CreditCards.com database stolen
 
Card numbers posted on various Web sites  
The hacker's Web site, where he published the credit card numbers.
  

By Bob Sullivan and Mike Brunker
MSNBC
Dec. 12 —  A computer hacker has stolen a database of credit card numbers from CreditCards.com and posted them on several Internet sites. The Los Angeles-based merchant processing company told MSNBC.com today that the break-in actually occurred four months ago and the hacker has been trying to extort the firm ever since.
 WHILE THE COMPUTER intruder claims to have taken 55,000 credit cards from CreditCards.com, the company actually says the number of real victims is much smaller. Michael Butts, executive of operations at the company, said many of the numbers taken were actually test numbers. He said he would not estimate the number of real victims, but described the hacker as “a Russian.”
       MSNBC learned of the heist from a victim — a consumer who was contacted by the computer intruder and warned that three Web pages were recently published revealing the database to any Internet user. On Tuesday morning, one of the Web pages was still visible.
       Butts said his company contacted the FBI immediately on receiving an extortion demand from the hacker, but it did not contact any customers.
Image: Sullivan “They weren’t compromised,” Butts said, adding that there was no evidence the stolen card numbers had been used for any fraudulent purchases.
       
A VICTIM SPEAKS
       But MSNBC.com was able to find a potential victim within a few moments of seeing the database.
       MSNBC.com confirmed that several of the names and card numbers listed in the database were legitimate.
       One of those victims, Elizabeth McCabe of Des Plaines, Ill., canceled her credit card after noticing a fraudulent transaction two months ago.
       “I got a confirmation e-mail from the Worldwide Wrestling Federation thanking me for my order,” she said. “It was for something that was being shipped to the Philipines — $350 worth of hats and things.”
The victim who originally contacted MSNBC, Michael Sayres, called the company this week to complain and was surprised that it had no intention of contacting customers.
       “It was explained to me that I would need to contact my credit card company and cancel my card,” Sayres said in an e-mail. “It appears they have no responsibility with this problem!”
       As a merchant processor, CreditCards.com is a go-between that connects small merchants and banks. According to Butts, the firm is small, with only a couple of hundred merchants — most Internet sites.
       On the Web site that revealed the credit cards, the criminal was direct about his extortion scheme:
 “Michael Butts says I need to talk to Michael Stankewitz from COO [sic]...I told him tjat O want to help creditcards.com, he had my price and he knew my deal,” the Web page reads. “He knew what kind of information we had from their servers. I would destroy it all after the agreement was made and provide network security.
       “Now, I didn’t receive any payment from creditcards.com and I am going to make them bankrupt.”
       Word of the extortion comes nearly a year after thousands of credit card numbers were stolen from CDUniverse.com and posted to the Internet in a failed extortion plot that embarrassed the company.