Hackers exploited poor coding practices at an Ottawa-based third-party contractor to access and eventually publish more than 20,000 usernames and passwords of Bell Canada’s small business customers on a website.

Canada’s largest phone company is being criticized for allowing the third-party contractor access to sensitive account information, which became vulnerable after IT workers introduced security holes that bypassed Bell’s own security and encryption systems. Even worse, security experts say, Bell apparently stores customer usernames and passwords in a plain text format, accessible to any hacker.

Bell has refused to comment on the security lapse or its ongoing investigation, but the hackers are talking.

“Nullcrew” claimed responsibility for the breach on Twitter, including screenshots that suggest the group used a well-known SQL (structured query language) exploit that allowed the hackers to fish for information contained in Bell’s database.

Hackers often use automated scripts to hunt sites for security exploits and often don’t know whether they will get a handful of useless data or a treasure trove like Bell’s customer records.

Trustwave Holdings, a security company based in Chicago, Ill., said in a 2013 report that poor coding practices have made the SQL injection attack a threat for more than 15 years.

“Outsourcing IT and business systems saves money only if there’s no attack,” the Trustwave report said. “Many third-party vendors leave the door open for attack, as they don’t necessarily keep client security interests top of mind.”

“Nullcrew’s” attack also discarded any pretense of encouraging clients to use passwords that are easy to remember but hard for others to guess, since Bell stored the data in an easily readable format.

Nullcrew said it alerted Bell to its security lapse more than two weeks before publishing their find online. An additional screenshot showed a Bell online customer service representative perplexed about the hacker group’s claims and likely never passed the information on to Bell’s security department.

Bell suspended the affected passwords over the weekend and is notifying customers about the security breach.