A misconfigured server left U.S. broadband service provider Excite@Home Inc.'s internal network open to hackers for three months and among the gems exposed to the world: its entire customer list of nearly 3 million [M] cable modem users.
Excite@Home won't confirm the level of intrusion but has confirmed that an outsider was able to surf the company's internal network with as much access as an employee.
Online security news site SecurityFocus reports that the 20-year-old hacker who discovered the hole had managed to add his name to a list of employees on the corporate network by exploiting an open proxy server.
"It wasn't anything resembling rocket science," says Adrian Lamo, who had already helped expose a bug allowing hackers access to AOL's Instant Messenger accounts.
Excite@Home's technical staff familiar with the incident said the proxy was set up automatically during a default install of a network management tool. But even after the system was shut down, other holes appeared.
"We have 3,000 employees," says the staff member. "There have been other machines popping up with proxy servers on them."