D-Link Confirms Breach, Rebuts Hacker's Claims About Scope

Taiwan-based network equipment vendor D-Link this week confirmed that it was the victim of a recent data breach, but dismissed the seeming perpetrator's claims about the severity of the incident as inaccurate and exaggerated.

On Oct. 1, an individual using the handle "succumb" claimed on the BreachForums online community for cybercriminals about having breached the internal network of D-Link in Taiwan. The individual claimed to have exfiltrated some 3 million lines of customer information and source code pertaining to D-Link's D-View network management software.

The self-proclaimed hacker's post identified the stolen data as including names, emails and physical addresses, phone number, and company information on D-Link's customers. 

"This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company," the hacker's BreachForum post went on to add.

Nowhere Near in Scale As Hacker's Claims?

According to D-Link, an investigation of the incident that it conducted with its internal team and with experts from Trend Micro showed that while a breach happened, it was nowhere near the scale the hacker portrayed on BreachForums.

For one thing, D-Link said the data that the hacker obtained was outdated, and did not contain any personally identifiable information (PII) or financial data. The number of records that the attacker appeared to have accessed was also just 700 or so — not remotely near the 3 million records the hacker claimed.

Available evidence suggests that the intruder most likely exfiltrated "archaic" registration related data from a D-View system that reached end of life in 2015, D-Link claimed. None of the records that the hacker obtained appear to be currently active. "However, some low-sensitivity and semi-public information, such as contact names or office email addresses, were indicated," D-Link said.

D-Link said it believes the attacker gained access to the "long-unused and outdated data" via a successful phishing attack on one of its employees." 

Following the incident D-Link noted that it has reviewed its access control mechanisms and will implement additional controls as necessary to mitigate against similar threats. "D-Link believes current customers are unlikely to be affected by this incident. However, please get in touch with local customer service for more information if anyone has concerns," the company advised.

Signal Breach Claims: A Similar Incident in Recent Days

The incident is the second in recent days where a company has been forced to initiate a review of its security measures, after a breach claim that turned out to be false of exaggerated. 

Earlier this week, the security team at Signal had to respond to rumors about an alleged zero-day vulnerability in the secure messaging service that allowed for full device takeover. After what the company described as a "responsible investigation" of the claims, it determined the claim was just a viral rumor. 

"We have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels," Signal said on X (formerly known as Twitter). As part of its verification efforts, Signal said it checked with people across the US government to see if anyone had encountered issues with the service.

In D-Link's case, the hacker's claims prompted an immediate shut down of servers that its security team thought might be relevant. 

"We blocked user accounts on the live systems, retaining only two maintenance accounts to investigate any signs of intrusion further," the company said. The company also scoured its software test lab systems to determine if any sensitive data had leaked into the environment. During the process, D-Link's security team disconnected the test lab from the company's corporate network.