NullCrew hackers announced the leak a few weeks ago, and have made public the data dump this Saturday. The site hosting the dump has been taken offline, but not before some security researchers and likely some cyber crooks managed to download it.
The blogger behind DataBreaches.net has interviewed the hackers, and has been shown screenshoots of conversations and of the hacking process that corroborate their claims that they they had access to Bell’s server for months, and that they have (unsuccessfully) tried to inform Bell of it and of the vulnerability that allowed them to mount an SQL injection against the company's protection management login page (https://protectionmanagement.bell.ca/passwordrecovery_1.asp).
After a short investigation, Bell Canada confirmed the information compromise, but said that the servers in question are not theirs.
"Bell today announced that 22,421 user names and passwords and 5 valid credit card numbers of Bell small-business customers were posted on the Internet this weekend. The posting results from illegal hacking of an Ottawa-based third-party supplier's information technology system," they stated on Sunday.
"In line with our strict privacy and security policies, Bell is contacting affected small business customers, has disabled all affected passwords, and has informed appropriate credit card companies. We continue to work with the supplier as well as law enforcement and government security officials to investigate the matter. Bell's own network and IT systems were not impacted."
NullCrew still claims that it was Bell's own servers that got hacked, but the company reiterated their claim that they belong to a third-party supplier. Security researcher Adam Caudill commented on Twitter that Bell's version might be true.
"I've seen more than once where a subdomain of a large company points to a third party," he said, adding that his company hosts one for a "very large bank".
"So it's quite possible they are telling the truth. They should still take more responsibility for their data though," he concluded. Another Twitter user searched for the IP of the subdomain in question, and revealed that it is registered to Ottawa-based Magma Communications.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.