# Staminus sites offline - massively hacked



## wlanboy (Mar 11, 2016)

Their statement:



> "Around 5am PST today, a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable. Our technicians quickly began working to identify the problem.
> We understand and share your frustration. We currently have all hands on deck working to restore service but have no ETA for full recovery."



Real thing:





For your entertainment.


----------



## bauhaus (Mar 11, 2016)

Well, apparently also @ramnode data is compromised , not sure.


_Leak *MUST HAVE* Staminus.net / Intreppid.com / Ku Klux Klan | Spigot | RamNode ++ FRESH_


----------



## wlanboy (Mar 11, 2016)

And the bin: http://hastebin.com/raw/oweyukamuj


Snip:



> Hello ******,
> 
> 
> Your server is complete.
> ...



        FILES:     
            http://************/chatbot.tar.gz
            http://************/lighttpd.tar.gz
            http://************/main.tar.gz
            http://************/openvpn.tar.gz
            http://************/svn.tar.gz
                  
        SQL:       
            http://************/3-9-staminus2.sql
            http://************/accountUpdate.sql
            http://************/acctserver.sql
            http://************/appliance_lan.sql
            http://************/full.sql
            http://************/ip_limit_history.sql
            http://************/ip_limit_profile.sql
            http://************/ip_limit.sql
            http://************/sp.sql


All internal and protected IPs leaked - easily mapped... making their protection useless.


----------



## Licensecart (Mar 11, 2016)

Interesting there's WHMCS information in it, who uses a very small insecure password for important files? And LOL the same password for the Wordpress... Don't they know Wordpress has even worse security than WHMCS...


----------



## OSTKCabal (Mar 11, 2016)

As of right now, allegations are going around that they're actively covering up complaints and questions about the breach. They appear to be deleting Facebook comments, and deleting and re-posting tweets that have potentially incriminating information.


Forbes has a small section about it: http://www.forbes.com/sites/thomasbrewster/2016/03/11/kkk-staminus-hacked/#7d247e2c6942


Krebs on Security post: https://krebsonsecurity.com/2016/03/hackers-target-anti-ddos-firm-staminus/


I think whoever's managing their PR should be fired immediately. They've allowed a narrative controlled by hearsay, angry customers, and tech/business blogs and magazines. In their position, I would have acknowledged the breach (because I promise you they know and knew), and clearly explained how a subsequent one would be prevented, BEFORE it got out of the PR team's hands.


----------



## DomainBop (Mar 11, 2016)

> Interesting there's WHMCS information in it, who uses a very small insecure password for important files? And LOL the same password for the Wordpress... Don't they know Wordpress has even worse security than WHMCS...





> As of right now, allegations are going around that they're actively covering up complaints and questions about the breach. They appear to be deleting Facebook comments, and deleting and re-posting tweets that have potentially incriminating information.



If they were really storing credit card info, including card numbers, in plain text (which is a violation of card industry rules) they legally need to notify their customers of the breach (46 states have data breach notification laws) and they need to notify their card processor. If the plain text rumors are true it puts them at risk of being sued (or fined) by their card processors and by customers who had their info leaked.



> BEFORE it got out of the PR team's hands.



The PR team now also has to deal with the fact that the first page of search results for Staminus on Twitter and Google now turn up KKK images and references, but I guess if their CEO is willing to accept any customer as long as he can make a buck from them then there's no need to feel sorry for him.  From Twitter.



> The KKK's website was taken down by a breach of its host and security provider, Staminus



...and the headline from Forbes:



> Hackers Claim Breach Of Ku Klux Klan's Security Company


----------



## Licensecart (Mar 11, 2016)

DomainBop said:


> If they were really storing credit card info, including card numbers, in plain text (which is a violation of card industry rules) they legally need to notify their customers of the breach (46 states have data breach notification laws) and they need to notify their card processor.  If the plain text rumors are true it puts them at risk of being sued (or fined) by their card processors and by customers who had their info leaked
> 
> 
> The PR team now also has to deal with the fact that the first page of search results for Staminus on Twitter and Google now turn up KKK images and references, but I guess if their CEO is willing to accept any customer as long as he can make a buck from them then there's no need to feel sorry for him.  From Twitter.
> ...



In the thread linked to on a website (can't remember) there's a link to a paste.ee which has their clear text card details:


----------



## drmike (Mar 11, 2016)

Catching up 


This isn't the first time Staminus has been dinged. Previously, they had their DDoS protection platform / scrubbing / process code released to the public.


----------



## drmike (Mar 11, 2016)

and mind you, I started a thread 20~ hours before this


----------



## HN-Matt (Mar 11, 2016)

DomainBop said:


> The PR team now also has to deal with the fact that the first page of search results for Staminus on Twitter and Google now turn up KKK images and references, but I guess if their CEO is willing to accept any customer as long as he can make a buck from them then there's no need to feel sorry for him.



I guess Trump didn't disavow hard enough last week, which begs the question, who will pay for Staminus' sins if they don't?


----------



## DomainBop (Mar 11, 2016)

It looks like we have a winner in the _piece of shit whose company I wouldn't touch with a 10 foot pole_ category.  A single homed hosting company in Buffalo is taking this opportunity (a database dump with email addresses of a competitor's customers) to spam Staminus customers.


copy of email (from this LET post)



> To whom this may concern,
> 
> 
> My name is Andrew Horton, Account Manager at ServerMania.com. I’m contracting you today as I’ve heard that you were affected by the Staminus outage and hack that occurred earlier today. We’re a premier Dedicated Server company with services based in New York. We leverage RioRey DDOS Protection appliances on the core of our network with over 200 Gbps of mitigation available covering all 7 layers.
> ...



The slime at ServerMania must be taking their cue from the company that was accused of spamming Staminus customers in 2012 after yet another Staminus leak of customer emails (old WHT thread: http://www.webhostingtalk.com/showthread.php?t=1193478 TLDR: BlackLotus said they were innocent and a competitor was trying to smear them).


----------



## wlanboy (Mar 11, 2016)

Whenever I think that this drama ends, another detail of total crap on the personal or technical side happens.


----------



## DomainBop (Mar 11, 2016)

The CEO posted an announcement on their home page:
 



> Statement
> To follow up on our communication from yesterday evening regarding the system outage, we can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed. Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.
> 
> 
> ...


----------



## drmike (Mar 11, 2016)

HN-Matt said:


> I guess Trump didn't disavow hard enough last week, which begs the question, who will pay for Staminus' sins if they don't?



It should be expected that anything controversial is going to be behind filtering. It's just how the hate (pun intended) goes. Plenty of legit businesses who have been attempted victims of DDoS extortion are behind filtering also. So not everyone behind filtering is on the wrong side of social norms, nor are they bad people.


In an ideal world, no one would have to take shelter.  I can't see utopia existing any time soon though.  Pass me the pipe.


@Licensecart PM that site info please.


----------



## drmike (Mar 11, 2016)

Tracked down a bit of the data from the Staminus hack...  Working on the rest to see how ugly this really is.


As far as Staminus customers who used a credit card: your data is fully there in a file and details are in PLAINTEXT. Totally a PCI violation and the wrong way to handle bankcard data by Staminus, and it appears to be all customers from when they started this accounting system until now. This is the start of the file:


    mysql> select * from credit_card;
    +----+-----------+-----------+----------+------------------+----------+---------+-----------+------+------+
    | ID | accountID | firstName | lastName | number           | expMonth | expYear | validated | main | cvv  |
    +----+-----------+-----------+----------+------------------+----------+---------+-----------+------+------+
    |  1 | T--rd     | Thomas    | W---     | 4--------------3 |        2 |    2009 |         1 |    1 | NULL |
    +----+-----------+-----------+----------+------------------+----------+---------+-----------+------+------+


I've  dashed out the details to protect the innocent.


*IF YOU USED A BANK CARD / CREDIT CARD / DEBIT CARD TO PAY STAMINUS --- CONTACT YOUR BANK AND LOCK THINGS DOWN / GET A NEW CARD ISSUED NOW!!!*


----------



## willie (Mar 11, 2016)

Wonder if they support 2 factor authentication.  A site like that certainly should.  Not that it helps that much any more: there's Android malware out there that steals 2fa credentials.


----------



## HN-Matt (Mar 11, 2016)

wlanboy said:


> Whenever I think that this drama ends, another detail of total crap on the personal or technical side happens.



Hrm, yes, true.

_*posts perennial drama thread, catalysing next sideshow in the Data Surfacing Security Theatre cycle*
*complains of there being no end to the drama*_

Just overclock that logic and formalize it into an endless for loop, chances are the narrative will eventually melt down into a law of diminishing returns.


----------



## DomainBop (Mar 11, 2016)

> mysql> select * from credit_card;
> 
> 
> *cvv*



CVV numbers should never be stored in any form, whether it's encrypted, plain text, or on scraps of used toilet paper (see Basic PCI Data Storage Guidelines for Merchants).
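A check a defender would run over their own database dumps or backups, covering both the plaintext `number` column in drmike's excerpt above and the stored `cvv` this post objects to. This is an added example, not code from the thread or from Staminus; the sample dump is constructed to mirror the excerpt's `credit_card` table, and the card numbers in it are the standard Luhn-valid test PANs, not real accounts.

```python
"""Scan a mysqldump-style SQL dump for plaintext card data.

Constructed example: flags (1) Luhn-valid primary account numbers stored
in the clear and (2) tables that declare a CVV/CVC column, which PCI DSS
forbids storing in any form after authorisation.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the same shape as the thread's credit_card excerpt.
# The PANs are the usual Visa/Mastercard test numbers, not real accounts;
# the 1234... value is a 16-digit run that fails the Luhn check.
SAMPLE_DUMP = """\
CREATE TABLE `credit_card` (`ID` int, `accountID` varchar(64), `firstName` varchar(64),
  `lastName` varchar(64), `number` varchar(32), `expMonth` int, `expYear` int,
  `validated` int, `main` int, `cvv` varchar(4));
INSERT INTO `credit_card` VALUES (1,'acct-1','Thomas','W','4111111111111111',2,2009,1,1,NULL);
INSERT INTO `credit_card` VALUES (2,'acct-2','Jane','D','5555 5555 5555 4444',11,2017,1,0,'123');
INSERT INTO `invoice` VALUES (77,'acct-2','1234567890123456',199.00);
INSERT INTO `invoice` VALUES (78,'acct-3','order-4111-1111',25.00);
"""

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Heuristic for mysqldump output: table name and the column body of a CREATE.
CREATE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?\s*\((.*?)\);", re.S | re.I)
COLUMN_RE = re.compile(r"`(\w+)`")
CVV_NAMES = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the BIN (first 6) and last 4, the most PCI allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(dump: str) -> List[Tuple[int, str]]:
    """Return (line_no, masked_pan) for every Luhn-valid PAN in the dump."""
    hits = []
    for line_no, line in enumerate(dump.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):  # drops random digit runs such as order ids
                hits.append((line_no, mask_pan(digits)))
    return hits


def find_cvv_columns(dump: str) -> Dict[str, List[str]]:
    """Map table name -> column names that look like a card security code."""
    found = {}
    for table, body in CREATE_RE.findall(dump):
        cols = [c for c in COLUMN_RE.findall(body) if c.lower() in CVV_NAMES]
        if cols:
            found[table] = cols
    return found


def scan_dump(dump: str) -> Dict[str, object]:
    return {"pans": find_pans(dump), "cvv_columns": find_cvv_columns(dump)}


if __name__ == "__main__":
    report = scan_dump(SAMPLE_DUMP)
    for line_no, pan in report["pans"]:
        print(f"line {line_no}: plaintext PAN {pan}")
    for table, cols in report["cvv_columns"].items():
        print(f"table {table}: stores a card security code in {cols}")
```

Run it against a real dump with `scan_dump(open(path).read())`; any hit means card data is being persisted where it should only ever exist as a processor token.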


----------



## drmike (Mar 11, 2016)

The schema they have there for storing card details - ALONE - should spell legal implications.



DomainBop said:


> copy of email (from this LET post)
> 
> 
> The slime at ServerMania must be taking their cue from the company that was accused of spamming Staminus customers in 2012 after yet another Staminus leak of customer emails (old WHT thread: http://www.webhostingtalk.com/showthread.php?t=1193478 TLDR: BlackLotus said they were innocent and a competitor was trying to smear them).



The scumfucks at ServerMania need to be stopped.


They are nothing more than co-conspirators with the ColoCrossing guys.   For a company to dip this low to snag the details and hit customers directly with SPAM means they give no regard and will do anything to lure customers.  Hopefully, the type of customers that subscribe to Staminus find ZERO comfort in garbage like Servermania and Colocrossing are doing.


*Both of these companies wonder why I've given them so much shit over the years?  Boys you just upped my XL serving of unfriendliness that is overdue.*


*May I remind Colocrossing and Servermania that prior, both of them had puppet facemasked subsidiaries hacked with details public dumped?*


----------



## drmike (Mar 11, 2016)

Staminus needs to go fuck off in a confession booth too.



> Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed. It is important to note that *we do not collect Social Security numbers or tax IDs*.
> 
> 
> While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack. While *the exposed passwords were protected with a cryptographic hash*, we also strongly recommend that customers change their Staminus password



Like not collecting SSNs and Tax IDs + crypto hash on password somehow exempts you from legal action?


I won't say I am making a love package for various attorney generals, but I won't deny it either.  I am grabbing the data and seeing beyond PCI compliance busting and entirely retarded plaintext full card details, just what is in there head to toe.


Stupidity like this needs to end with moronic companies.  People need to be held accountable.


----------



## drmike (Mar 11, 2016)

Damnit, Tor serving these files ... is ... SLOW!


The dump files are GIGANTIC.  GBs  in size.. One is 3GB, another 10GB, another 14GB....


----------



## Hxxx (Mar 11, 2016)

Interesting all of this. Now for me what's important is that somebody mentioned @ramnode.   Confirmation about this? Anyone?


----------



## drmike (Mar 11, 2016)

Ramnode is just an end customer.  So no Ramnode data that impacts customers of Ramnode.


Likely information relative to Ramnode's own account in the dump though.


----------



## MikeA (Mar 11, 2016)

Pretty sad the amount of time it took them to come out and say "Hey, your card info is public". What was it, 24+ hours AFTER it was initially uploaded over Tor? That's plenty of time for someone to do lots of damage. Feel bad for the Staminus employees that had nothing to do with this, surely it'll hurt business quite a bit (and ServerMania abusing the leak and e-mailing their clients even more so).


----------



## drmike (Mar 11, 2016)

MikeA said:


> Pretty sad the amount of time it took them to come out and say "Hey, your card info is public". What was it, 24+ hours AFTER it was initially uploaded over Tor? That's plenty of time for someone to do lots of damage. Feel bad for the Staminus employees that had nothing to do with this, surely it'll hurt business quite a bit (and ServerMania abusing the leak and e-mailing their clients even more so).



not even sure if they said card info was public and plaintext.  They sugar coated it all as fine and nothing out there = crypto'd.


----------



## OSTKCabal (Mar 11, 2016)

MikeA said:


> Pretty sad the amount of time it took them to come out and say "Hey, your card info is public". What was it, 24+ hours AFTER it was initially uploaded over Tor? That's plenty of time for someone to do lots of damage. Feel bad for the Staminus employees that had nothing to do with this, surely it'll hurt business quite a bit (and ServerMania abusing the leak and e-mailing their clients even more so).



That would be correct. Like I said, there was some time where they appeared to be actively attempting to cover it up. No acknowledgement of a breach even as the databases/leaks were being downloaded by thousands of users, users who also reported it directly to Staminus through Twitter and Facebook. They knew about it, more than likely, the literal moment it hit the public 'net, if not before.


----------



## drmike (Mar 11, 2016)

OSTKCabal said:


> That would be correct. Like I said, there was some time where they appeared to be actively attempting to cover it up. No acknowledgement of a breach even as the databases/leaks were being downloaded by thousands of users, users who also reported it directly to Staminus through Twitter and Facebook. They knew about it, more than likely, the literal moment it hit the public 'net, if not before.



I don't know... did Staminus at any point clearly say credit card details were public and unencrypted?  cause it's a big deal... I didn't see it, but not saying they did ... but that should have been NUMERO UNO since these customers all have to contact their bank and get new card issued.


----------



## Nick_A (Mar 11, 2016)

drmike said:


> Ramnode is just an end customer.  So no Ramnode data that impacts customers of Ramnode.
> 
> 
> Likely information relative to Ramnode's own account in the dump though.



Thank you - that's correct. We can't think of anything in the leaks that would directly impact our customers as Staminus is simply a filtering provider for us.


----------



## DomainBop (Mar 12, 2016)

drmike said:


> I don't know... did Staminus at any point clearly say credit card details were public and unencrypted?  cause it's a big deal... I didn't see it, but not saying they did ... but that should have been NUMERO UNO since these customers all have to contact their bank and get new card issued.



No, they just disclosed the minimum amount of info that they legally need to tell customers when there is a breach _"your card info was compromised...here's what you should do to protect yourself..."_.   They don't need to explicitly tell the customers the data was unencrypted (but since many state laws like California only require notification when unencrypted personal info is breached, by notifying the customers of the breach it can probably be implied that it was unencrypted).  


Unencrypted could be a huge issue though if either the card companies or their customers 'lawyer up' and start filing lawsuits, or the card companies impose penalties for not complying with PCI guidelines.


A couple of links on state notification requirements:


http://www.dwt.com/statedatabreachstatutes/


http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf


----------



## DomainBop (Mar 14, 2016)

From WHT: Staminus has reportedly been up and down all day and support is mostly MIA


From the idiot competitor's file: AthenaLayer has spammed the hell out of the Staminus Facebook page today not to mention spamming a Reddit thread about the hack 


FYI, AthenaLayer also owns the HF advertised site OrcaHub whose main claim to fame was offering a free booter.  Google it https://www.google.com/search?q=orcahub+and+booter  or read this reddit thread https://www.reddit.com/r/hacking/comments/3dbykm/orcahubs_owner_has_bailed/  or Google some of the owner Nick Lim's past ventures like NalSEC or DDoS-protection.io


----------



## drmike (Mar 14, 2016)

Interesting:


http://patents.justia.com/inventor/mehdi-mahvi


----------



## HN-Matt (Mar 14, 2016)

@DomainBop pls change your custom title from "Dormant VPSB Pathogen" to "Kangaroo Court Super Creeper", ty


----------



## Francisco (Mar 14, 2016)

drmike said:


> Interesting:
> 
> 
> http://patents.justia.com/inventor/mehdi-mahvi



Matt's a genius, he isn't some off-the-shelf DDOS protection vendor, he writes a *lot* of code and always has. 


Honestly I wonder if he was simply not involved in the security side of things and things kinda went south. Staminus started as an IRC shell company so exploits, root shells, etc, were a day-to-day thing for him so he knows security.


I feel bad for them. Their support was always helpful whenever possible and Matt's been at this for 10+ years. He knows his stuff.


Best of luck to them,


Francisco


----------



## OSTKCabal (Mar 15, 2016)

Francisco said:


> Matt's a genius, he isn't some off-the-shelf DDOS protection vendor, he writes a *lot* of code and always has.
> 
> 
> Honestly I wonder if he was simply not involved in the security side of things and things kinda went south. Staminus started as an IRC shell company so exploits, root shells, etc, were a day-to-day thing for him so he knows security.
> ...



I echo this. We've been extremely happy with Staminus - the support has been dedicated, extremely helpful, and fast in helping us optimize our mitigation to best meet our needs as a gaming-oriented hosting provider. The service itself is great and I'd still recommend them as a DDoS Protection provider.


Obviously, I'm disappointed that the breach happened and that their own internal security was so abysmal. I hope they fix the glaring issues and conduct a full top-down security audit of their systems.


----------



## HN-Matt (Mar 15, 2016)

I hadn't heard of Staminus prior to this thread and don't quite understand the critique (without prejudice). Intrusion aside, how is it that they've 'hedged the entire business on security theatre' if they only offer DDoS protection and seem to be effective in that area? Or do they offer other security services?


----------



## drmike (Mar 15, 2016)

HN-Matt said:


> I hadn't heard of Staminus prior to this thread and don't quite understand the critique (without prejudice). Intrusion aside, how is it that they've 'hedged the entire business on security theatre' if they only offer DDoS protection and seem to be effective in that area? Or do they offer other security services?



I knew of Staminus purely as a company specializing in DDoS protection.   Used them before when BuyVM was with them.  Used them with another provider since then.


I don't know them to offer security services of any sort.  DDoS protection and other best practices for security seem like they go together, but they really don't - different worlds.


You can check their site before it was rm -rf'd  --- https://web.archive.org/web/20160220132015/https://www.staminus.net/


They have another brand, but I believe that is just hosting, no security practice there either.


----------



## DomainBop (Mar 16, 2016)

Reports of more Idiot competitors using the Staminus database to spam Staminus customers: today's miscreant is a young lad who works as a respite caregiver by day and plays DC mogul by night.  Was it only two months ago that I was bitching about  this spam friendly provider  and blocked all SMTP traffic from their AS46573 in my firewalls? 


A copy of the spam sent by GlobalFrag to an email address that was only used for a Staminus account: http://www.webhostingtalk.com/showthread.php?t=1556659&p=9655137#post9655137


*****


Risk Based Security published some stats on the Staminus hack: 



> approximately 2,300 previous and current clients included as part of the Staminus breach.
> 
> 
> *full.sql*
> ...



full article and the complete list of stats at RBS: https://www.riskbasedsecurity.com/2016/03/staminus-breach-just-how-bad-is-it/


----------



## Licensecart (Mar 16, 2016)

I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web. If I was a customer and I got an email because some twat got it from a database leak I would be on their arse quicker than you could say idiots, to a legal team and sue them idiots to get some extra cash on the side. They might take it serious then.


And for the people who ask why we are on their backs, it's NOT the first time this has happened to them. 2012 they was breached. If anyone uses them after this one then they are a twat as-well. Not being a jackass but it really doesn't take a lot to loose respect. If they had a secure system I wouldn't mind, if it only happened once I wouldn't mind. But twice in the same decade.... Pathetic! 

Same with WHMCS when they had a database leak, that was by Hostgator's lack of security believing they was talking to Matt on the phone and gave the hackers their password or something. If they did it again you'd think twice. Same with their exploits they knew if someone leaked a big one in the wild again they would die so they try to cover it all up using the bounties, which has found some bad exploits, one which they paid $1K. A big DDos protection side with no security is 10x worse.


----------



## OSTKCabal (Mar 16, 2016)

Licensecart said:


> I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web. If I was a customer and I got an email because some twat got it from a database leak I would be on their arse quicker than you could say idiots, to a legal team and sue them idiots to get some extra cash on the side. They might take it serious then.
> 
> 
> And for the people who ask why we are on their backs, it's NOT the first time this has happened to them. 2012 they was breached. If anyone uses them after this one then they are a twat as-well. Not being a jackass but it really doesn't take a lot to loose respect. If they had a secure system I wouldn't mind, if it only happened once I wouldn't mind. But twice in the same decade.... Pathetic!
> ...



It really seems to me like you're taking this to the extremes. I urge you to suggest to me a DDoS Protection provider that supplies the same level of support and service in general for around the same pricing. Beyond that, yes, obviously mistakes were made. Obviously we're highly disappointed in the breach. Obviously, we want to see improvements. But we obviously also love the service and support that they provide.


----------



## Licensecart (Mar 16, 2016)

OSTKCabal said:


> It really seems to me like you're taking this to the extremes. I urge you to suggest to me a DDoS Protection provider that supplies the same level of support and service in general for around the same pricing. Beyond that, yes, obviously mistakes were made. Obviously we're highly disappointed in the breach. Obviously, we want to see improvements. But we obviously also love the service and support that they provide.



That's where people like me know what's your priority in business and to avoid you. What's important SECURITY or CHEAP Prices?

If you choose Cheap (affordable) prices then this won't be the first thing your customers will have to worry about. Security in my opinion is 10000000000000% more important and if your business / company relies on DDos protection then you have to "invest" money / capital into it.

As for improvements, you won't, because 1. They were attacked in 2012.... 2. They then again were breached in 2016, that's a 4 year gap and their passwords are weak / same passwords for important software. They can claim like they did in 2012, that it's a one off and they will learn from their mistakes.... but they won't and that's just to keep you.

Myself I refuse to use a company which uses WHMCS for the same reason above, I don't trust their security, and therefore I use a non secure (Passwords I use for Secure systems, accounts) when I have no choice (LiteSpeed / SolusVM) because I know one day a company will get hacked using that trash and it could impact me as well.


----------



## drmike (Mar 16, 2016)

1. We need a bad provider list around here that entire buying audience at large can reference.  Bad providers are those spamming stolen customer data, repeat spam factories, those known to and proven to intentionally take money from spammers, criminals, etc. Forthcoming.


2. "If you choose Cheap (affordable) prices then this won't be the first thing your customers will have to worry about."
Cheap is like 85% of market just that.  Everything about cheap operations is cheap.  From the lack of actual knowledge to not staffing qualified people to having no policies or procedures.  The remaining 15% need to ramp up their business and confidence and usually just get out of cheap to better markets.


3. "1. They were attacked in 2012.... 2. They then again were breached in 2016, that's a 4 year gap and their passwords are weak / same passwords for important software."


Assuming @Licensecart compared dump data: if this is true, the same credentials, then Staminus signed up for more than a hacking.


4. "I  know one day a company will get hacked using that trash and it could impact me as-well."


Reason numero uno not to buy things under your real name or something directly attached to your company.  Some might find that practice deceptive, so be it.   I shop these days for companies that are alternative payment friendly and more interested in having customers and running a service than Q&A research into who their customers are and idle time in customers data and life.


5. "But we obviously also love the service and support that they provide."


No question about it, Staminus excels at DDoS Protection.  They need to hire or bring on as a partner someone with operations and security focus though.  No way to avoid that at this point.


6. "I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web."


Hosting has too many man children. Too many at-risk types. Too many of age, but morally deficient f--k jobs. Most of it comes straight down to the fact that they feel there are no implications for their actions. Law on all levels does nothing, even when the victimized company calls them in. See #1 above. I think this is part of necessary punishment that is overdue for these idiots. Talking about GlobalFrag, talking about Servermania, etc.





----------



## Licensecart (Mar 16, 2016)

drmike said:


> Assuming @Licensecart compared dump data: if this is true, the same credentials, then Staminus signed up for more than a hacking.



I'm not sure what data was in the 2012 breach mate but the info we know about is what a guy on a forum linked to which apparently came from the breached zips.


In 2012: can't find the main thread but one closest to the time was in this thread by DomainBop: http://www.webhostingtalk.com/showthread.php?t=1193478
In 2012: http://www.webhostingtalk.com/showthread.php?t=1115909 (DNS issues).


It's really not a company you can trust.


----------



## Jonathan (Mar 16, 2016)

Licensecart said:


> I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web. If I was a customer and I got an email because some twat got it from a database leak I would be on their arse quicker than you could say idiots, to a legal team and sue them idiots to get some extra cash on the side. They might take it serious then.
> 
> 
> And for the people who ask why we are on their backs, it's NOT the first time this has happened to them. 2012 they was breached. If anyone uses them after this one then they are a twat as-well. Not being a jackass but it really doesn't take a lot to loose respect. If they had a secure system I wouldn't mind, if it only happened once I wouldn't mind. But twice in the same decade.... Pathetic!
> ...



*lose


----------



## OSTKCabal (Mar 17, 2016)

Licensecart said:


> That's where people like me know what's your priority in business and to avoid you. What's important SECURITY or CHEAP Prices?
> 
> If you choose Cheap (affordable) prices then this won't be the first thing your customers will have to worry about. Security in my opinion is 10000000000000% more important and if your business / company relies on DDos protection then you have to "invest" money / capital into it.
> 
> ...



So, because we want to maintain affordable and sustainable pricing for both ourselves and our customers, you intend to avoid us at all costs, despite the fact that we own all of our hardware and IP addresses? Our priority is not "cheapness", it's the value and sustainability. Absolutely nobody else can provide the same level of service for the same price - we've done plenty of searching, comparing, and testing with other mitigation providers.


It's not like we're a massive company with a few hundred thousand dollars to spend, either. We're a small business and have to approach this with a small business mindset - we can't reasonably go out tomorrow and get a $200,000 loan (estimated price to truly do it right - redundant routers/core switches, on-site mitigation appliances, intelligent routing, etc.) to deploy our own network and our own on-site mitigation. Would that be preferable, even to us as a company? Of course it would. Would we love to do it? Hell yes. But can we? No, not right now. Why can't we? Because unfortunately, that's more of an investment than we're presently willing to make. We'd rather focus on improving other areas of the company first. But thanks for your input.


----------



## drmike (Mar 17, 2016)

Licensecart said:


> I'm not sure what data was in the 2012 breach mate but the info we know about is what a guy on a forum linked to which apparently came from the breached zips.
> 
> 
> In 2012: can't find the main thread but one closest to the time was in this thread by DomainBop: http://www.webhostingtalk.com/showthread.php?t=1193478
> ...



Looks like their mailing list was likely used prior by Black Lotus according to one of those threads... Ouchie.



OSTKCabal said:


> So, because we want to maintain affordable and sustainable pricing for both ourselves and our customers, you intend to avoid us at all costs, despite the fact that we own all of our hardware, IP addresses, and colocate out of Steadfast Networks? Our priority is not "cheapness", it's value and sustainability.



I don't think / hope that wasn't an attack in your direction. I never found your prices to be cheap. Affordable is a little murky, but I'll buy that.


Sustainability is the keyword that more providers should be paying attention to... Pricing that covers costs, pays staff, actually provides for legit support that is timely and useful.



OSTKCabal said:


> we can't reasonably go out tomorrow and get a $200,000 loan (estimated price to truly do it right - redundant routers/core switches, on-site mitigation appliances, intelligent routing, etc.) to deploy our own network and our own on-site mitigation.



Well I suspect you can get lending to accomplish most of that. On-site mitigation as DIY isn't anything tiny or cheap. Very easy to go spend that kind of change on a single location build out which isn't anything near the level of shops like Staminus on capability. Plus need to hire a certifiable bad ass to build and maintain the filtering (should have multiples). There aren't many players or even gear companies out there for filtering... For good reason.. and you need to build a network with big pipes and great upstream relationships and arrangements to deal with issues. I don't think the common cheap way of a 10Gbps burstable connect will any longer cut it for true mitigation. Lots of DCs you say you want to start bonding those or bigger pipe and want to tank stuff, you are going to find quickly you need to do your own buildout, own internet connects, etc.


If someone has the spine to do all that, consider me interested.  Money and finance ability is the least of the puzzle.


----------



## DomainBop (Apr 13, 2016)

drmike said:


> 1. We need a bad provider list around here that entire buying audience at large can reference.  Bad providers are those spamming stolen customer data, repeat spam factories, those known to and proven to intentionally take money from spammers, criminals, etc. Forthcoming.
> 
> 
> 
> Like this



It could be a very long list and require a full time staff to maintain when you add in all of the hidden brands and shell companies and try to separate them into actual companies.


For example, you have companies like ServerMania assigning blocks of IPs to the Washington State LLC of their employee who grabbed the Staminus DB.


https://www.sos.wa.gov/corps/search-app.aspx#/detail/602808789


https://myip.ms/view/ip_owners/447492/Beyond_Grey_Skies_Llc.html


Spamhaus has a full time staff and it has even taken them forever to put together the pieces on some of these bad egg spammer friendly/criminal friendly/sanction busting providers (but Spamhaus is slowly doing it and assigning the blame to the companies at the top of the pyramids as this new /17 blacklisting from yesterday shows: servermania> b2 net solutions > velocity servers inc   <-- _there are going to be some Iranians with .ir websites pissed off that they can't send email now_ http://bgp.he.net/net/23.236.128.0/18#_dns ).


----------



## drmike (Apr 13, 2016)

DomainBop said:


> It could be a very long list and require a full time staff to maintain when you add in all of the hidden brands and shell companies and try to separate them into actual companies.



Between you, me and a few others, well, we have a good start.


Beyond Skies is a new find to me...  Same old Horton fellow, never noticed this LLC before.  Weird stuff.


Iranians. Bunch in there... again. Still not legal to take their money I think.


----------



## DomainBop (Apr 20, 2016)

Copies of the two notification letters Staminus sent to its customers are available on the California AG's website.  They submitted their notification paperwork to California 10 days ago.


| Organization Name | Date(s) of Breach | Reported Date |
| --- | --- | --- |
| Staminus Communications | 03/10/2016 | 04/11/2016 |


----------



## drmike (Apr 20, 2016)

DomainBop said:


> Copies of the two notification letters Staminus sent to its customers are available on the California AG's website.  They submitted their notification paperwork to California 10 days ago.
> 
> 
> Organization Name
> ...



That sure took them long enough.


Customers were just notified today via email?


----------



## DomainBop (Apr 20, 2016)

drmike said:


> That sure took them long enough.
> 
> 
> Customers were just notified today via email?



A poster on WHT said he received notification via postal mail on April 15th.  The notification date and method might depend on where the customer is located since each state has slightly different notification requirements (new California requirements).


Timing of breach notifications in California: 



> Companies and government agencies must issue data security breach notifications “in the most expedient time possible and without unreasonable delay” and “immediately following discovery,” but may delay notification if “a law enforcement agency determines that the notification will impede a criminal investigation,” so long as the notification is “made promptly after the law enforcement agency determines that it won't compromise the investigation.”


----------



## drmike (Apr 21, 2016)

They are fine with CA filing / disclosure.


The issue I take is timeliness with customers who had data go out there in plaintext, including bank account/card data.


Those customers should have been informed within 72 hours of the event.  Unsure if they were.  I really hope they were.  Feels like they were not.


----------



## drmike (May 31, 2016)

DomainBop said:


> From WHT: Staminus has reportedly been up and down all day and support is mostly MIA
> 
> 
> From the idiot competitor's file: AthenaLayer has spammed the hell out of the Staminus Facebook page today not to mention spamming a Reddit thread about the hack
> ...



Nick "the virgin" Lim...  18 year old "CEO"... this guy... What a douchebag, a used one at that.


Martin Shkreli, who I am not a fan of, had the tolerance to let Lim go ADHD full bore for damn near two hours. Pure comic gold. 26 minutes in and Shkreli says it makes sense that Lim is a virgin.


Lim and Jonny Nuggets should team up.


----------

