Staminus Communications, a hosting provider that specializes in DDoS protection, was the target of a massive hack that exposed sensitive customer data, including credit card information. One of the company’s clients is the Ku Klux Klan, so there’s that.
The hack isn’t a huge surprise, though it’s a remarkably embarrassing turn of events for Staminus. It’s not out of the ordinary for anti-DDoS sites to become fodder for hackers, as they often host unsavory clients. Staminus, for example, plays host to the www.kkk.com, which is obviously a website run by the Ku Klux Klan. (It was still down as of Friday afternoon.) According to Forbes, data from the KKK and “related sites” was also included in the data dump—which, again, is not uncommon
The company acknowledged that there was a problem—though it didn’t specify a data breach—in a message posted to Twitter on Thursday morning:
The company’s website, as well as those of its entire network, remained down through Thursday evening, and at least a few of its clients’ webpages were still unavailable as of Friday afternoon.
The service outage, however, is now the least of the company’s problems. Multiple outlets had previously reported that Staminus was also the target of a major data breach, and on Friday, the company confirmed it had been hacked. Its homepage was updated with the following statement from CEO Matt Mahvi—emphasis ours:
To follow up on our communication from yesterday evening regarding the system outage, we can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.
Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that we do not collect Social Security numbers or tax IDs.
While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While the exposed passwords were protected with a cryptographic hash, we also strongly recommend that customers change their Staminus password.
I fully recognize that our customers put their trust in Staminus and, while we believe that the issue has been contained, we are continuing to take the appropriate steps needed to safeguard our clients’ information and enhance our data security policies.
We will provide updates, as appropriate, as the investigation continues.
The customer information was reportedly exposed on Thursday after hackers posted a data dump online.
According to the security blog Krebs on Security, the data was posted in e-zine format with the title “Fuck ‘em all.” It reportedly included download links for databases belonging to both Staminus and Intreppid, a Staminus-powered host that protects against gaming-focused DDoS attacks. Forbes reported that the breach included at least 15 gigabytes worth of data.
Ars Technica reported that the data dump also included a note from the hackers titled “Tips when running a security company,” which included the following highlights:
—Use one root password for all the boxes
—Expose PDU’s [power distribution units in server racks] to WAN with telnet auth
—Never patch, upgrade or audit the stack
—Disregard PDO [PHP Data Objects] as inconvenient
—Hedge entire business on security theatre
—Store full credit card info in plaintext
—Write all code with wreckless [sic] abandon
Meanwhile, Staminus has advised its users to “change their Staminus password” while the company investigates.
Contact the author at sophie.kleeman@gizmodo.com.