TechSpot

Hackers breach web security company used by the KKK, leak sensitive customer data

By midian182
Mar 14, 2016
Post New Reply
  1. It’s pretty embarrassing for any company to get hacked, but it’s even worse when the organization suffering the attack is a web security firm. This was the situation faced by Newport Beach, California-based Staminus Communications recently when the hosting and distributed denial-of-service protection company was the victim of a giant hack.

    On its Twitter page, Staminus described the attack, which took place around 5 am PST last Thursday, as “a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable.”

    Part of the hack involved leaking the sensitive data of around 1971 Staminus customers, including their names and email addresses, as well as unencrypted credit card numbers, expiry dates and CVVs. As pointed out by Ars technica, storing credit card data unencrypted is a violation of Payment Card Industry (PCI) security standards.

    The attack was perpetrated by a crew going by the name of FTA. The data dump, posted in e-zine format, included a note from the hackers titled “TIPS WHEN RUNNING A SECURITY COMPANY,” which outlined the vulnerabilities that FTA found in Staminus’ system:

    • Use one root password for all the boxes
    • Expose PDU's [power distribution units in server racks] to WAN with telnet auth
    • Never patch, upgrade or audit the stack
    • Disregard PDO [PHP Data Objects] as inconvenient
    • Hedge entire business on security theatre
    • Store full credit card info in plaintext
    • Write all code with wreckless [sic] abandon

    It’s not entirely clear why Staminus was targetted, it may have simply been a way to expose the company’s poor security.

    One of the firm's clients is the Klu Klux Klan; according to Forbes, data from the Klan’s domain and “related sites” was found in the data dump. It appears that the KKK’s site is still down following the breach.

    “This was a real treat and one that completely blindsided our team. After pillaging and generally sh*tting on the entirety of Staminus’ & co’s infrastructure, it was discovered that one of the client box’s was housing a real gem,” the FTA wrote.

    “Yes, that’s right, Staminus was hosting the KKK and it’s affiliates. An organization legally recognized in some regions as a terrorist collective. Not that we hold anything against the KKK. Choosing such an awful host as Staminus however is unforgiveable [sic], and consequently they had to be punished.”

    Staminus CEO Matt Mahvi has posted a message on the company wesite confirming the breach.

    Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs,” he wrote.

    “While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password.

    Permalink to story.

     
  2. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,485   +2,038

    Par for the course. A brainless organization choosing a brainless organization for their security. Just like two peas in a pod.
     
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 1,663   +774

    Oh please publish the entire list! I mean, then are proud of their organization so they should be just as proud of letting us ALL know who they are!
     
  4. bmw95

    bmw95 TS Addict Posts: 104   +51

    You'd think they'd at least store credit card data as encrypted data and not in plain text. Ouch.
     
  5. Ira Wechsler

    Ira Wechsler TS Rookie

    The KKK should not be underestimated. Racist hate groups like the KKK and Nazis are not necessarily run by clowns. They are insidious and genocidal. Laughing them off is a mistake. They have to be smashed physically by a united working class. That is why the Trump candidacy is so dangerous. It shows that the finance capitalists are moving toward fascism to maintain their rule as they face both an angry working class and rsing competition from both the Russian and Chines capitalists. We should not be sucked into the patriotic panderings of the ruling class. They do not serve the interests of the 85% of the population that toils under wage slavery.
     
  6. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,485   +2,038

    I'm not a Yank, neither do I live in the US so I'm unaffected by by the likes of the KKK. We have more than enough of our own ridiculous radicals to deal with.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...