Staminus sites offline - massively hacked

drmike

100% Tier-1 Gogent
Damnit, Tor serving these files ... is ... SLOW!


The dump files are GIGANTIC.  GBs  in size.. One is 3GB, another 10GB, another 14GB....  
 
Last edited by a moderator:

Hxxx

Active Member
Interesting all of this. Now for me what's important is that somebody mentioned @ramnode.   Confirmation about this? Anyone?
 

drmike

100% Tier-1 Gogent
Ramnode is just an end customer.  So no Ramnode data that impacts customers of Ramnode.


Likely information relative to Ramnode's own account in the dump though.
 

MikeA

New Member
Verified Provider
Pretty sad the amount of time it took them to come out and say "Hey, your card info is public". What was it, 24+ hours AFTER it was initially uploaded over Tor? That's plenty of time for someone to do lots of damage. Feel bad for the Staminus employees that had nothing to do with this, surely it'll hurt business quite a bit (and ServerMania abusing the leak and e-mailing their clients even more so).
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
Pretty sad the amount of time it took them to come out and say "Hey, your card info is public". What was it, 24+ hours AFTER it was initially uploaded over Tor? That's plenty of time for someone to do lots of damage. Feel bad for the Staminus employees that had nothing to do with this, surely it'll hurt business quite a bit (and ServerMania abusing the leak and e-mailing their clients even more so).
not even sure if they said card info was public and plaintext.  They sugar coated it all as fine and nothing out there = crypto'd.
 
Last edited by a moderator:

OSTKCabal

Active Member
Verified Provider
Pretty sad the amount of time it took them to come out and say "Hey, your card info is public". What was it, 24+ hours AFTER it was initially uploaded over Tor? That's plenty of time for someone to do lots of damage. Feel bad for the Staminus employees that had nothing to do with this, surely it'll hurt business quite a bit (and ServerMania abusing the leak and e-mailing their clients even more so).
That would be correct. Like I said, there was some time where they appeared to be actively attempting to cover it up. No acknowledgement of a breach even as the databases/leaks were being downloaded by thousands of users, users who also reported it directly to Staminus through Twitter and Facebook. They knew about it, more than likely, the literal moment it hit the public 'net, if not before.
 

drmike

100% Tier-1 Gogent
That would be correct. Like I said, there was some time where they appeared to be actively attempting to cover it up. No acknowledgement of a breach even as the databases/leaks were being downloaded by thousands of users, users who also reported it directly to Staminus through Twitter and Facebook. They knew about it, more than likely, the literal moment it hit the public 'net, if not before.
I don't know... did Staminus at any point clearly say credit card details were public and unencrypted?  cause it's a big deal... I didn't see it, but not saying they did ... but that should have been NUMERO UNO since these customers all have to contact their bank and get new card issued.
 

Nick_A

Provider of the year (2014)
Ramnode is just an end customer.  So no Ramnode data that impacts customers of Ramnode.


Likely information relative to Ramnode's own account in the dump though.
Thank you - that's correct. We can't think of anything in the leaks that would directly impact our customers as Staminus is simply a filtering provider for us.
 

DomainBop

Dormant VPSB Pathogen
I don't know... did Staminus at any point clearly say credit card details were public and unencrypted?  cause it's a big deal... I didn't see it, but not saying they did ... but that should have been NUMERO UNO since these customers all have to contact their bank and get new card issued.
No, they just disclosed the minimum amount of info that they legally need to tell customers when there is a breach "your card info was compromised...here's what you should do to protect yourself...".   They don't need to explicitly tell the customers the data was unencrypted (but since many state laws like California only require notification when unencrypted personal info is breached, by notifying the customers of the breach it can probably be implied that it was unencrypted).  


Unencrypted could be a huge issue though if either the card companies or their customers 'lawyer up' and start filing lawsuits, or the card companies impose penalties for not complying with PCI guidelines.


