Staminus sites offline - massively hacked

[drmike]

1. We need a bad provider list around here that entire buying audience at large can reference.  Bad providers are those spamming stolen customer data, repeat spam factories, those known to and proven to intentionally take money from spammers, criminals, etc. Forthcoming.


2. "f you choose Cheap (affordable) prices then this won't be the first thing your customers will have to worry about."
Cheap is like 85% of market just that.  Everything about cheap operations is cheap.  From the lack of actual knowledge to not staffing qualified people to having no policies or procedures.  The remaining 15% need to ramp up their business and confidence and usually just get out of cheap to better markets.


3. " 1. They where attacked in 2012.... 2. They then again where breeched in 2016, that's a 4 year gap and their passwords are weak / same passwords for important software." 


Assuming @Licensecart compared dump data If this true, the same credentials, then Staminus signed up for more than a hacking.  


4. "I  know one day a company will get hacked using that trash and it could impact me as-well."


Reason numero uno not to buy things under your real name or something directly attached to your company.  Some might find that practice deceptive, so be it.   I shop these days for companies that are alternative payment friendly and more interested in having customers and running a service than Q&A research into who their customers are and idle time in customers data and life.


5. "But we obviously also love the service and support that they provide."


No question about it, Staminus excels at DDoS Protection.  They need to hire or bring on as a partner someone with operations and security focus though.  No way to avoid that at this point.


6. "I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web."


Hosting has too many man children.  Too many at-risk types.  Too many of age, but morally deficient f--k jobs.  Most of it comes straight down to fact that they feel there are no implications for their actions.  Law on all levels does nothing, even when vicitimized company calls them in.   See #1 above.  I think this is part of necessary punishment that is overdue for these idiots. Talking about GlobalFrag, talking about Servermania, etc.



 Like this

•  
  

 

[Licensecart]

Assuming @Licensecart compared dump data If this true, the same credentials, then Staminus signed up for more than a hacking.  

I'm not sure what data was in the 2012 breech mate but the info we know about is what a guy on a forum linked to which apparently came from the breeched zips.


In 2012: can't find the main thread but one closest to the time was in this thread by DomainBop: http://www.webhostingtalk.com/showthread.php?t=1193478
In 2012: http://www.webhostingtalk.com/showthread.php?t=1115909 (DNS issues).


It's really not a company you can trust.

 

[Jonathan]

I don't get why there's so many TWATS in the industry, it doesn't take a bloody genius to know it's illegal to use leaked and private information even if it's open on the world wide web. If I was a customer and I got an email because some twat got it from a database leak I would be on their arse quicker than you could say idiots, to a legal team and sue them idiots to get some extra cash on the side. They might take it serious then.


And for the people who ask why we are on their backs, it's NOT the first time this has happened to them. 2012 they was breached. If anyone uses them after this one then they are a twat as-well. Not being a jackass but it really doesn't take a lot to loose respect. If they had a secure system I wouldn't mind, if it only happened once I wouldn't mind. But twice in the same decade.... Pathetic! 

Same with WHMCS when they had a database leak, that was by Hostgator's lack of security believing they was talking to Matt on the phone and gave the hackers their password or something. If they did it again you'd think twice. Same with their exploits they knew if someone leaked a big one in the wild again they would die so they try to cover it all up using the bounties, which has found some bad exploits, one which they paid $1K. A big DDos protection side with no security is 10x worse.

*lose

 

[OSTKCabal]

That's where people like me know what's your priority in business and to avoid you. What's important SECURITY or CHEAP Prices?

If you choose Cheap (affordable) prices then this won't be the first thing your customers will have to worry about. Security in my opinion is 10000000000000% more important and if your business / company relies on DDos protection then you have to "invest" money / capital into it.

As for improvements you won't because 1. They where attacked in 2012.... 2. They then again where breeched in 2016, that's a 4 year gap and their passwords are weak / same passwords for important software. They can claim like they did in 2012, that it's a one off and they will learn from their mistakes.... but they won't and that's just to keep you.

Myself I refuse to use a company which uses WHMCS for the same reason above, I don't trust their security, and therefore I use a non secure (Passwords I use for Secure systems, accounts) when I have no choice (LiteSpeed / SolusVM) because I know one day a company will get hacked using that trash and it could impact me as-well.

So, because we want to maintain affordable and sustainable pricing for both ourselves and our customers, you intend to avoid us at all costs, despite the fact that we own all of our hardware and IP addresses? Our priority is not "cheapness", it's the value and sustainability. Absolutely nobody else can provide the same level of service for the same price - we've done plenty of searching, comparing, and testing with other mitigation providers.


It's not like we're a massive company with a few hundred thousand dollars to spend, either. We're a small business and have to approach this with a small business mindset - we can't reasonably go out tomorrow and get a $200,000 loan (estimated price to truly do it right - redundant routers/core switches, on-site mitigation appliances, intelligent routing, etc.) to deploy our own network and our own on-site mitigation. Would that be preferable, even to us as a company? Of course it would. Would we love to do it? Hell yes. But can we? No, not right now. Why can't we? Because unfortunately, that's more of an investment than we're presently willing to make. We'd rather focus on improving other areas of the company first. But thanks for your input. 

 

[drmike]

I'm not sure what data was in the 2012 breech mate but the info we know about is what a guy on a forum linked to which apparently came from the breeched zips.


In 2012: can't find the main thread but one closest to the time was in this thread by DomainBop: http://www.webhostingtalk.com/showthread.php?t=1193478
In 2012: http://www.webhostingtalk.com/showthread.php?t=1115909 (DNS issues).


