Hacks Come at Difficult Time for DoubleClick

Reports allege DoubleClick has been hacked a third time, following two admitted server break-ins earlier in the week — developments that raise the concerns of some privacy advocates, and which come as the firm prepares new consumer information-based initiatives.

According to French hacking site Kitetoa, which first discovered the earlier break-ins, a portion of the New York-based company’s DARTmail system was the target of a defacement sometime Wednesday evening or Thursday morning.

Attrition.org, a Web site that monitors hacker activity, concurred, reporting that machine at login.dartmail.com displayed the message “prime suspectz owned one of doubleclick servers hohohooohhoho.”

Prime Suspectz is believed to be the culprit behind the defacing of a Microsoft site in New Zealand, as well as foreign sites belonging to eBay and Visa International, and a U.S. site belonging to Nasdaq.

It is not known whether the hackers were able to do anything more than post the message on DoubleClick’s server. Spokespeople for the company, including the chief privacy officer Jules Polonetsky, did not return repeated calls for comment.

As of press time, however, DoubleClick displayed the following message on the DARTmail login server:

“DoubleClick’s Ad Management system is temporarily down due to system maintenance. Please note that during this time, ad serving will not be affected. We sincerely apologize for the inconvenience. Should you have any questions, please contact DoubleClick Customer Support at (212) 655-7600 or email [email protected].”

If the latest reports are true, then this is the third time that DoubleClick has been the subject of a hack attempt.

On Tuesday, the company admitted to reports that machines at www.doubleclick.net and abacusonline.doubleclick.net had both experienced hack attempts. In the first case, hackers had placed a program that would have given them unlimited, “backdoor” access to the server, but had been unable to execute the file, DoubleClick said.

The abacusonline.doubleclick.net machine, which hackers gained access to through an operating system hole, similarly thwarted attempts to gain access to restricted data, because it was a development server that hosted no live consumer information, according to DoubleClick.

Patches that would have secured its Windows NT-based servers had been available since last year from Microsoft. However, DoubleClick apparently had yet to install the fixes — though Polonetsky said that the company was doing so following the hacks’ discovery.

French hacking site Kitetoa, which broke the story of the DoubleClick hacks earlier this week, maintains that the company faces additional security flaws, in the form of development servers connected to “live” Web servers.

While DoubleClick asserted that no consumer information had been at risk in the earlier attacks, the question does raise concerns about the company’s own security measures.

With lists of about 40 million email addresses under its control, and a separate database owned by its Abacus subsidiary containing data from 3.5 billion transactions from more than 90 million U.S. households, DoubleClick houses a wealth of consumer information.

And while the ad network maintains that it safeguards consumer privacy from unethical commercial use, the new developments would appear to call into question DoubleClick’s ability to safeguard that data from criminal exploitation.

In an interview with Internetnews.com earlier this week, Kitetoa suggested that the recent hacks might have been enough to allow a hacker to secretly plant a “password-sniffer” that could capture usernames and passwords of people logging into DoubleClick’s systems.

Kitetoa, who spoke on condition of anonymity, also alleged that hackers could have easily gained access to DoubleClick machines other than the two feature-limited servers reported. DoubleClick has vehemently denied that the hackers would have had such an opportunity.

The recent developments come at an unfortunate time for DoubleClick, which is gearing up for new product and division launches that hinge heavily on consumer data — historically, touchy public relations areas for the firm.

DoubleClick spent much of last year facing down a public relations debacle that stemmed from its planned integration of Abacus data with its own online profiling information — plans that the company abandoned following a hailstorm of criticism from consumer and privacy advocates.

Now, with plans quietly in the works for a revamped online research unit called Diameter, and new products that will incorporate the company’s research and consumer data divisions, concerns about DoubleClick’s handling of security would seem to be especially unwelcome.

Already, one privacy advocate is calling for some answers. In an open letter to Polonetsky, Junkbusters president Jason Catlett criticized the online ad firm and called for it to publish all existing auditors’ reports and attestations on DoubleClick privacy and security. Those auditor records include a quarterly study begun last year by PriceWaterhouseCoopers.

“The recent series of security holes found on DoubleClick’s computers is scandalous,” Catlett wrote. “It is intolerable that DoubleClick keeps such vast amounts of data — trillions of page view records and billions of offline purchases on hundreds of millions of people — all secret, hidden from the people they concern, but is apparently incapable of keeping its systems secure from foreign hackers.”

On his site, Catlett also called for a specific independent investigation of this week’s hacking incidents, and the current state of DoubleClick’s security, and for the company to publish the report.

Catlett said he hadn’t heard “a peep” from Polonetsky since posting his letter on Tuesday, and he still considers them “the biggest and baddest.”

Another privacy advocate said he felt the issue was less troubling, as long as one of DoubleClick’s databases wasn’t violated.

“It’s not great for DCLK, but overall, it doesn’t look like anything bad is going on,” said the Privacy Foundation’s Richard Smith. “As long as [hackers] kind of stay away from any place that has any data in it, I don’t see any problem. “But they hold information about people, in databases like Abacus Direct. I would assume none of those are online, but you can never be sure.”

“It would be bad if someone saw what Robert Redford had been buying for the last three years,” he joked. “If it’s corporate stuff, it’s more of a PR issue.”