A computer hacker stole credit-card numbers from an Internet music retailer and released thousands of them on a Web site when the company refused to pay a $100,000 ransom, raising fresh concerns for consumers who want to shop online.
The espionage will have a minimal effect on pocketbooks of customers of the Internet retailer, CD Universe. But it will likely dissuade some novices from buying online and may strike fear into other online retailers, analysts said today.
The New York Times reported that the hacker claimed to have taken 300,000 card numbers. The parent company of CD Universe, eUniverse of Wallingford, Conn., had not yet determined how the Web site was compromised or how many customers may have been affected.
Internet security specialists worked to shore up CD Universe's Web site as the FBI tried to track down the hacker.
The hacker, a self-described 19-year-old from Russia using the name Maxim, sent an e-mail to the Times boasting that he exploited a flaw in the software used to protect financial information at CD Universe. He said he sent a fax to the company last month offering to destroy his credit-card files in exchange for $100,000.
After he was rebuffed, he used a Web site called Maxus Credit Card Pipeline to distribute up to 25,000 of the stolen numbers, said Elias Levy of SecurityFocus.com, a computer security firm. The site was shut down Sunday.
CD Universe said it did not know whether any of the credit-card numbers had been used to make unauthorized purchases, though the Times said the extortionist claimed in e-mails that he used some of the numbers to obtain money.
EUniverse got credit-card companies to cancel customer numbers that had been stolen and is notifying those cardholders by e-mail, Brewer said. He said the credit-card companies will automatically give those customers new cards.
E-commerce analysts said it was only a matter of time before a case of hacker blackmail was made public, contending that many other attacks go unreported.
"It is a public relations disaster . . . for the company," said Charles Rutstein, an analyst at Forrester Research Inc. "In terms of the actual consumer, their liability is at most $50 or zero. The problem is the loss in consumer confidence."