A couple of links on state notification requirements:


http://www.dwt.com/statedatabreachstatutes/


http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf
 
Last edited by a moderator:

DomainBop

Dormant VPSB Pathogen
From WHT: Staminus has reportedly been up and down all day and support is mostly MIA


From the idiot competitor's file: AthenaLayer has spammed the hell out of the Staminus Facebook page today not to mention spamming a Reddit thread about the hack 


FYI, AthenaLayer also owns the HF advertised site OrcaHub whose main claim to fame was offering a free booter.  Google it https://www.google.com/search?q=orcahub+and+booter  or read this reddit thread https://www.reddit.com/r/hacking/comments/3dbykm/orcahubs_owner_has_bailed/  or Google some of the owner Nick Lim's past ventures like NalSEC or DDoS-protection.io 
 
Last edited by a moderator:

Francisco

Company Lube
Verified Provider
Matt's a genius, he isn't some off-the-shelf DDOS protection vendor, he writes a lot of code and always has. 


Honestly I wonder if he was simply not involved in the security side of things and things kinda went south. Staminus started as an IRC shell company so exploits, root shells, etc, were a day-to-day thing for him so he knows security.


I feel bad for them. Their support was always helpful whenever possible and Matt's been at this for 10+ years. He knows his stuff.


Best of luck to them,


Francisco
 

OSTKCabal

Active Member
Verified Provider
Matt's a genius, he isn't some off-the-shelf DDOS protection vendor, he writes a lot of code and always has. 


Honestly I wonder if he was simply not involved in the security side of things and things kinda went south. Staminus started as an IRC shell company so exploits, root shells, etc, were a day-to-day thing for him so he knows security.


I feel bad for them. Their support was always helpful whenever possible and Matt's been at this for 10+ years. He knows his stuff.


Best of luck to them,


Francisco
I echo this. We've been extremely happy with Staminus - the support has been dedicated, extremely helpful, and fast in helping us optimize our mitigation to best meet our needs as a gaming-oriented hosting provider. The service itself is great and I'd still recommend them as a DDoS Protection provider.


Obviously, I'm disappointed that the breach happened and that their own internal security was so abysmal. I hope they fix the glaring issues and conduct a full top-down security audit of their systems.
 
Last edited by a moderator:

HN-Matt

New Member
Verified Provider
I hadn't heard of Staminus prior to this thread and don't quite understand the critique (without prejudice). Intrusion aside, how is it that they've 'hedged the entire business on security theatre' if they only offer DDoS protection and seem to be effective in that area? Or do they offer other security services?
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
I hadn't heard of Staminus prior to this thread and don't quite understand the critique (without prejudice). Intrusion aside, how is it that they've 'hedged the entire business on security theatre' if they only offer DDoS protection and seem to be effective in that area? Or do they offer other security services?
I knew of Staminus purely as a company specializing in DDoS protection.   Used them before when BuyVM was with them.  Used them with another provider since then.


I don't know them to offer security services of any sort.  DDoS protection and other best practices for security seem like they go together, but they really don't - different worlds.


You can check their site before it was rm -rf'd  --- https://web.archive.org/web/20160220132015/https://www.staminus.net/


They have another brand, but I believe that is just hosting, no security practice there either.
 

DomainBop

Dormant VPSB Pathogen
Reports of more Idiot competitors using the Staminus database to spam Staminus customers: today's miscreant is a young lad who works as a respite caregiver by day and plays DC mogul by night.  Was it only two months ago that I was bitching about  this spam friendly provider  and blocked all SMTP traffic from their AS46573 in my firewalls? 


A copy of the spam sent by GlobalFrag to an email address that was only used for a Staminus account: http://www.webhostingtalk.com/showthread.php?t=1556659&p=9655137#post9655137


*****


Risk Based Security published some stats on the Staminus hack: 

approximately 2,300 previous and current clients included as part of the Staminus breach.


full.sql

  • Billing table contains 141,403 tracks of account billing from purchases.
  • Account table contains 4,415 users’ details with full addresses, contact details, company details, emails, and encrypted passwords.
  • Credit_card table contains 2,042  with full card details.
  • Rest of the information seems to relate to Staminus sales, site configuration, billing tracking and other configuration values related to the systems.

