CyberCash Bitten Again After Extortionist Posts 25,000 Credit Card Numbers to 'Net After Getting Card Numbers Via Software Flaw


Extortionist posts credit cards online

Numbers exposed after CD Universe refuses to pay $100,000

By Mike Brunker, MSNBC

Jan. 10 - Sending shockwaves through the e-commerce world, an intruder who claims to have plundered 300,000 credit card numbers from an Internet music retailer's computers posted thousands of numbers on a Web page after failing to force the company to pay him $100,000.

The FBI on Monday was investigating the theft and attempted extortion, and the company, CD Universe, said it was advising customers that their credit card data could have been compromised. An estimated 25,000 credit card numbers were posted on the Web site before it was taken down Sunday morning.

WORD OF THE extortion plot surfaced Friday, when the thief contacted a California computer security firm and directed employees to the Web site where he apparently had been posting the credit numbers since Christmas Day.

Brad Greenspan, chairman of eUniverse, the parent company of CD Universe, said Monday that company officials and an outside security firm it had hired were still attempting to determine how the thief had made off with the financial information. But he said there are reasons to believe that other online retailers also could be vulnerable.

OTHER SITES COULD BE VULNERABLE

"The hacker has said that there's a flaw (in the ICVerify software that CD Universe was using to process its transactions) ... in a general sense, not just that he found that flaw in our system," he told MSNBC.

Representatives of the software maker, CyberCash of Reston, Va., did not return calls Monday seeking comment.

The New York Times reported that the extortionist, a self-described 19-year-old from Russia using the name Maxim, claimed in e-mails that he used some of the credit card numbers to obtain money for himself.

On the Web site, which was shut down Saturday, the thief said e-mail and faxes had been sent to the company warning that he would publish the credit card numbers and other information obtained through an unspecified "security hole" in the company's e-commerce software.

"Pay me or I publish it," the thief claimed to have warned the Wallingford, Conn.-based company by e-mail and fax.

CD Universe and its parent, eUniverse, said they were working with the FBI to track the intruder.

UNAUTHORIZED PURCHASES DETAILED

The company said it had not received any reports that customers' credit card numbers had been used to make unauthorized purchases.

But APBNews.com, an Internet publication focused on crime, said it obtained 32 credit card numbers before the Web site was removed and had verified at least two fraudulent purchases - one for $1,000 of computer equipment and another for $1,250 worth of unspecified goods - from the more than a dozen victims it was able to reach. One of those charges occurred on Saturday, the day the extortionist's Web site was shut down and two weeks after he posted his first credit card numbers.

APBNews also reported that two of the cardholders said the card numbers that were posted on the site were replaced and cancelled months ago, indicating the stolen database may have been old. Also, all of the credit cards were due to expire between February and April 2000, it said.

CUSTOMERS CONTACTED

Greenspan, the eUniverse chairman, said the company was in the process of contacting its customers and advising them of the theft.

"We're working with the credit card companies and we will be and are in the process of informing our users and giving them the appropriate information so that they can make an informed decision (on whether to cancel the cards)," he said.

To view this story: http://www.msnbc.com/msn/355593.asp

-- Jennifer Bunker (Salt Lake City, Utah) (jen@bunkergroup.com), January 10, 2000

