Dear Sirs

I am writing to you to highlight what I think you will agree is a major security lapse by Wanadoo, the UK's most popular internet service provider.

20,000 of Wanadoo's customers' "secure" details were left open to interrogation by any internet user until the problem was brought to the attention of their PR department. The lapse allowed anybody coming across these files access to usernames and passwords to customers' accounts. This basically allows unauthorised access to personal email accounts which obviously leads to an intrusion into customers personal and financial lives (if they bank on-line for example).

The security failure has been known for at least 3-4 months when they were contacted by one of their customers. Wanadoo did nothing to rectify the problem. However, after a post on the WanadooProblems.co.uk website at the weekend highlighted this issue, we contacted Wanadoo PR who have now stopped access to the pages, but have not secured the details... The details are still accessible.

Wanadoo PR are yet to get back to me to comment on this issue... Are they trying to brush this very serious breach of confidentiality under the carpet?


Full details can be found here:

http://www.wanadooproblems.co.....php?t=240


If you would like further details, please feel free to contact me on ***** *** ***

With kind regards


WanadooProblems.co.uk

www.wanadooproblems.co.uk

It has come to my attention through a disclosure on a forum that you keep customer data in plain view on a number of web servers.
This means that the email addresses, domains, names and passwords of a huge number of wanadoo / freeserve account holders are exposed and potentially open to harvesting by spammers and abuse such as using the account to perpetrate other fraud or exchange of illicit materials.
The post in question was pulled but was in the public domain for at least 45 minutes.
I felt it was quite important that you be made aware of this issue as a matter of urgency so that you can take appropriate measure to secure the servers in question.
They are currently open to a trivial, non-technical attack simply by using a browser, because directory listing has not been disabled, so anyone with malicious intent can easily browse the details of several hundred of your users.

The IP addresses of the servers are in Portugal according to RIPE records, though it is not clear what the connection is between them and Wanadoo (I assume a subsidiary company).

I trust you will protect the private details of your paying customers, and thereby help to prevent misuse of this data in an effort to remain good "net citizens".

Please feel free to contact me if I can be of further assistance. I am sure you would rather deal with this quickly rather than allow it to become a matter of public knowledge.
I do not know the identity of the original poster nor can I vouch for where else they may have posted this information. Search engines are currently coming up blank but this is to be expected if they have only revealed this today.

Unfortunately this will mean I will be forced to advise my own clients not to sign up for your services until such time as this breach is remedied.

who's been affected?

A small number of customer's who recently opened a Dial-up Any Time account, or retrieved their account settings have potentially been affected. We have emailed all affected customers, to let them know of the problem.

From Wanadoo Help

security issue - questions and answers

Article ID: kb9333

Below is a list of FAQs providing more information about a recent security issue.

what is the security issue?
As part of our Dial-up Any Time registration and account retrieval process we download information to your computer using an 'ins' file. The file allows your computer to connect to the Internet, and sets up Outlook Express so that you can check your email. These files are held on a server, and have been exposed to a security weakness. As such, unauthorised people may have been able to view customers 'ins' files over the Internet.

what details could have been accessed?
Each 'ins' file contains an Internet access username, password and email address, along with other information to help your computer connect to the Internet. As such, there's a risk that an unauthorised person could:

• connect to the Internet using your connection details
  
• view emails in the email account held with us
  
• enter your account through the Member Centre and view your address and direct debit details. Credit and debit card details have not been compromised.

how did it happen?
One of our systems had an issue with its security protection that we didn't know about.

what have you done to fix the problem?
The issue was identified and fixed on 16 May 2006 to prevent any further security issues. All other servers have been checked as a precaution.

who's been affected?
A small number of customer's who recently opened a Dial-up Any Time account, or retrieved their account settings have potentially been affected. We have emailed all affected customers, to let them know of the problem.

when did this happen?
We were made aware of the issue on 16 May 2006 and immediately took action to address the security weakness and began investigations into the impact and the cause of the problem.

which passwords do I need to change?
We suggest that you change your email and connection password immediately.

You'll find more help with this in the article how to change your password. Alternatively follow the instructions below:

1. go to www.wanadoo.co.uk
   
2. click on help
   
3. search for 'how to change your password'

We advise that you change your sign-in details for services you may have set up with other companies, where they've confirmed sign-in details to your email account

We also suggest that you use different passwords, for different services.

what should I do if I have forgotten my username and/or password?
When you joined us, you'll have received a welcome email containing your email address. If you can’t find this and would like a reminder of your email address, please call us on 0800 294 0330.

how do I know this won't happen again?
The security of our customers is vital to us, and we've taken immediate action to stop any further security compromise. We're also alerting affected customers of the issue as soon as possible with the steps required to secure information.

This is an isolated incident and although the issue has been fixed, we're continuing to carry out investigations to ensure this doesn't happen again.

what have you done to tell customers about this?
We've emailed all of our customers who we know may have been affected, and we are also following this up with a letter. If you’ve not been contacted, then you’ve not been affected.

where can I get more information on safety online?
Go to http://www.wanadoo.co.uk/commu...ate/safety for more information.

what can I do to find out more?
If you require any further information, please contact us on 0800 294 0330.

Hi spragger

Welcome to WanadooProblems.co.uk

Well, apparently, Wanadoo have said in a statement that they would contact all affected customers.

However, to be on the safe side, I would strongly suggest to change your Wanadoo password at the very least.

If, like thousands of others, you use the same password for all your accounts (e.g. email, banking, PayPal, ebay etc.) then you would be wise to change these passwords too - to be safe!

It is a hassle. Yes. But... Better safe than sorry!

Also: It is a hassle remembering lots of passwords, I know(!), but... you should have a unique password for all your accounts.



By the way - If anyone has received a letter or email from Wanadoo - can you let us know - there are at least 20,000 customers that should be contacted - one of them must have seen this website!