Acer inadvertently releases 40,000 customer details
According to a report from The Hacker News, the personal data of approximately 40,000 Acer customers was made available online via the company's Acer-Euro.com FTP server. The 13 MB ZIP archive contained an Excel spreadsheet with various customer details, including first and last names, country of residence and email addresses, as well as the model and serial numbers of products owned by these customers.
The attack was reportedly carried out by the "Pakistan Cyber Army" (PCA), a known hacking group, which told the online news site that it intends to publish the data online. In addition to the stolen customer data, source code was also said to have been obtained by the group and will be made available at a later date. In a follow-up post, The Hacker News notes that it found valid FTP credentials for the company's servers in the Acer ASP support forums dating back to January 2008. A quick search by The H Security shows that the FTP credentials are still available online.
It is unknown whether the access rights for the FTP account were configured incorrectly or whether the forum was not intended to be publicly viewable. It is also unclear how old the private data obtained by the group is. Meanwhile, Acer has blocked FTP access to its servers and the company's forums are now down for maintenance. When contacted by The H's associates at heise Security, Acer said that it would not comment. However, an official statement from Acer is expected to be released soon.