Staminus Communications, a hosting provider that specialises in DDoS protection, was the target of a massive hack that exposed sensitive customer data, including credit card information. One of the company’s clients is the Ku Klux Klan, so there’s that. The hack isn’t a huge surprise, though it’s a remarkably embarrassing turn of events for Staminus. It’s not out of the ordinary for anti-DDoS sites to become fodder for hackers, as they often host unsavoury clients. Staminus, for example, plays host to www.kkk.com, which is obviously a website run by the Ku Klux Klan. (It was still down as of this morning.) According to Forbes, data from the KKK and “related sites” was also included in the data dump — which, again, is not uncommon.
The company acknowledged that there was a problem — though it didn’t specify a data breach — in a message posted to Twitter on Friday morning:
We are aware of network impacts. We are working on them. No ETA currently. — DDoS Protection (@StaminusComm) March 10, 2016
Problem has been identified and technical team is working on the network. A timeline for the restoration of service is still unavailable. — DDoS Protection (@StaminusComm) March 10, 2016
Around 5am PST today, a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable. — DDoS Protection (@StaminusComm) March 10, 2016
The company’s website, as well as those of its entire network, remained down through Friday morning, and at least a few of its clients’ webpages were still unavailable as of this morning.
The service outage, however, is now the least of the company’s problems. Multiple outlets had previously reported that Staminus was also the target of a major data breach, and today, the company confirmed it had been hacked. Its homepage was updated with the following statement from CEO Matt Mahvi — emphasis ours:
To follow up on our communication from yesterday evening regarding the system outage, we can now confirm the issue was a result of an unauthorised intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.
Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
While the investigation continues, we have put and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password.
I fully recognise that our customers put their trust in Staminus and, while we believe that the issue has been contained, we are continuing to take the appropriate steps needed to safeguard our clients’ information and enhance our data security policies.
We will provide updates, as appropriate, as the investigation continues.
The customer information was reportedly exposed on Friday after hackers posted a data dump online.
According to the security blog Krebs on Security, the data was posted in e-zine format under the title “Fuck ’em all”. It reportedly included download links for databases belonging to both Staminus and Intreppid, a Staminus-powered host that protects against gaming-focused DDoS attacks. Forbes reported that the breach included at least 15 gigabytes of data.
Ars Technica reported that the data dump also included a note from the hackers titled “Tips when running a security company,” which included the following highlights:
— Use one root password for all the boxes
— Expose PDU’s [power distribution units in server racks] to WAN with telnet auth
— Never patch, upgrade or audit the stack
— Disregard PDO [PHP Data Objects] as inconvenient
— Hedge entire business on security theatre
— Store full credit card info in plaintext
— Write all code with wreckless [sic] abandon
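As an added example that is not from the article or from Staminus, here is what the “disregard PDO”, hashed-password and plaintext-card items in that list point at in PHP: an unsafe lookup beside its PDO prepared-statement form, bcrypt password storage, and tokenised card references. The users and cards tables and their columns are assumed for illustration.

```php
<?php
// Added example, not code from the article or from Staminus; the users/cards tables are assumed.

// The "disregard PDO" item: splicing the username into the SQL text means any quote
// character in the value ends the string literal and the remainder is parsed as SQL.
function findUserUnsafe(PDO $db, string $username): ?array {
    $row = $db->query("SELECT id, password FROM users WHERE username = '$username'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: a prepared statement keeps the SQL text constant and sends the
// value separately, so it is only ever compared, never parsed.
function findUserSafe(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Passwords: store a salted, slow hash (bcrypt via password_hash), never the plaintext;
// password_verify re-derives the hash from the stored salt and compares in constant time.
function registerUser(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password): bool {
    $row = findUserSafe($db, $username);
    return $row !== null && password_verify($password, $row['password']);
}

// Card data: keep a processor-issued token and the last four digits only, so a
// database dump never contains a full card number or CVV.
function storeCardReference(PDO $db, int $userId, string $token, string $last4): void {
    $stmt = $db->prepare('INSERT INTO cards (user_id, token, last4) VALUES (:uid, :t, :l4)');
    $stmt->execute([':uid' => $userId, ':t' => $token, ':l4' => $last4]);
}

// Stand-alone demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$db->exec('CREATE TABLE cards (id INTEGER PRIMARY KEY, user_id INTEGER, token TEXT, last4 TEXT)');
registerUser($db, 'alice', 'correct horse battery staple');
storeCardReference($db, (int) $db->lastInsertId(), 'tok_constructed_example', '4242');
var_dump(login($db, 'alice', 'correct horse battery staple'), login($db, 'alice', 'wrong'));
// A quote inside the name is plain data for the prepared statement; the unsafe
// version would hand the same value to the SQL parser and raise a syntax error.
var_dump(findUserSafe($db, "o'brien"));
```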
Meanwhile, Staminus has advised its users to “change their Staminus password” while they investigate. They will probably be doing more than that!