- Business Insider spoke to multiple people claiming involvement in the TalkTalk hack.
- They claim they carried out the attack for “shits and giggles,” rather than in an attempt to make money.
- They say TalkTalk’s security was so weak one admin login had a three-letter password.
- One source claims hackers still had access to TalkTalk’s systems days after the hack was announced.
The net is closing in on the TalkTalk hackers. Four individuals have now been arrested in the police investigation of the October 21 hack on the company.
Business Insider spoke and communicated with multiple people who claim they were close to the attack since it was first made public on October 22. In the immediate aftermath of the attack — before the company released details of the hack, and before any arrests were made — these sources knew key information about the hack that later turned out to be true. These sources told us details about the hacking days before they were made public by the police or TalkTalk, including the ages of two of the boys arrested in connection with the attack.
They also told us why and how they decided to breach TalkTalk’s databases.
The alleged hackers told Business Insider that they did it for “shits and giggles,” and that TalkTalk’s security was “horrible.” TalkTalk declined to comment, citing the ongoing criminal investigation.
Many of the claims made by sources we have spoken to are unverifiable. Some may have outright lied to us, in part to conceal their identities. One of the individuals we spoke to has been falsely accused by online hackers of cybersecurity breaches in the past, according to The Times, raising the possibility that a calculated effort is being made by some hackers to frame a teenager over the hack.
With that said, here is what the people claiming responsibility for the TalkTalk hack told us about how and why they did it.
On Friday, October 23, one day after the hack was made public, and three days before anyone was arrested, Business Insider spoke to someone who identified themselves using the handle “Vamp.” This person gave his age, said he was from the UK, and said he was not worried about being caught. “I personally don’t mind, you can publish what you want, it doesn’t bother me,” he said. “I don’t have any cares to be quite honest with you, that’s why I’m willing to talk with you in my real voice on a Skype call.”
“Vamp” told Business Insider that one of the databases he allegedly exfiltrated had around 1.3 million entries.
In a statement released on November 6, TalkTalk said 156,959 customers were affected by the hack. In a previous statement, the company had said that “less than” 1.2 million pieces of customer data in total were compromised. A TalkTalk spokesperson clarified to Business Insider that this 1.2 million figure is made up of multiple pieces of data from each compromised individual — email addresses, names, and so on.
“Vamp” also showed Business Insider information on a TalkTalk customer that was allegedly taken in the breach. Significantly, this data had a timestamp dating from after the last attack on the company in August 2015, indicating that it wasn’t taken from an earlier hack. The customer later told Business Insider they believe they cancelled a contract with TalkTalk at a date corresponding to the timestamp, suggesting that the data had indeed come from the October 22 hack.
Within hours of TalkTalk announcing it was hacked on the evening of October 22, multiple tweets sent by people connected to “Vamp” mentioning his Twitter handle (“@niggerbit”) imply that he had a hand in it. For example, two hours after TalkTalk issued a statement about the hack, a user called “Antichrist” sent the tweet “@n—-rbit what have you done”, and linked to this statement from TalkTalk.
A blackmail demand from Soviet Jihadi terrorists claimed responsibility for the hack in the immediate aftermath, and garnered some press attention. “Vamp” told Business Insider on October 23 that he had “never heard of that group.” On October 24, he subsequently said that it was “a troll,” and was “to be used as a bait by a friend so the attack wouldn’t fall back on him.”
TalkTalk announced on Friday, October 23, that it had received a ransom note from someone purporting to be the hacker, and reportedly asked for £80,000 in digital currency bitcoin. “Vamp” denied to Business Insider that he or any of the others involved had sent a ransom demand to TalkTalk.
However, the company says that it received the ransom demand before the hack was made public, making it unlikely to be an imitator trying to cash in. Additionally, respected security journalist Brian Krebs reports that the individual demanding money provided an internal database of 400,000 users as “evidence” of their involvement in the hack, citing “a source close to the investigation.”
One possibility is that one of the others that “Vamp” alleges was involved in the hack sent the ransom request; another is that one of them shared the data, and whoever they shared the data with did it. Or “Vamp” could have simply lied to us in an attempt to protect himself.
“Vamp” claimed that the data he allegedly stole was “just going to sit on my desktop, it’s not going to go anywhere.” He denied that he planned to sell it to criminals and identity thieves on the dark web — a frequent outcome of data breaches. “Money’s no value to me,” he said. “We did it — it seems ironic saying this — but we did it for the lulz.”
The attack was, he said, “purely to like, own the ISP,” and “there was no bad behind it.” It was for “shits and giggles.”
“Vamp” alleged that some of TalkTalk’s passwords were stored in plain text rather than encrypted. “Vamp” described TalkTalk’s alleged security as “terrible, that’s being honest with you, horrible.” TalkTalk, however, says that no users’ passwords have been accessed.
A second TalkTalk customer Business Insider spoke to confirmed that a password linked to an email address that “Vamp” alleges was taken in the breach was real — but hasn’t been used with the account for “three or four years” at least. The account was a Tiscali account, and as such, one possibility is that no current passwords were accessed, but that records of old Tiscali passwords — stored in plain text — were retained, and accessed by the attackers. Tiscali was an Italian telco and email provider acquired by TalkTalk in 2009. TalkTalk says the amount of data potentially stolen is far less than the 4 million initially feared — just 157,000 customers have apparently been affected.
“Vamp” said that he wasn’t the one who initially found the vulnerability. “I was chilling, and my friend hit me up with some information we decided to exploit.” He said the attack was a “blind SQL injection,” taking advantage of a vulnerability in a certain web page video.
An SQL injection is a technique in which attacker-supplied input is interpreted by a database as part of a command, allowing a dump of information or access to the machine. A similar vulnerability in TalkTalk’s website had previously been disclosed to the security website Xssposed.org on October 18, before the hack, albeit with the details and the required URL hidden, as Brian Krebs later reported.
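The vulnerability class the sources describe, as an added illustration that is not from the article or from TalkTalk’s code: a constructed in-memory SQLite customer table, a lookup that splices user input into the query text beside the parameterized form, and a boolean “record exists” check of the kind a blind injection abuses because the page reveals only true or false. Table, rows and function names are assumptions.

```python
import sqlite3

# Constructed stand-in for a customer table; not TalkTalk's schema or data.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
    ("o'brien@example.com", "O'Brien"),  # legitimate value containing a quote
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers (email, name) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Defect: the untrusted value is pasted into the SQL text, so a quote in the
    # input closes the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT email, name FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Fix: bind the value as a parameter; the driver never treats it as SQL,
    # so quotes and keywords in the input are matched literally.
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def exists_vulnerable(conn: sqlite3.Connection, email: str) -> bool:
    # A yes/no oracle: this is all a blind injection needs to leak data.
    return len(lookup_vulnerable(conn, email)) > 0


def exists_safe(conn: sqlite3.Connection, email: str) -> bool:
    return len(lookup_safe(conn, email)) > 0


def query_breaks_vulnerable(conn: sqlite3.Connection, email: str) -> bool:
    # The concatenating version also fails on honest input with an apostrophe,
    # which is often how such defects first surface in error logs.
    try:
        lookup_vulnerable(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    tautology = "x' OR '1'='1"
    print("vulnerable:", exists_vulnerable(db, tautology), len(lookup_vulnerable(db, tautology)))
    print("safe:", exists_safe(db, tautology), len(lookup_safe(db, tautology)))
```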
An individual connected to “Vamp” first tweeted a link to the alleged vulnerability directly at one of TalkTalk’s Twitter accounts on October 23, a day after the hack was first made public.
“Vamp” said there were four others directly involved in the attack — two from the UK, and two from the US. So far, including the person linked to the “Vamp” alias, four people have been arrested in the UK. It is not currently clear what the alleged involvement of those arrested is, and so far none have been formally charged.
“Glubz,” another individual with knowledge of the hack, told Business Insider that the vulnerability was passed around a lot, and that as many as “20 +” were ultimately involved. Another source claimed that “in the background a lot more people were busy with it.” This suggests that if “Vamp’s” story is accurate, then whoever shared the vulnerability with him also shared it with multiple others.
Channel 4 has also reported a similar number, with one of their sources alleging that “at least 25 people had access to it.”
A tweet sent by “Ryan,” another individual with apparent knowledge of the hack (above), suggests that one of the admin logins for an internal tool was “tim,” and that the password for the login was also “tim”. Using the same word as a login ID and a password is a classic mistake that hackers look for.
“Vamp” also claimed to Business Insider that this was the case. “Talktalk has a isp tool called ‘Davinci’ and the admin login for that tool was tim:tim,” he said.
On October 26, three days after Business Insider began our conversation with “Vamp,” London Metropolitan Police announced the arrest of a 15-year-old boy in County Antrim, Northern Ireland, as part of the investigation into the hack. The boy was, the police said in a statement, “arrested on suspicion of Computer Misuse Act offences.” He has since been bailed until a “date in November” as “enquiries continue.”
At this point, the circumstantial evidence that we had talked to the boy who was arrested began to mount up.
The name of the arrested boy (which Business Insider is not publishing for legal reasons) is the same as one included in a “dox” of “Vamp” nine months ago. A “dox” is the publication of personal identifying information about an individual, done to make the individual vulnerable to other hackers and identity thieves. Hackers sometimes dox each other as an act of revenge for some perceived slight. The individual who claims to have doxed “Vamp” told Business Insider that he did so after “Vamp” allegedly doxed him first. (“Vamp” also previously went by the alias “Vicious,” people close to him say, and an older “dox” of the boy also refers to him by that alias.)
Additionally, independent journalist Nevin Farrell said on Twitter he had visited the house of the boy arrested, and that it is located on the same estate as the one named in the dox.
Since the arrest, the individual we spoke to has been unresponsive, and has not tweeted.
An apparent friend of “Vamp’s” shared with Business Insider a photo that he claims is of “Vamp” after the teenager was arrested in Ireland. It shows a teenage boy with the word “HACKER” written on a piece of paper stuck to his forehead. The boy in the photo looks similar to the photo of the teenager that was published on the front pages of The Sun and The Daily Mail following the first arrest.
One possibility is that we didn’t speak to the “real” “Vamp,” but rather an impersonator — perhaps another hacker trying to frame him.
As The Times’ John Simpson has reported, hackers have tried to frame “Vamp” for previous cybersecurity breaches before. Something similar could be happening here. One source Business Insider spoke to admitted this has happened in the past — describing it as “fun times” — but denied this was the case in this instance.
Several people Business Insider spoke to who move in hacking circles were also dismissive of “Vamp,” describing him as a “skid” — an abbreviation of the derisory term “script kid,” or someone who is reliant on scripts and pre-written code to hack, rather than using their own skill.
But a tweet from September 2015 links the alias “Vamp,” the Skype handle of the individual that Business Insider spoke to, and an IP address in Ireland — suggesting they may indeed be one and the same. It is also possible that we spoke to the real “Vamp,” but that he lied about some or all of his involvement in the attack — and was arrested anyway. This should become clearer in the weeks ahead as the police investigation continues.
The alternative explanation is that some people with detailed knowledge of the TalkTalk hack are going to extensive lengths to try and frame a boy for the breach.
The mother of the person arrested did not respond to a request for comment. Ian Paisley, the MP for North Antrim, has subsequently said: “I have spoken with the mother of the teenager arrested and bailed in relation to the TalkTalk case. The family are trying to come to terms with this situation and although they appreciate the wide public and press interest in this matter, can I appeal for the press to cease contacting the family at their home.”
“They cannot comment publicly and the teenager in question cannot make any public comments.”
On October 29, Business Insider approached TalkTalk with the claims made by “Vamp.” The company declined to comment.
As previously mentioned, the person linked to “Vamp” isn’t the only one to have been arrested. As of publication, there have been three others:
- A 16-year-old from West London, who was arrested on October 29.
- A 20-year-old man from Staffordshire, on October 31.
- A 16-year-old from Norwich, who was arrested on November 3.
Multiple sources claimed to Business Insider that the 16-year-old arrested on November 3 is a hacker who goes by the alias “Glubz.” “Glubz,” who uses the Twitter handle @fearful, was previously linked to the attack by Brian Krebs, who reported that “Glubz” had been tweeting about “expecting a raid from the UK authorities any minute” in the aftermath of the TalkTalk hack.
One source alleged to Business Insider that “Glubz” is the one who initially found the exploit. Krebs reported that a user account linked to “Glubz” posted a similar exploit on XSSposed, a site for reporting vulnerabilities in websites.
This source also alleged that “Glubz” had to be taught how to use the exploit after discovering it, though they declined to say who did so.
They did not provide proof of these claims, and Business Insider has been unable to substantiate them. And this is true for many of the allegations floating around in the aftermath of the hack: Hackers are making claims and counter-claims — perhaps truthfully, perhaps in attempts to clear their name, and perhaps in deliberate malicious attempts to sow misinformation.
Business Insider does not know for sure whether any of the individuals we spoke to were directly involved in the attack — and none of the individuals arrested have been formally charged with any crime at the time of publication.
A document shared on Pastebin written by someone connected to the hacking scene who uses the handle “Charm” accuses “Glubz” of involvement, albeit without proof. It alleges the attack went down like so:
Story: Glubz found an SQLi vuln[erability] in TALKTALK by accident! he then went to a friend to ask how to use SQLmap to exploit the vuln; he was shown how to use SQLmap, once he learnt the grand skill of the command line magic python tool!!!! known as “SQLmap” his brain decided to kick in “oh sh-t i have bad opsec [operations security] and autism, i should get people to hack this for me so i don’t get v& [arrested] plus i can still take the credit!! yes!!!!”
“Glubz” denied any involvement in the hack to Business Insider prior to police making an arrest in Norwich of a 16-year-old. He said that he had the opportunity to be involved, but declined: “i had the chance to cause crazy damage but i chose the right decision not to.”
(“Charm’s” Pastebin document also alleges that someone who calls themselves “Antichrist” was also involved. “Antichrist” was tweeting about the hack soon after it was made public by TalkTalk, but he denies he had any part in the attack, and Business Insider has seen no proof that he was directly involved. There is also a member of hacking group Lizard Squad who uses the name “Antichrist,” but we know of no relation between the two, and the Antichrist we spoke to denies they are connected.)
Here is “Glubz’s” version of events: “it’s a very long and confusing story, but basically a friend of mine told me about this sqli that his friend found. i knew instantly not to get involved, however he spreaded [sic] it onto other people who executed it, god knows how many people got involved.”
“Glubz” said he believes that as many as “20 +” people subsequently “got involved” (a far larger number than that given by “Vamp”). He says he had “never even heard of” “Vamp”, although he had encountered the @n—-rbit Twitter account before.
“Don’t do a Krebs on me and make me look like some crazy cyber criminal lol,” he asked. He called Krebs’ coverage “pretty unfair if you ask me,” saying that “my friends i[n] real life saw it lolol.”
Following the arrest of a 16-year-old on November 3, Krebs reported that when “reached for comment … Glubz was evasive and would neither confirm nor deny being arrested.”
After Krebs published his piece, Business Insider reached out to Glubz again. He flatly denied being arrested. “im [sic] actually so confused,” he said. “Don’t listen to people on the internet.”
However, there is evidence to suggest that the person who was arrested is the same “Glubz” who appeared on the Skidpaste site for hackers, according to Brian Krebs:
Glubz also had an entry at the now-defunct skidpaste.org, a site which sought to document the known aliases, addresses and other contact information on young script kids (hence “skid”) who fancy themselves much better hackers than they really are.
After Business Insider brought this up, Glubz stopped responding.
Another individual Business Insider spoke to, identified only as “C,” also claimed to have been involved in the attack on TalkTalk. “Vamp” said on October 23 — two days after the hack — that this person still had “physical shell access to the machine,” meaning they allegedly still had access to TalkTalk’s system and were able to exfiltrate further data.
On October 24, “C” told Business Insider that they still had access to TalkTalk’s server. On October 27, the day after the first arrest, they said that “i will soon be wiping everything.” This person has since been unresponsive.
However, “C” also told Business Insider that they “have full bank account info on all 4 million users.” TalkTalk says that “less than 21,000” unique bank account numbers and sort codes and “less than 28,000” credit card details (with some digits obscured) were accessed by the attackers — casting doubt on all of “C’s” claims.
It is not clear whether “C” is one of the individuals arrested and subsequently bailed.
Even at the best of times, the online hacking subculture is notoriously untrustworthy — full of hoaxes, disinformation, and catfishing (impersonating people to defraud others on the internet). And as police make arrests, those involved will likely be desperately trying to erase all links between themselves and the hack.
Who exactly did we speak to? It’s difficult to say for sure — but they claimed involvement, clearly had some knowledge of the attack that was not public, and had ties to those subsequently arrested. As the police investigation progresses, and if any charges are brought against those arrested, the situation should become slowly clearer.