  • 3-9-staminus2.sql

  • Same data as Full.sql as well as data related to DDoS reporting, tickets, and other server-related actions.

  • Full ticket history with user details, ticket content, and Staminus responses

  • Staff details with encrypted passwords, email addresses, and Oauth credentials in the format of tokens and generated user keys.
 
Last edited by a moderator:

Licensecart

Active Member
I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web. If I was a customer and I got an email because some twat got it from a database leak I would be on their arse quicker than you could say idiots, to a legal team and sue them idiots to get some extra cash on the side. They might take it serious then.


And for the people who ask why we are on their backs, it's NOT the first time this has happened to them. 2012 they was breached. If anyone uses them after this one then they are a twat as-well. Not being a jackass but it really doesn't take a lot to loose respect. If they had a secure system I wouldn't mind, if it only happened once I wouldn't mind. But twice in the same decade.... Pathetic! 

Same with WHMCS when they had a database leak, that was by Hostgator's lack of security believing they was talking to Matt on the phone and gave the hackers their password or something. If they did it again you'd think twice. Same with their exploits they knew if someone leaked a big one in the wild again they would die so they try to cover it all up using the bounties, which has found some bad exploits, one which they paid $1K. A big DDos protection side with no security is 10x worse.
 

OSTKCabal

Active Member
Verified Provider
I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web. If I was a customer and I got an email because some twat got it from a database leak I would be on their arse quicker than you could say idiots, to a legal team and sue them idiots to get some extra cash on the side. They might take it serious then.


And for the people who ask why we are on their backs, it's NOT the first time this has happened to them. 2012 they was breached. If anyone uses them after this one then they are a twat as-well. Not being a jackass but it really doesn't take a lot to loose respect. If they had a secure system I wouldn't mind, if it only happened once I wouldn't mind. But twice in the same decade.... Pathetic! 

Same with WHMCS when they had a database leak, that was by Hostgator's lack of security believing they was talking to Matt on the phone and gave the hackers their password or something. If they did it again you'd think twice. Same with their exploits they knew if someone leaked a big one in the wild again they would die so they try to cover it all up using the bounties, which has found some bad exploits, one which they paid $1K. A big DDos protection side with no security is 10x worse.
It really seems to me like you're taking this to the extremes. I urge you to suggest to me a DDoS Protection provider that supplies the same level of support and service in general for around the same pricing. Beyond that, yes, obviously mistakes were made. Obviously we're highly disappointed in the breach. Obviously, we want to see improvements. But we obviously also love the service and support that they provide.
 
Last edited by a moderator:

Licensecart

Active Member
It really seems to me like you're taking this to the extremes. I urge you to suggest to me a DDoS Protection provider that supplies the same level of support and service in general for around the same pricing. Beyond that, yes, obviously mistakes were made. Obviously we're highly disappointed in the breach. Obviously, we want to see improvements. But we obviously also love the service and support that they provide.
That's where people like me know what's your priority in business and to avoid you. What's important SECURITY or CHEAP Prices?

If you choose Cheap (affordable) prices then this won't be the first thing your customers will have to worry about. Security in my opinion is 10000000000000% more important and if your business / company relies on DDos protection then you have to "invest" money / capital into it.

As for improvements you won't because 1. They where attacked in 2012.... 2. They then again where breeched in 2016, that's a 4 year gap and their passwords are weak / same passwords for important software. They can claim like they did in 2012, that it's a one off and they will learn from their mistakes.... but they won't and that's just to keep you.

Myself I refuse to use a company which uses WHMCS for the same reason above, I don't trust their security, and therefore I use a non secure (Passwords I use for Secure systems, accounts) when I have no choice (LiteSpeed / SolusVM) because I know one day a company will get hacked using that trash and it could impact me as-well.
 
Last edited by a moderator:
Top