
VPSAce hacked, database stolen, encryption key for cards likely taken

MannDude

Just a dude
vpsBoard Founder
Moderator
Ah, you must lurk IRC. I didn't think to post it here.


1:00 AM <•MannDude> I log in once a week or so and check to see where traffic is coming from and what not.
1:00 AM <Hexxis> i do it about once a month
1:00 AM <•MannDude> Speaking of which...
1:00 AM — •MannDude checks Piwik
1:01 AM <Hexxis> ;p
1:02 AM <•MannDude> uhg
1:02 AM <•MannDude> http://leak.sx/showthread.php?tid=188223
1:02 AM <•MannDude> That is in the referal log



Anyhow, worth noting. I think most customers of vpsace have already jumped ship or have been smart enough to change their info.  Looks like whoever posted that on that site tried to sell something another member there gave them? No idea.
 

drmike

100% Tier-1 Gogent
Ah, you must lurk IRC. I didn't think to post it here.

Yeah I lurk, trying to reclaim more life cycles for offline ventures like picking my nose.  Thus the more sporadic and reduced posting.  

I posted this because it involves customers and their credit cards, if they were dumb enough to buy from vpsAce and use a direct card.  Shame. 

I've seen a database dump; they were compromised fully, contrary to whatever the person on that other site is saying.  Clearly, there must have been multiple people in vpsAce's servers.
 

drmike

100% Tier-1 Gogent
Has there been a public statement at least?


Francisco
I don't believe there has been.  A quick search of Google finds this and some offer posts by vpsAce.   Nothing else though.

I'll be posting more information on this later.   There is at least one tidbit found in the data that is concerning and prior to hack/database theft.
 

drmike

100% Tier-1 Gogent
This is ugly.

$cc_encryption_hash = 'sWSMAch3ptCe34eTlWzg4VQFcCWClinE46gu9nnpHQtBKykW....
Someone at vpsAce/B2 Net/Servermania/etc. needs to go compare that portion with the on disk crypto for WHMCS.

Yeah, I've truncated the hash.   
 

drmike

100% Tier-1 Gogent
and... it appears from the data that they were given some prior notice, albeit extortion of the hack.   So their failure to let customers know and proper authorities is unforgivable:

| id | tid | did | userid | contactid | name | email | cc | c | date | title | message | status | urgency | admin | attachment | lastreply | flag | clientunread | adminunread | replyingadmin | replyingtime | service |
+------+--------+-----+--------+-----------+------+-------+----+----------+---------------------+--------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+-------+------------+---------------------+------+--------------+-------------+---------------+---------------------+---------+
| 2887 | 404068 | 1 | 1601 | 0 | | | | 2Dp7FSCB | 2013-11-13 02:35:02 | Hi, I hacked VPSAce.com | If you don't want your customer database and your /public_html/ files to
be released, I'd suggest you listen to me. To make me want to not
release the information that I have, I need you to go ahead and
reinstate the VPS that Taylor S---- owned, and upgrade it to a nice 8GB
RAM, 200GB HDD, and 6 cores.

Thanks, ________. | Open | Medium | | | 2013-11-13 02:35:02 | 0 | 1 | 7,8 | 0 | 0000-00-00 00:00:00 | |
Note the date:

2013-11-13 02:35:02
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Jesus, is that a joke? Someone exploited them and demanded a VPS to be upgraded as ransom?

Sounds like someone was suspended since they ask for it to be reinstated.
 

drmike

100% Tier-1 Gogent
Jesus, is that a joke? Someone exploited them and demanded a VPS to be upgraded as ransom?

Sounds like someone was suspended since they ask for it to be reinstated.
No joke. I am looking through the database.  That stood out since it was one of the very last tickets.  Random query luck.
 

drmike

100% Tier-1 Gogent
What's funny about the extortion piece is "Taylor S________" doesn't exist... Mind you, omitting the poor chap's name.
 

drmike

100% Tier-1 Gogent
Here's a good one:

Doing this will not only give you better io and better system performance by utilization of flashcache but you will also be able to pack more clients on per node for a better profit on your side as well
 

Thomas Dale
Operations, ColoCrossing.com
More of them profiteering for over sold.  Spread the love around.  With flashcache, you too can oversell like a champion.  Or that's the concept.

32GB RAM E3 again.  Selling 2GB plans off of it and looks like a lack of servers vs. containers.
 

RiotSecurity

New Member
Taylor Swift the singer maybe. :p
Taylor Smyth - aka Vypor

Google: Taylor Smyth Vypor

Taylor Smyth = Taylor Hayden Smyth, who's been a naughty little boy sending out bomb threats and who got himself a nice raid & computer clone.
 

drmike

100% Tier-1 Gogent
^--- still doesn't dawn on me why Taylor was mentioned therein when he wasn't a customer and the company would have no way of complying with whoever's request to reactivate and boost service.
 

DomainBop

Dormant VPSB Pathogen
Has there been a public statement at least?

TL;DR The company is based in Ontario. Canada, with the exception of Alberta, doesn't require consumers (or the government) to be notified when there is a database breach.  Notification is voluntary. https://www.privacyassociation.org/publications/2013_04_01_exploring_federal_privacy_breach_notification_in

TL;DR #2 even if Canada required notification the average low end provider would probably be clueless about the requirement (just look at US based companies like ChicagoVPS and httpZoom who failed to follow the letter of the law of the 46 states that have breach notification laws when they were breached this year).

The Agreement shall be governed by the laws of the State of Seattle...
HttpZoom TOS...I rest my case about some low end providers being clueless. :p
 

raindog308

vpsBoard Premium Member
Moderator
Taylor Smyth - aka Vypor

Google: Taylor Smyth Vypor

Taylor Smyth = Taylor Hayden Smyth, who's been a naughty little boy sending out bomb threats and who got himself a nice raid & computer clone.
Sheesh, second link on Bing for "Taylor Smyth Vypor" is a pastebin of his mother and father's SSN.
 

drmike

100% Tier-1 Gogent
TL;DR The company is based in Ontario. Canada, with the exception of Alberta, doesn't require consumers (or the government) to be notified when there is a database breach.  Notification is voluntary. https://www.privacyassociation.org/publications/2013_04_01_exploring_federal_privacy_breach_notification_in

TL;DR #2 even if Canada required notification the average low end provider would probably be clueless about the requirement (just look at US based companies like ChicagoVPS and httpZoom who failed to follow the letter of the law of the 46 states that have breach notification laws when they were breached this year).

HttpZoom TOS...I rest my case about some low end providers being clueless. :p
The people's dirty hippie funk scent State of Seattle. ;)

As far as regulations go and notification, the test in enough states involves you doing business with their citizens and in some states a certain minimum of customers therein.   Foreign companies ARE NOT EXEMPT.
 