It's really not a company you can trust.

Looks like their mailing list was likely used prior by Black Lotus according to one of those threads... Ouchie.

So, because we want to maintain affordable and sustainable pricing for both ourselves and our customers, you intend to avoid us at all costs, despite the fact that we own all of our hardware, IP addresses, and colocate out of Steadfast Networks? Our priority is not "cheapness", it's value and sustainability. 

I don't think / hope that wasn't an attack in your direction  I never found your prices to be cheap.  Affordable is a little murky, but I'll buy that.


Sustainability is the keyword that more providers should be paying attention to... Pricing that covers costs, pays staff, actually provides for legit support that is timely and useful.

we can't reasonably go out tomorrow and get a $200,000 loan (estimated price to truly do it right - redundant routers/core switches, on-site mitigation appliances, intelligent routing, etc.) to deploy our own network and our own on-site mitigation.

Well I suspect you can get lending to accomplish most of that.  On-site mitigation as DIY isn't anything tiny or cheap.  Very easy to go spend that kind of change on a single location build out which isn't anything near level of shops like Staminus on capability.  Plus need to hire a certifiable bad ass to build and maintain the filtering (should have multiples).  There aren't many players or even gear companies out there for filtering... For good reason.. and you need to build a network with big pipes and great upstream relationships and arrangements to deal with issues.  I don't think the common cheap way of a 10Gbps burstable connect will any longer cut it for true mitigation.  Lots of DCs you say you want to start bonding those or bigger pipe and want to tank stuff, you are going to find quickly you need to do you own buildout, own internet connects, etc.


If someone has the spine to do all that, consider me interested.  Money and finance ability is the least of the puzzle.

 

[DomainBop]

1. We need a bad provider list around here that entire buying audience at large can reference.  Bad providers are those spamming stolen customer data, repeat spam factories, those known to and proven to intentionally take money from spammers, criminals, etc. Forthcoming.



 Like this

•  
  

It could be a very long list and require a full time staff to maintain when you add in all of the hidden brands and shell companies and try to separate them into actual companies.  


For example, you  have companies like ServerMania assigning blocks of IPs to the Washington State LLC of their employee who grabbed the Staminus DB. 


https://www.sos.wa.gov/corps/search-app.aspx#/detail/602808789


https://myip.ms/view/ip_owners/447492/Beyond_Grey_Skies_Llc.html


Spamhaus has a full time staff and it has even taken them forever to put together the pieces on some of these bad egg spammer friendly/criminal friendly/sanction busting providers (but Spamhaus is slowly doing it and assigning the blame to the companies at the top of the pyramids as this new /17 blacklisting from yesterday shows: servermania> b2 net solutions > velocity servers inc   <-- there are going to be some Iranians with .ir websites pissed off that they can't send email now http://bgp.he.net/net/23.236.128.0/18#_dns ).

 

[drmike]

It could be a very long list and require a full time staff to maintain when you add in all of the hidden brands and shell companies and try to separate them into actual companies. 

Between you, me and a few others, well, we have a good start


Beyond Skies is a new find to me...  Same old Horton fellow, never noticed this LLC before.  Weird stuff.


Iranians   Bunch in there... again. Still not legal to take their money I think. 

 

[DomainBop]

Copies of the two notification letters Staminus sent to its customers are available on the California AG's website.  They submitted their notification paperwork to California 10 days ago.


Organization Name


Date(s) of Breach


Reported Date


Staminus Communications


03/10/2016


04/11/2016

 

[drmike]

Copies of the two notification letters Staminus sent to its customers are available on the California AG's website.  They submitted their notification paperwork to California 10 days ago.


Organization Name


Date(s) of Breach


Reported Date


Staminus Communications


03/10/2016


04/11/2016

That sure took them long enough.


Customers were just notified today via email?

 

[DomainBop]

That sure took them long enough.


Customers were just notified today via email?

A poster on WHT said he received notification via postal mail on April 15th.  The notification date and method might depend on where the customer is located since each state has slightly different notification requirements (new California requirements).


Timing of breach notifications in California: 

Companies and government agencies must issue data security breach notifications “in the most expedient time possible and without unreasonable delay” and “immediately following discovery,” but may delay notification if “a law enforcement agency determines that the notification will impede a criminal investigation,” so long as the notification is “made promptly after the law enforcement agency determines that it won't compromise the investigation.”

 

[drmike]

They are fine with CA filing / disclosure.


Issue I take is timely with customers who had data go out there plaintext, including bank account/card data.


Those customers should have been informed within 72 hours of the event.  Unsure if they were.  I really hope they were.  Feels like they were not.

 

[drmike]

From WHT: Staminus has reportedly been up and down all day and support is mostly MIA


From the idiot competitor's file: AthenaLayer has spammed the hell out of the Staminus Facebook page today not to mention spamming a Reddit thread about the hack 


FYI, AthenaLayer also owns the HF advertised site OrcaHub whose main claim to fame was offering a free booter.  Google it https://www.google.com/search?q=orcahub+and+booter  or read this reddit thread https://www.reddit.com/r/hacking/comments/3dbykm/orcahubs_owner_has_bailed/  or Google some of the owner Nick Lim's past ventures like NalSEC or DDoS-protection.io 

Nick "the virgin" Lim...  18 year old "CEO"... this guy... What a douchebag, a used one at that.


Martin Shkreli, who I am not a fan of, but who had tolerance to let Lim go ADHD full bore for damn near two hours. Pure comic gold.  26 minutes in and Shkreli says it makes sense that Lim is a virgin. 


Lim and Jonny Nuggets should team up.