- Cybercriminals used the ‘1234’ password to gain access to a user’s account and order a new SIM card.
- The cybercriminals used stolen user accounts to purchase $30,000 worth of gambling services.
A court in Teplice, Czech Republic, has sentenced two hackers to prison for three years for compromising the accounts of Vodafone customers. They used stolen accounts to purchase $30,000 worth of gambling services.
According to Czech news site idnes.cz, the hackers gained access to several user accounts by brute-forcing the passwords. These user accounts contained weak passwords, specifically ‘1234’, enabling the attackers to easily place an order for new SIM cards to be picked up from various branches. These new SIM cards could then be activated without any further verification since the hackers already knew the phone number and name associated with each compromised account.
Once the SIM cards were activated, the cybercriminals used them to send premium messages to subscribe to various gambling services. The campaign began in April 2017 and allowed the hackers to accumulate $30,000 in their game accounts.
Affected customers to pay the stolen amount
In court, Vodafone argued that the customers were at fault for using weak passwords. The company has refused to pay for the damage and reportedly wants the affected victims to pay the stolen money back.
"If the account was misused by an unknown offender, the correct procedure is that the customer will report the situation to the Czech police and file a criminal complaint. Unfortunately, we cannot compensate for the charged amount," a Vodafone spokesperson said, ZDNet reported.
Meanwhile, customers impacted by the breach claim to have no idea how their accounts' passwords came to be set to ‘1234’. They also denied knowing that there was even an online portal that could be used to access customers' personal details.
Vodafone, however, defended its stance stating that even if one of their employees had configured a phone’s password during the time of purchase, it was still the responsibility of the users to have it changed to a stronger password.
Jiri Kropac, the head of Threat Detection Labs at ESET, tested Vodafone's portal on behalf of Bleeping Computer and found that the password field is limited to 4 to 6 characters. With such a small keyspace, the hackers could easily have guessed users' passwords with a brute-force attack, even without a prior breach.
This is not the first time that Vodafone has suffered a data breach. In 2015, sensitive information belonging to 1,827 UK customers was stolen after a cybercriminal accessed users' email addresses and passwords.