Bell Canada, the country's largest communications firm, is alerting its small business customers that 22,421 usernames and passwords were posted online.
On Sunday, Bell Canada announced via a press release that the breach occurred after a third-party supplier's system was hacked.
“The posting results from illegal hacking of an Ottawa-based third-party supplier's information technology system,” the statement said. “In line with our strict privacy and security policies, Bell is contacting affected small business customers, has disabled all affected passwords, and has informed appropriate credit card companies.”
In addition to thousands of usernames and passwords, the breach resulted in five valid credit card numbers being exposed, the company revealed.
The communications giant is working with federal officials, law enforcement and the hacked supplier to investigate the incident. According to the company, the breach does not impact its residential, mobility or enterprise business customers.
Before Bell Canada's weekend announcement, a hacker group, called “NullCrew,” took responsibility for the hack via a Saturday Twitter post. The group eventually revealed that the information had been accessed through a SQL injection attack, and that it informed a Bell customer support employee weeks ago of the compromise.
On Sunday, a researcher and curator for the nonprofit Open Security Foundation, who goes by the online name “Dissent Doe,” posted an interview with the hacker group at databreaches.net.
In the interview, the group claimed it had access to Bell's server for months, and provided a screenshot of the online conversation had with customer support.
SCMagazine.com reached out to Bell Canada, but did not immediately hear from the company.