Hackers Attack DDoS Defense Hosting FirmCredit Cards, Other Customer Data Exposed
Credit card and other personal information was exposed in a data breach of Internet hosting provider Staminus Communications, which specializes in protection against distributed denial-of-service attacks. The company hosts the website of the Ku Klux Klan white supremacist group, which was also brought down.
See Also: 2016 Social Engineering Report
Hackers reportedly disrupted access to the website of Staminus Communications for at least 20 hours on March 10, and by March 14, staminus.net appeared to still be inaccessible. The Klan's website also appeared to remain offline.
Staminus' homepage on March 11 initially featured a statement from CEO Mat Mahvi acknowledging the outage, although claiming that "global services, as well as most auxiliary services, are back online for our customers."
The hosting firm has also warned that attackers appear to have stolen and leaked customer data. "Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information and payment card data were exposed," Mahvi said in the statement. "It is important to note that we do not collect Social Security numbers or tax IDs."
But as of March 14, both the website - and that statement - still appeared to be only intermittently inaccessible, if at all.
Pilfered Data Reportedly Seen Online
A huge trove of data from Staminus appeared online, in a classic "hacker e-zine" format, according to Krebsonsecurity.com, which was the first to report on the incident. The page includes links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks.
"The authors of this particular e-zine indicated that they seized control over most or all of Staminus' Internet routers and reset the devices to their factory settings," the Krebs report says. "They also accuse Staminus of 'using one root password for all the boxes,' and of storing customer credit card data in plain text, which is violation of payment card industry standards."
Hours after the outage, Staminus posted overly optimistic Twitter posts promising service would be shortly restored.
Global services are now back online, ancillary services are currently being brought back online. We expect full service restoration soon.ï¿½ DDoS Protection (@StaminusComm) March 11, 2016
Staminus says it had notified law enforcement, including the FBI, once it learned its website was breached. "While the investigation continues," Mahvi says, "we have and will continue to put additional measures into place to harden our security to help prevent a future attack."
Although the exposed passwords were protected with a cryptographic hash, Mahvi urges customers to change their passwords.
Staminus says it notified its payment processor and all card brands so that they could monitor for fraudulent activity. The company advises its customers to regularly check their credit and debit card statements to see whether any fraudulent or suspicious activities occurred.