Staminus sites offline - massively hacked
- Thread starter wlanboy
- Start date
Pretty sad the amount of time it took them to come out and say "Hey, your card info is public". What was it, 24+ hours AFTER it was initially uploaded over Tor? That's plenty of time for someone to do lots of damage. Feel bad for the Staminus employees that had nothing to do with this, surely it'll hurt business quite a bit (and ServerMania abusing the leak and e-mailing their clients even more so).
Last edited by a moderator:
drmike
100% Tier-1 Gogent
not even sure if they said card info was public and plaintext. They sugar coated it all as fine and nothing out there = crypto'd.
Last edited by a moderator:
That would be correct. Like I said, there was some time where they appeared to be actively attempting to cover it up. No acknowledgement of a breach even as the databases/leaks were being downloaded by thousands of users, users who also reported it directly to Staminus through Twitter and Facebook. They knew about it, more than likely, the literal moment it hit the public 'net, if not before.
drmike
100% Tier-1 Gogent
I don't know... did Staminus at any point clearly say credit card details were public and unencrypted? cause it's a big deal... I didn't see it, but not saying they did ... but that should have been NUMERO UNO since these customers all have to contact their bank and get new card issued.
Nick_A
Provider of the year (2014)
Thank you - that's correct. We can't think of anything in the leaks that would directly impact our customers as Staminus is simply a filtering provider for us.
DomainBop
Dormant VPSB Pathogen
No, they just disclosed the minimum amount of info that they legally need to tell customers when there is a breach "your card info was compromised...here's what you should do to protect yourself...". They don't need to explicitly tell the customers the data was unencrypted (but since many state laws like California only require notification when unencrypted personal info is breached, by notifying the customers of the breach it can probably be implied that it was unencrypted).
Unencrypted could be a huge issue though if either the card companies or their customers 'lawyer up' and start filing lawsuits, or the card companies impose penalties for not complying with PCI guidelines.
A couple of links on state notification requirements:
http://www.dwt.com/statedatabreachstatutes/
http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf
Last edited by a moderator:
DomainBop
Dormant VPSB Pathogen
From WHT: Staminus has reportedly been up and down all day and support is mostly MIA
From the idiot competitor's file: AthenaLayer has spammed the hell out of the Staminus Facebook page today not to mention spamming a Reddit thread about the hack
FYI, AthenaLayer also owns the HF advertised site OrcaHub whose main claim to fame was offering a free booter. Google it https://www.google.com/search?q=orcahub+and+booter or read this reddit thread https://www.reddit.com/r/hacking/comments/3dbykm/orcahubs_owner_has_bailed/ or Google some of the owner Nick Lim's past ventures like NalSEC or DDoS-protection.io
From the idiot competitor's file: AthenaLayer has spammed the hell out of the Staminus Facebook page today not to mention spamming a Reddit thread about the hack
FYI, AthenaLayer also owns the HF advertised site OrcaHub whose main claim to fame was offering a free booter. Google it https://www.google.com/search?q=orcahub+and+booter or read this reddit thread https://www.reddit.com/r/hacking/comments/3dbykm/orcahubs_owner_has_bailed/ or Google some of the owner Nick Lim's past ventures like NalSEC or DDoS-protection.io
Last edited by a moderator:
drmike
100% Tier-1 Gogent
@DomainBop pls change your custom title from "Dormant VPSB Pathogen" to "Kangaroo Court Super Creeper", ty
Last edited by a moderator:
Matt's a genius, he isn't some off-the-shelf DDOS protection vendor, he writes a lot of code and always has.
Honestly I wonder if he was simply not involved in the security side of things and things kinda went south. Staminus started as an IRC shell company so exploits, root shells, etc, were a day-to-day thing for him so he knows security.
I feel bad for them. Their support was always helpful whenever possible and Matt's been at this for 10+ years. He knows his stuff.
Best of luck to them,
Francisco
I echo this. We've been extremely happy with Staminus - the support has been dedicated, extremely helpful, and fast in helping us optimize our mitigation to best meet our needs as a gaming-oriented hosting provider. The service itself is great and I'd still recommend them as a DDoS Protection provider.
Obviously, I'm disappointed that the breach happened and that their own internal security was so abysmal. I hope they fix the glaring issues and conduct a full top-down security audit of their systems.
Last edited by a moderator:
I hadn't heard of Staminus prior to this thread and don't quite understand the critique (without prejudice). Intrusion aside, how is it that they've 'hedged the entire business on security theatre' if they only offer DDoS protection and seem to be effective in that area? Or do they offer other security services?
