Following just days after Tango's servers were compromised, the Syrian Electronic Army(SEA) has hacked another calling and messaging service, Viber. E Hacking News is reporting that this time SEA was able to acquire a partial database backup containing phone numbers, UDIDs (Viber generated, not Apple UDIDs) and IP addresses, among other user information for some of Viber's more than 200 million subscribers.
In addition to the database, SEA was also able to deface Viber's support page. The defaced page told visitors that the service was designed for spying and tracking, but has since been taken down. The hackers also told E Hacking News that they still have access to the system and have deleted the Viber system that was used for managing accounts.
TechCrunch has posted an official response from Viber. It reads in part:
It is very important to emphasize that no sensitive user data was exposed and that Viber’s databases were not “hacked”. Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system.
Another statement elaborated further on the types of data that were compromised:
The data is quite basic – we want to know when user registered, where from (country), device type (helps us understand who uses Viber, detect problems, etc), UDID is an internal ID (not the Apple UDID), push token is used to communicate with users (but cannot be used by a 3rd party), etc. While this is not the most sensitive data (message content, address book, etc), we are disappointed that hackers were able to gain access to these systems. We are working, as we speak, to make sure that this will not happen again.
The system that was breached is our CSR (Customer Support). Supporters need access to this data to help users with various technical issues. Most app developers would provide their supporters with similar data.
Viber also responded to accusations that their service was for spying:
Viber, like many other companies such as Microsoft, Cisco, Google, and Intel maintains a development center in Israel. It seems like this caused some people to come up with some pretty bizarre conspiracy theories.
It goes without saying, that these claims are completely without merit, and have no basis in reality whatsoever.
If Viber's reports are accurate, while it may be distressing to see some of the company's systems breached, it should be at least somewhat reassuring to users that their truly sensitive information was not compromised. While Viber's word may not be enough to go off for many users, the Syrian Electronic Army has yet to provide any evidence to the contrary.
