A Web security company’s systems are offline this morning after an apparent intrusion into the company’s network. The servers and routers of Staminus Communications—a Newport Beach, California-based hosting and distributed denial of service (DDoS) protection company—went offline at 8am Eastern Time on Thursday in what a representative described in a Twitter post as “a rare event [that] cascaded across multiple routers in a system wide event, making our backbone unavailable.”
That “rare event” appears to have been intentional. A data dump of information on Staminus’ systems includes customer names and e-mail addresses, database table structures, routing tables, and more. The data was posted to the Internet this morning, and a Staminus customer who wishes to remain anonymous confirmed his data was part of the dump. The authors of the dump claim to have gained control of Staminus’ routers and reset them to factory settings.
The dump, in a hacker “e-zine” format, begins with a note from the attacker. Sarcastically titled “TIPS WHEN RUNNING A SECURITY COMPANY,” it details the security holes found during the breach:
- Use one root password for all the boxes
- Expose PDU’s [power distribution units in server racks] to WAN with telnet auth
- Never patch, upgrade or audit the stack
- Disregard PDO [PHP Data Objects] as inconvenient
- Hedge entire business on security theatre
- Store full credit card info in plaintext
- Write all code with wreckless [sic] abandon
No credit card data was displayed in the dump viewed by Ars Technica, but storing credit card data unencrypted is a violation of Payment Card Industry (PCI) security standards and would be a major error for any company. It’s much more egregious for a company marketing itself as a security firm.
DDoS mitigation companies attract a wide range of customers; those in the Staminus breach included a number of small gaming companies (including Minecraft server operators) and hosting firms. However, the dump also included the Klu Klux Klan—the official website of the KKK was among the sites hosted through Staminus. The company also hosted a number of other public sites associated with the Klan and the American Heritage Committee serviced under the same account.
Ars attempted to reach Staminus, but no one was available to comment this morning. Meanwhile, the company’s Twitter feed has gone quiet after announcing that some services were restored; some customers responded that they had become unavailable again. As word spread of the hack, the Staminus Twitter thread became one of customer despair.