Large online payroll service hacked
Login data on unknown number of PayChoice customers stolen
October 1, 2009 05:11 PM ET
Computerworld - In a somewhat unusual data breach, hackers recently stole the login credentials of an unknown number of customers of payroll processing company PayChoice Inc., and then attempted to use the data to steal additional information directly from the customers themselves.
The breach, first reported by the Washington Post this week, took place on Sept. 23 and involved PayChoice's onlineemployer.com portal site. Hackers broke into the site and managed to access the real legal name, username and the partially masked passwords used by customers to log into the site.
They then used the information to send very realistic-looking phishing e-mails to PayChoice's customers directing them to download a Web browser plug-in to be able to continue using the onlineemployer.com service. Each of the messages addressed people by their real names and contained their real username and passwords (partially masked), which had been harvested earlier from PayChoice.
Users who clicked on the link to download the plug-in instead got infected with a username- and password-stealing Trojan.
It is not immediately clear how many customers might have actually clicked on the malicious link.
PayChoice, based in Moorestown, N.J., provides payroll processing services and technology. The company bills itself as the "national leader" in the payroll services and software industry and claims over 125,000 business customers.
In an e-mail statement to Computerworld, PayChoice said it discovered the security breach in its online system last Wednesday.
"We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve," CEO Robert Digby said in the statement. Once the company discovered the breach, it immediately shut down the online system and instituted "fresh measures" to protect client information, the statement said.
The company has also engaged two outside forensic experts to help figure out the full scope of the intrusion. "PayChoice is determined to find the cause and extent of the breach and to take further measures to prevent a future occurrence," Digby said.
Steve Friedl, an independent security consultant, said he first heard of the breach last Thursday when a PayChoice customer informed him. He said that at this point, it is not clear what other information the hackers might have gotten access to.
But it appears very likely that the only data the hackers accessed was the information they included in the fake e-mails that PayChoice's customers received, said Friedl, who wrote about the incident in his blog.
If hackers had in fact accessed more data, it is highly unlikely that they would have resorted to sending out those additional e-mails to PayChoice's customers, thereby running the risk of being exposed, he said.
