Yes I agree that at the end of the day it's the customer's fault, but would it be that hard to have a simple authenticator? Hell HSBC has had one for years now in HK, PayPal uses them, Blizzard even has them. Use that and make it mandatory (and free) for any sites that accept CC payments to use it, that way even if someone gets hold of the credit card information they wouldn't be able to use it anywhere since the authentication codes won't match.

-Razorfold said,

Ah verified by visa. And how many sites actually use it? I buy quite a bit of things from the internet (Amazon, Steam, Woot, Newegg etc etc) and NONE, absolutely NONE of them use verified by visa. There are three reasons for this

1. Visa charges for it, so sites don't really care since at the end of the day they still get their money.

2. At the end of the day it's up to the site to make sure the details entered are correct. Amazon, for one, doesn't give a **** about the billing address. So it doesn't matter what amazing security Visa / MC / AE put into their cards if it's dependent on the merchant.

3. It's up to your bank to set up the stuff for it, NOT visa. For example, Chase DOESN'T use it.

---

And please your thing about the CVV code is bull****. The credit card number and expiry date should prove you have the card in hand. You may be able to generate a CC number but not a matching expiry date. It's pretty much useless, just like verified by visa.

The other thing to keep in mind, is most of the information is obtained by phishing scams. Things like verified by visa can't protect you against this since the scammer can just make a fake verified by visa page. Yes I agree that at the end of the day it's the customer's fault, but would it be that hard to have a simple authenticator? Hell HSBC has had one for years now in HK, PayPal uses them, Blizzard even has them. Use that and make it mandatory (and free) for any sites that accept CC payments to use it, that way even if someone gets hold of the credit card information they wouldn't be able to use it anywhere since the authentication codes won't match.

Amazon and Newegg both use Verified by Visa.

bob_c_b said,

Amazon and Newegg both use Verified by Visa.


They do? My bank (Chase) doesn't use it, so I never see the verified by Visa stuff.

I thought BOA supported it but I have a CC with them and it's the same story.

But if they do, then my bad. My point still stands though, it should be a mandatory thing for all banks and websites that accept CCs. Adding in an authenticator would make it extremely secure since there's no way to generate the correct codes (only way would be man in the middle attacks).

warwagon said,
I think someone should really create a photo from the movie BattleShip with Rihanna saying "BOOM!"

did you just admit to watching battleship?

Som said,

did you just admit to watching battleship?

The movie was popcorn entertainment. Not good, not bad. Fun to watch.
A movie doesn't have to be "Citizen Kane" to be enjoyable.

I hate how they remove things from Pastebin. It was just him talking about things.. And even if he had posted the info, I want to know if I'm in the breach >.>.