Are you making certain that they aren't publically accessable w/default user name password? Also check your device provisioning server and make certain that indexing isn't enabled. Someone could be browsing through your config files and lifting them from there but I think the configuration files are all binary and not text readable. David Thompson Network Services Support Technician (O) 858.357.8794 (F) 858-225-1882 (E) dthompson at esi-estech.com (W)?www.esi-estech.com -----Original Message----- From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Ryan Delgrosso Sent: Monday, October 14, 2013 4:09 PM To: voiceops at voiceops.org Subject: [VoiceOps] New SPA2100/2102/1001 exploit in the wild? Hey all, I am seeing my fraud-o-meter tick up as of yesterday and it all seems to be driven by accounts attached to these devices. We have taken measures to start locking this down but I am wondering if anyone out there is seeing similar. It looks like somehow legacy devices that have been deployed for 5+ years are having accounts lifted out of them. Does anyone have info on this exploit, or if you are seeing this as well and want to compare notes feel free to ping me. Thanks, -Ryan _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops