Hacker publishes credit card numbers on the Web

Online retailers are still reeling this morning after a hacker broke into music store www.CDuniverse.com and stole 25,000 credit card numbers.

In what could be the largest recorded credit card fraud on the Internet, the hacker, simply known as 'Maxus', obtained entry to the US company's 300,000 strong sales database and demanded over £60,000 in blackmail money.

After CD Universe refused to pay, Maxus published 25,000 numbers, expiry dates and addresses on his Web site, and advertised their availability on hacker news groups.

Some reports suggest the credit card details were available from 25 December until last Sunday, when Internet service provider Lightrealm shut down the hacker's site.

The incident could have serious ramifications for online retailers who have repeatedly assured consumers the Internet is a safe place to shop.

This morning, CD Universe's Web site still carried the message: "CD Universe has successfully processed over one hundred thousand credit-card transactions, without a single credit card number being compromised. In February 1997 we were named one of the 10 best commerce sites in the world by PC Week magazine."

According to Michael Walton, CEO of Internet consultancy, Nvision, it was an accident waiting to happen. "It was inevitable. Any hacker worth their salt likes the challenge," he said.

"It certainly says that credit card suppliers and retailers need to be working ever more diligently to improve security online. Bad publicity is worse than any financial loss," he added.

Most of CD Universe's customers will be covered for any losses - at least after the first $50 - by their credit card supplier.

A spokesman for American Express confirmed its customers were covered for fraudulent purchases made over the Internet, and added that the company would work with any affected online retailer to help tighten up security procedures.

The retailer and its software partner CyberCash are so far keeping quiet about the incident.