It’s pretty embarrassing for any company to get hacked, but it’s even worse when the organization suffering the attack is a web security firm. This was the situation faced by Newport Beach, California-based Staminus Communications recently when the hosting and distributed denial-of-service protection company was the victim of a giant hack.
On its Twitter page, Staminus described the attack, which took place around 5 am PST last Thursday, as “a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable.”
Part of the hack involved leaking the sensitive data of around 1971 Staminus customers, including their names and email addresses, as well as unencrypted credit card numbers, expiry dates and CVVs. As pointed out by Ars Technica, storing credit card data unencrypted is a violation of Payment Card Industry (PCI) security standards.
The attack was perpetrated by a crew going by the name of FTA. The data dump, posted in e-zine format, included a note from the hackers titled “TIPS WHEN RUNNING A SECURITY COMPANY,” which outlined the vulnerabilities that FTA found in Staminus’ system:
- Use one root password for all the boxes
- Expose PDU's [power distribution units in server racks] to WAN with telnet auth
- Never patch, upgrade or audit the stack
- Disregard PDO [PHP Data Objects] as inconvenient
- Hedge entire business on security theatre
- Store full credit card info in plaintext
- Write all code with wreckless [sic] abandon
It’s not entirely clear why Staminus was targeted; it may have simply been a way to expose the company’s poor security.
One of the firm's clients is the Ku Klux Klan; according to Forbes, data from the Klan’s domain and “related sites” was found in the data dump. It appears that the KKK’s site is still down following the breach.
“This was a real treat and one that completely blindsided our team. After pillaging and generally sh*tting on the entirety of Staminus’ & co’s infrastructure, it was discovered that one of the client boxes was housing a real gem,” the FTA wrote.
“Yes, that’s right, Staminus was hosting the KKK and its affiliates. An organization legally recognized in some regions as a terrorist collective. Not that we hold anything against the KKK. Choosing such an awful host as Staminus however is unforgiveable [sic], and consequently they had to be punished.”
Staminus CEO Matt Mahvi has posted a message on the company website confirming the breach.
“Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs,” he wrote.
“While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password.”