A single misconfigured server left US broadband service provider Excite@Home’s internal network open to hackers for three months. Among the gems exposed to the world was its entire customer list of nearly 3 million cable modem users.
Excite@Home won’t confirm the level of intrusion but has confirmed that an outsider could surf the company’s internal network with as much access as an employee.
Online security news site SecurityFocus reports that the 20-year-old hacker who discovered the hole had managed to add his name to a list of employees on the corporate network by exploiting an open proxy server.
"It wasn't anything resembling rocket science," says Adrian Lamo, who had already helped expose a bug allowing hackers access to AOL’s Instant Messenger accounts.
A member of Excite@Home's technical staff familiar with the incident said the proxy was set up automatically during a default install of a network management tool. But even after the system was shut down, other holes appeared.
"We have 3000 employees," says the staff member. "There have been other machines popping up with proxy servers on them."