4.5 million Moneybookers accounts and 3.6 million Skrill user details are now available for sale on the Dark Web

Nov 5, 2015 19:57 GMT

Two separate incidents have come to light and forced Optimal Payments, a UK payments processor, to acknowledge that two of its subsidiaries, Moneybookers (now Skrill) and Neteller, were hacked in 2009 and 2010, respectively.

The company issued a public statement on October 29, after Troy Hunt (owner of the haveibeenpwned.com website) and Thomas Fox-Brewster (Forbes reporter) contacted the company and provided samples of the two databases.

The two received the databases from an unnamed third party, which discovered them on the Dark Web, available for sale.

Optimal Services acknowledged the incidents

Optimal Services did not deny that the hacks took place and revealed that it alerted authorities at the time of the 2010 incident at Neteller, a service that it founded in 1999.

In Moneybookers' case, a service that Optimal Services acquired this summer with the purchase of CVC Capital Partners, the situation is a little bit more complicated. Nevertheless, Optimal Services confirmed that authorities were contacted for that incident as well.

Investigations for both services proved that the intrusions were minimal and that no data was used for fraudulent purchases online. Optimal Services stressed that it had not received a single complaint from Moneybookers and Neteller users about those incidents.

Over 8.1 million Moneybookers and Neteller user details are available online

As for the source of the intrusion, company representatives say that a Joomla CMS vulnerability led to hackers accessing the Neteller infrastructure, whereas the Moneybookers intrusion took place because of a compromised VPN.

Fox-Brewster and Hunt claim that the database dump they've received holds 4.5 million Moneybookers records and 3.6 million Neteller accounts.

The Moneybookers data contains user details like addresses, emails, telephone numbers, and birth dates, whereas the Neteller database also holds information about the users' answers to password hints.

Fox-Brewster and Hunt were also the two who investigated and disclosed the 000Webhost.com data breach that leaked details of around 13 million users.