Last edited by a moderator:
drmike
100% Tier-1 Gogent
I knew of Staminus purely as a company specializing in DDoS protection. Used them before when BuyVM was with them. Used them with another provider since then.
I don't know them to offer security services of any sort. DDoS protection and other best practices for security seem like they go together, but they really don't - different worlds.
You can check their site before it was rm -rf'd --- https://web.archive.org/web/20160220132015/https://www.staminus.net/
They have another brand, but I believe that is just hosting, no security practice there either.
DomainBop
Dormant VPSB Pathogen
Reports of more Idiot competitors using the Staminus database to spam Staminus customers: today's miscreant is a young lad who works as a respite caregiver by day and plays DC mogul by night. Was it only two months ago that I was bitching about this spam friendly provider and blocked all SMTP traffic from their AS46573 in my firewalls?
A copy of the spam sent by GlobalFrag to an email address that was only used for a Staminus account: http://www.webhostingtalk.com/showthread.php?t=1556659&p=9655137#post9655137
*****
Risk Based Security published some stats on the Staminus hack:
A copy of the spam sent by GlobalFrag to an email address that was only used for a Staminus account: http://www.webhostingtalk.com/showthread.php?t=1556659&p=9655137#post9655137
*****
Risk Based Security published some stats on the Staminus hack:
- full article and the complete list of stats at RBS: https://www.riskbasedsecurity.com/2016/03/staminus-breach-just-how-bad-is-it/
Last edited by a moderator:
Licensecart
Active Member
I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web. If I was a customer and I got an email because some twat got it from a database leak I would be on their arse quicker than you could say idiots, to a legal team and sue them idiots to get some extra cash on the side. They might take it serious then.
And for the people who ask why we are on their backs, it's NOT the first time this has happened to them. 2012 they was breached. If anyone uses them after this one then they are a twat as-well. Not being a jackass but it really doesn't take a lot to loose respect. If they had a secure system I wouldn't mind, if it only happened once I wouldn't mind. But twice in the same decade.... Pathetic!
Same with WHMCS when they had a database leak, that was by Hostgator's lack of security believing they was talking to Matt on the phone and gave the hackers their password or something. If they did it again you'd think twice. Same with their exploits they knew if someone leaked a big one in the wild again they would die so they try to cover it all up using the bounties, which has found some bad exploits, one which they paid $1K. A big DDos protection side with no security is 10x worse.
And for the people who ask why we are on their backs, it's NOT the first time this has happened to them. 2012 they was breached. If anyone uses them after this one then they are a twat as-well. Not being a jackass but it really doesn't take a lot to loose respect. If they had a secure system I wouldn't mind, if it only happened once I wouldn't mind. But twice in the same decade.... Pathetic!
Same with WHMCS when they had a database leak, that was by Hostgator's lack of security believing they was talking to Matt on the phone and gave the hackers their password or something. If they did it again you'd think twice. Same with their exploits they knew if someone leaked a big one in the wild again they would die so they try to cover it all up using the bounties, which has found some bad exploits, one which they paid $1K. A big DDos protection side with no security is 10x worse.
It really seems to me like you're taking this to the extremes. I urge you to suggest to me a DDoS Protection provider that supplies the same level of support and service in general for around the same pricing. Beyond that, yes, obviously mistakes were made. Obviously we're highly disappointed in the breach. Obviously, we want to see improvements. But we obviously also love the service and support that they provide.
Last edited by a moderator:
Licensecart
Active Member
That's where people like me know what's your priority in business and to avoid you. What's important SECURITY or CHEAP Prices?
If you choose Cheap (affordable) prices then this won't be the first thing your customers will have to worry about. Security in my opinion is 10000000000000% more important and if your business / company relies on DDos protection then you have to "invest" money / capital into it.
As for improvements you won't because 1. They where attacked in 2012.... 2. They then again where breeched in 2016, that's a 4 year gap and their passwords are weak / same passwords for important software. They can claim like they did in 2012, that it's a one off and they will learn from their mistakes.... but they won't and that's just to keep you.
Myself I refuse to use a company which uses WHMCS for the same reason above, I don't trust their security, and therefore I use a non secure (Passwords I use for Secure systems, accounts) when I have no choice (LiteSpeed / SolusVM) because I know one day a company will get hacked using that trash and it could impact me as-well.
Last edited by a moderator: