# VPSAce hacked, database stolen, encryption key for cards likely taken



## drmike (Nov 16, 2013)

I'll keep it short and to the point here.

VPSAce.com was hacked. Their WHMCS was victimized. Their WHMCS database was stolen. The on-disk encryption key was swiped.

Their data is among a heap offered up on a hacking related website:

http://leak.sx/showthread.php?tid=188223


----------



## MannDude (Nov 16, 2013)

Ah, you must lurk IRC. I didn't think to post it here.


1:00 AM <•MannDude> I log in once a week or so and check to see where traffic is coming from and what not.
1:00 AM <Hexxis> i do it about once a month
1:00 AM <•MannDude> Speaking of which...
1:00 AM — •MannDude checks Piwik
1:01 AM <Hexxis> ;p
1:02 AM <•MannDude> uhg
1:02 AM <•MannDude> http://leak.sx/showthread.php?tid=188223
1:02 AM <•MannDude> That is in the referral log







Anyhow, worth noting. I think most customers of vpsace have already jumped ship or have been smart enough to change their info.  Looks like whoever posted that on that site tried to sell something another member there gave them? No idea.


----------



## drmike (Nov 16, 2013)

> Ah, you must lurk IRC. I didn't think to post it here.



Yeah I lurk, trying to reclaim more life cycles for offline ventures like picking my nose.  Thus the more sporadic and reduced posting.  

I posted this because it involves customers and their credit cards, if they were dumb enough to buy from vpsAce and use a direct card.  Shame. 

I've seen a database dump; they were compromised fully, contrary to whatever the person on that other site is saying.  Clearly, there must have been multiple people in vpsAce's servers.


----------



## Francisco (Nov 16, 2013)

Has there been a public statement at least?

Francisco


----------



## drmike (Nov 16, 2013)

Francisco said:


> Has there been a public statement at least?
> 
> 
> Francisco


I don't believe there has been.  A quick search of Google finds this and some offer posts by vpsAce.   Nothing else though.

I'll be posting more information on this later.   There is at least one tidbit found in the data that is concerning and that predates the hack/database theft.


----------



## drmike (Nov 16, 2013)

This is ugly.



> $cc_encryption_hash = 'sWSMAch3ptCe34eTlWzg4VQFcCWClinE46gu9nnpHQtBKykW....


Someone at vpsAce/B2 Net/Servermania/etc. needs to go compare that portion with the on disk crypto for WHMCS.

Yeah, I've truncated the hash.
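
As an added example (not code from the thread, from WHMCS or from vpsAce), here is the comparison the post above calls for: pull `$cc_encryption_hash` out of a configuration.php and test whether a leaked, truncated fragment is a prefix of the key on disk. The configuration.php excerpt, the key and the leaked fragment are all constructed for this example; the real fragment quoted in the thread is not used, and `redact()` shows how to quote a match in a report without reproducing the whole secret.

```python
"""Does a leaked, truncated `$cc_encryption_hash` match the key on disk?

Added example, not code from the thread or from WHMCS. Assumes a
WHMCS-style configuration.php where the key is a plain PHP string
assignment on one line.
"""
import hmac
import re
from typing import Optional

# Constructed configuration.php excerpt. The key value is made up for this
# example and is not the fragment quoted in the thread.
SAMPLE_CONFIGURATION_PHP = r"""<?php
$db_host = 'localhost';
$db_username = 'whmcs';
$db_password = 'example-only';
$db_name = 'whmcs';
$cc_encryption_hash = 'k9Qx2mP7vL4nR8sT1wY6bZ3cF5hJ0dG2aE4iU7oM9pN1qS3tV5xW8yA0bC2dE4f';
$templates_compiledir = 'templates_c/';
"""

# Constructed leaked fragment, written the way a poster truncates a secret.
SAMPLE_LEAKED_FRAGMENT = "k9Qx2mP7vL4nR8sT1wY6bZ3cF5hJ0dG2aE4iU7oM9pN1...."

_KEY_RE = re.compile(
    r"""^\s*\$cc_encryption_hash\s*=\s*(['"])(?P<key>.*?)\1\s*;""", re.MULTILINE
)


def extract_cc_encryption_hash(php_source: str) -> Optional[str]:
    """Return the `$cc_encryption_hash` value from configuration.php text, or None."""
    m = _KEY_RE.search(php_source)
    return m.group("key") if m else None


def normalise_fragment(fragment: str) -> str:
    """Strip the trailing '...' / '....' a poster adds when truncating a secret."""
    return fragment.rstrip(".").strip()


def fragment_matches_key(on_disk_key: str, leaked_fragment: str, min_len: int = 16) -> bool:
    """True if the leaked fragment is a prefix of the on-disk key.

    A very short fragment proves nothing, so anything under `min_len` characters
    is rejected. The compare is constant-time; that barely matters for an
    offline check but costs nothing.
    """
    frag = normalise_fragment(leaked_fragment)
    if len(frag) < min_len or len(frag) > len(on_disk_key):
        return False
    return hmac.compare_digest(on_disk_key[: len(frag)].encode(), frag.encode())


def redact(secret: str, keep: int = 8) -> str:
    """Render a secret for a report without pasting the whole thing."""
    return secret[:keep] + "...." if len(secret) > keep else "...."


def check_leak(php_source: str, leaked_fragment: str) -> dict:
    """Summarise: was the key found on disk, does the fragment match, what to quote."""
    key = extract_cc_encryption_hash(php_source)
    if key is None:
        return {"key_found": False, "match": False, "quote": None}
    return {
        "key_found": True,
        "match": fragment_matches_key(key, leaked_fragment),
        "quote": redact(key),
    }


if __name__ == "__main__":
    # Constructed input: expect key_found and match both True.
    print(check_leak(SAMPLE_CONFIGURATION_PHP, SAMPLE_LEAKED_FRAGMENT))
```

A match means the stolen database and the key needed to read its encrypted card fields left the server together. Rotating the key afterwards protects nothing already taken; the only remediation for affected cardholders is a replacement card, which is why notification matters.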


----------



## drmike (Nov 16, 2013)

and... it appears from the data that they were given some prior notice, albeit as extortion over the hack.   So their failure to let customers and the proper authorities know is unforgivable:



> | id | tid | did | userid | contactid | name | email | cc | c | date | title | message | status | urgency | admin | attachment | lastreply | flag | clientunread | adminunread | replyingadmin | replyingtime | service |
> +------+--------+-----+--------+-----------+------+-------+----+----------+---------------------+--------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+-------+------------+---------------------+------+--------------+-------------+---------------+---------------------+---------+
> | 2887 | 404068 | 1 | 1601 | 0 | | | | 2Dp7FSCB | 2013-11-13 02:35:02 | Hi, I hacked VPSAce.com | If you don't want your customer database and your /public_html/ files to
> be released, I'd suggest you listen to me. To make me want to not
> ...


*Note the date:*

2013-11-13 02:35:02
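
The ticket above is the kind of thing a responder hunts for in a stolen dump: evidence that the victim was warned before the data went public. As an added example (not code from the thread or from WHMCS), the script below parses the mysql client table format quoted above, including a message value that spills onto a second physical line the way the one above does, lists tickets that read like extortion, measures how long before the public leak the first one arrived, and, with the same parser, counts clients with card data on file in a `tblclients`-style excerpt. Both excerpts and every value in them are constructed; the table and column names `tbltickets`, `tblclients`, `cardnum` and `cardlastfour` are assumptions about the WHMCS schema, not verified.

```python
"""Triage a WHMCS-style dump pasted as mysql table output.

Added example, not code from the thread or from WHMCS. Table and column
names (tbltickets, tblclients, cardnum, cardlastfour) are assumptions about
the schema; every value below is constructed for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Row = Dict[str, str]
DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed tbltickets excerpt. Ticket 2887 mimics the extortion ticket
# quoted in the thread (wording changed); its message spans two physical
# lines, which is how the mysql client prints an embedded newline.
SAMPLE_TICKETS = """\
+------+--------+--------+---------------------+-------------------------+----------------------------------------------------+--------+
| id   | tid    | userid | date                | title                   | message                                            | status |
+------+--------+--------+---------------------+-------------------------+----------------------------------------------------+--------+
| 2880 | 113355 | 1520   | 2013-11-10 14:02:11 | Reverse DNS request     | Please set PTR for 198.51.100.7 to mail.example.   | Closed |
| 2887 | 404068 | 1601   | 2013-11-13 02:35:02 | Hi, I hacked VPSAce.com | If you don't want your customer database and your
/public_html/ files released, listen to me.                                                                               | Open   |
| 2891 | 221100 | 1777   | 2013-11-14 09:15:40 | Invoice question        | Was I double billed for November?                  | Open   |
+------+--------+--------+---------------------+-------------------------+----------------------------------------------------+--------+
"""

# Constructed tblclients excerpt; cardnum holds whatever the application
# stored, encrypted under the key kept in configuration.php.
SAMPLE_CLIENTS = """\
+------+-------------------+--------------+------------------+
| id   | email             | cardlastfour | cardnum          |
+------+-------------------+--------------+------------------+
| 1520 | alice@example.net | 4242         | ENCRYPTED_BLOB_1 |
| 1601 | bob@example.org   |              |                  |
| 1777 | carol@example.com | 1111         | ENCRYPTED_BLOB_2 |
+------+-------------------+--------------+------------------+
"""

EXTORTION_KEYWORDS = ("hacked", "breach", "leak", "ransom", "customer database", "released")


def _split_row(text: str) -> Optional[List[str]]:
    """Split one logical `| a | b |` row into stripped cells; None if not complete yet."""
    if not text.endswith("|"):
        return None
    return [c.strip() for c in text[1:-1].split("|")]


def parse_mysql_table(text: str) -> Tuple[List[str], List[Row]]:
    """Parse mysql client table output. The first `|` line is the header.

    A value containing a newline is printed across several physical lines;
    lines are buffered until the cell count matches the header. A value that
    itself contains '|' is not handled.
    """
    header: List[str] = []
    rows: List[Row] = []
    buf: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf is None:
            if not line.startswith("|"):
                continue  # '+----+' borders and anything outside the table
            buf = line
        else:
            buf += "\n" + line  # continuation of a value that spilled over
        cells = _split_row(buf)
        if cells is None:
            continue
        if not header:
            header, buf = cells, None
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
            buf = None
    return header, rows


def find_prior_notice(tickets: List[Row], keywords=EXTORTION_KEYWORDS) -> List[Row]:
    """Tickets whose title or message reads like a breach warning, oldest first."""
    hits = [
        t for t in tickets
        if any(k in (t["title"] + " " + t["message"]).lower() for k in keywords)
    ]
    return sorted(hits, key=lambda t: t["date"])


def notice_lead_time(tickets: List[Row], disclosed_at: str) -> Optional[timedelta]:
    """Time between the first warning ticket and the public disclosure, or None."""
    hits = find_prior_notice(tickets)
    if not hits:
        return None
    first = datetime.strptime(hits[0]["date"], DATE_FMT)
    return datetime.strptime(disclosed_at, DATE_FMT) - first


def clients_with_card_data(clients: List[Row], column: str = "cardnum") -> List[Row]:
    """Clients whose (assumed) encrypted card column is non-empty."""
    return [c for c in clients if c.get(column, "")]


def triage(tickets_dump: str, clients_dump: str, disclosed_at: str) -> dict:
    """One-shot summary: earliest warning, lead time in days, card exposure count."""
    _, tickets = parse_mysql_table(tickets_dump)
    _, clients = parse_mysql_table(clients_dump)
    notice = find_prior_notice(tickets)
    lead = notice_lead_time(tickets, disclosed_at)
    return {
        "first_notice": notice[0]["date"] if notice else None,
        "lead_time_days": lead.days if lead else None,
        "clients_with_cards": len(clients_with_card_data(clients)),
        "total_clients": len(clients),
    }


if __name__ == "__main__":
    # Disclosure date taken from the thread posts (16 Nov 2013), time assumed.
    print(triage(SAMPLE_TICKETS, SAMPLE_CLIENTS, "2013-11-16 00:00:00"))
```

The keyword list is deliberately short so it can be tuned per dump; on a real `tbltickets` export the false-positive rate of a word like "database" is high, which is why matches are returned for a human to read rather than counted.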


----------



## MannDude (Nov 16, 2013)

Jesus, is that a joke? Someone exploited them and demanded a VPS to be upgraded as ransom?

Sounds like someone was suspended since they ask for it to be reinstated.


----------



## drmike (Nov 16, 2013)

MannDude said:


> Jesus, is that a joke? Someone exploited them and demanded a VPS to be upgraded as ransom?
> 
> Sounds like someone was suspended since they ask for it to be reinstated.


No joke. I am looking through the database.  That stood out since it was one of the very last tickets.  Random query luck.


----------



## drmike (Nov 16, 2013)

What's funny about the extortion piece is "Taylor S________" doesn't exist... Mind you, I'm omitting the poor chap's name.


----------



## drmike (Nov 16, 2013)

Here's a good one:



> Doing this will not only give you better io and better system performance by utilization of flashcache but you will also be able to pack more clients on per node for a better profit on your side as well
> 
> 
> Thomas Dale
> Operations, ColoCrossing.com


More of them profiteering from overselling.  Spread the love around.  With flashcache, you too can oversell like a champion.  Or that's the concept.

32GB RAM E3 again.  Selling 2GB plans off of it and looks like a lack of servers vs. containers.


----------



## RiotSecurity (Nov 16, 2013)

drmike said:


> This is ugly.
> 
> Someone at vpsAce/B2 Net/Servermania/etc. needs to go compare that portion with the on disk crypto for WHMCS.
> 
> Yeah, I've truncated the hash.


Ugly, sloppy work VPSAce.


----------



## budi1413 (Nov 16, 2013)

drmike said:


> What's funny about the extortion piece is "Taylor S________" doesn't exist... Mind you, omitting the poor chaps name.


Taylor Swift the singer maybe.


----------



## RiotSecurity (Nov 16, 2013)

budi1413 said:


> Taylor Swift the singer maybe.


Taylor Smyth - aka Vypor

Google: Taylor Smyth Vypor

Taylor Smyth = Taylor Hayden Smyth, who's been a naughty little boy sending out bomb threats and who got himself a nice raid & computer clone.


----------



## drmike (Nov 16, 2013)

^--- still doesn't dawn on me why Taylor was mentioned therein when he wasn't a customer and the company would have no way of complying with whoever's request to reactivate and boost service.


----------



## RiotSecurity (Nov 16, 2013)

drmike: PM, he has a history.


----------



## DomainBop (Nov 16, 2013)

> Has there been a public statement at least?



TL;DR The company is based in Ontario. Canada, with the exception of Alberta, doesn't require consumers (or the government) to be notified when there is a database breach.  Notification is voluntary. https://www.privacyassociation.org/publications/2013_04_01_exploring_federal_privacy_breach_notification_in

TL;DR #2 even if Canada required notification the average low end provider would probably be clueless about the requirement (just look at US based companies like ChicagoVPS and httpZoom who failed to follow the letter of the law of the 46 states that have breach notification laws when they were breached this year).



> The Agreement shall be governed by the laws of the State of Seattle...


HttpZoom TOS...I rest my case about some low end providers being clueless.


----------



## Tux (Nov 16, 2013)

DomainBop said:


> HttpZoom TOS...I rest my case about some low end providers being clueless.


That means that the state of Cascadia exists now?


----------



## raindog308 (Nov 16, 2013)

RiotSecurity said:


> Taylor Smyth - aka Vypor
> 
> Google: Taylor Smyth Vypor
> 
> Taylor Smyth = Taylor Hayden Smyth, how's been a naughty little boy sending out bomb threats and who got himself a nice raid & computer clone.


Sheesh, second link on Bing for "Taylor Smyth Vypor" is a pastebin of his mother and father's SSN.


----------



## drmike (Nov 16, 2013)

DomainBop said:


> TL;DR The company is based in Ontario. Canada, with the exception of Alberta, doesn't require consumers (or the government) to be notified when there is a database breach.  Notification is voluntary. https://www.privacyassociation.org/publications/2013_04_01_exploring_federal_privacy_breach_notification_in
> 
> TL;DR #2 even if Canada required notification the average low end provider would probably be clueless about the requirement (just look at US based companies like ChicagoVPS and httpZoom who failed to follow the letter of the law of the 46 states that have breach notification laws when they were breached this year).
> 
> HttpZoom TOS...I rest my case about some low end providers being clueless.


The people's dirty hippie funk scent State of Seattle. 

As far as regulations go and notification,  the test in enough states involves you doing business with their citizens and, in some states, a certain minimum of customers therein.   Foreign companies ARE NOT EXEMPT.


----------



## Pete M. (Nov 16, 2013)

drmike said:


> I'll keep it short and to the point here.
> 
> VPSAce.com was hacked.   Their WHMCS was victimized.   Their WHMCS database was stolen.  The on disk encryption key was swiped.
> 
> ...


How good or bad was their security?


----------



## scv (Nov 16, 2013)

drmike said:


> Their data is among a heap offered up on a hacking related website:
> 
> http://leak.sx/showthread.php?tid=188223


I'm surprised nobody said anything about these...


----------



## drmike (Nov 16, 2013)

scv said:


> I'm surprised nobody said anything about these...


Quite a target any DDoS firm would be.

I didn't mention it since that for sale payload isn't something I've gotten hold of.   Unsure what whoever has exactly.


----------



## drmike (Nov 16, 2013)

Pete M. said:


> How good or bad was their security?


I can't say myself since I am uninvolved.  Just received the database.

I will say from my position the security at vpsAce is lacking.  They were hacked then their outage page was hacked.  I suspect their site and other assets are all backdoored.

The hash on disk was swiped too.   So, seems like full access scenario with maximum impact and victimization.


----------



## Toast (Nov 17, 2013)

i hope i never have to go through something like this.


----------



## RiotSecurity (Nov 17, 2013)

raindog308 said:


> Sheesh, second link on Bing for "Taylor Smyth Vypor" is a pastebin of his mother and father's SSN.


Yep, if you go on doxing.me and connect to doxbin you'll find a ton more.


----------



## marlencrabapple (Nov 17, 2013)

drmike said:


> I'll keep it short and to the point here.
> 
> VPSAce.com was hacked.   Their WHMCS was victimized.   Their WHMCS database was stolen.  The on disk encryption key was swiped.
> 
> ...


Am I the only one who's a bit suspicious why a hacking website wants to make me run their javascript just to view their site?


----------



## Enterprisevpssolutions (Nov 18, 2013)

Interesting post. I wonder what version of WHMCS was used, as they have released a few updates recently that fixed some major issues. This is another reason that all companies need to have people testing the software before using it, and better security needs to get built in and around the servers that host the databases.


----------



## Naythan (Nov 18, 2013)

marlencrabapple said:


> Am I the only one who's a bit suspicious why a hacking website wants to make me run their javascript just to view their site?


Are you really that stupid?

We're a leaking site not a hacking site.

Also that Javascript is for CloudFlare to work and if you had a brain that is not the size of a peanut you would have known that.

Also, lol thanks for the free traffic I appreciate it.


----------



## MartinD (Nov 18, 2013)

If that's your attitude to people in your first post you won't be around for long.


Be a little more polite, please.


----------



## drmike (Nov 18, 2013)

marlencrabapple said:


> Am I the only one who's a bit suspicious why a hacking website wants to make me run their javascript just to view their site?


I agree about the Javascript = insecure takeover vector.  Slews of sites now require JS enabled or they won't load.   Of course Cloudflare is part of that plague.  But there are certainly the malicious out there serving you special payloads.


----------



## marlencrabapple (Nov 18, 2013)

Naythan said:


> Also that Javascript is for CloudFlare to work and if you had a brain that is not the size of a peanut you would have known that.


Don't blame Cloudflare. Unless you're specifically using it to block users with javascript turned off it can function without it. Then again what do I know, I just use it on my own sites.


----------

