VPSAce hacked, database stolen, encryption key for cards likely taken

MannDude

Just a dude
vpsBoard Founder
Moderator
Ah, you must lurk IRC. I didn't think to post it here.


1:00 AM <•MannDude> I log in once a week or so and check to see where traffic is coming from and what not.
1:00 AM <Hexxis> i do it about once a month
1:00 AM <•MannDude> Speaking of which...
1:00 AM — •MannDude checks Piwik
1:01 AM <Hexxis> ;p
1:02 AM <•MannDude> uhg
1:02 AM <•MannDude> http://leak.sx/showthread.php?tid=188223
1:02 AM <•MannDude> That is in the referal log



Anyhow, worth noting. I think most customers of vpsace have already jumped ship or have been smart enough to change their info.  Looks like whoever posted that on that site tried to sell something another member there gave them? No idea.
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
Ah, you must lurk IRC. I didn't think to post it here.
Yeah I lurk, trying to reclaim more life cycles for offline ventures like picking my nose.  Thus the more sporadic and reduced posting.  

I posted this because it involves customers and their credit cards, if they were dumb enough to buy from vpsAce and use a direct card.  Shame. 

I've seen a database dump they were compromised fully, contrary to whatever the person on that other site is saying.  Clearly, there must have been multiple people in vpsAce's servers.
 

drmike

100% Tier-1 Gogent
Has there been a public statement at least?


Francisco
I don't believe there has been.  A quick search of Google finds this and some offer posts by vpsAce.   Nothing else though.

I'll be posting more information on this later.   There is at least one tidbit found in the data that is concerning and prior to hack/database theft.
 

drmike

100% Tier-1 Gogent
This is ugly.

$cc_encryption_hash = 'sWSMAch3ptCe34eTlWzg4VQFcCWClinE46gu9nnpHQtBKykW....
Someone at vpsAce/B2 Net/Servermania/etc. needs to go compare that portion with the on disk crypto for WHMCS.

Yeah, I've truncated the hash.   
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
and... it appears from the data that they were given some prior notice, albeit extortion of the hack.   So their failure to let customers know and proper authorities is unforgivable:

| id | tid | did | userid | contactid | name | email | cc | c | date | title | message | status | urgency | admin | attachment | lastreply | flag | clientunread | adminunread | replyingadmin | replyingtime | service |
+------+--------+-----+--------+-----------+------+-------+----+----------+---------------------+--------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+-------+------------+---------------------+------+--------------+-------------+---------------+---------------------+---------+
| 2887 | 404068 | 1 | 1601 | 0 | | | | 2Dp7FSCB | 2013-11-13 02:35:02 | Hi, I hacked VPSAce.com | If you don't want your customer database and your /public_html/ files to
be released, I'd suggest you listen to me. To make me want to not
release the information that I have, I need you to go ahead and
reinstate the VPS that Taylor S---- owned, and upgrade it to a nice 8GB
RAM, 200GB HDD, and 6 cores.

Thanks, ________. | Open | Medium | | | 2013-11-13 02:35:02 | 0 | 1 | 7,8 | 0 | 0000-00-00 00:00:00 | |
Note the date:

2013-11-13 02:35:02
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Jesus, is that a joke? Someone exploited them and demanded a VPS to be upgraded as ransom?

Sounds like someone was suspended since they ask for it to be reinstated.
 

drmike

100% Tier-1 Gogent
Jesus, is that a joke? Someone exploited them and demanded a VPS to be upgraded as ransom?

Sounds like someone was suspended since they ask for it to be reinstated.
No joke. I am looking through the database.  That stood out since was one of the very last tickets.  Random query luck.
 

drmike

100% Tier-1 Gogent
What's funny about the extortion piece is "Taylor S________" doesn't exist... Mind you, omitting the poor chaps name.
 

drmike

100% Tier-1 Gogent
Here's a good one:

Doing this will not only give you better io and better system performance by utilization of flashcache but you will also be able to pack more clients on per node for a better profit on your side as well
 

Thomas Dale
Operations, ColoCrossing.com
More of them profiteering for over sold.  Spread the love around.  With flashcache, you to can oversell like a champion.  Or that's the concept.

32GB RAM E3 again.  Selling 2GB plans off of it and looks like a lack of servers vs. containers.
 

RiotSecurity

New Member
Taylor Swift the singer maybe. :p
Taylor Smyth - aka Vypor

Google: Taylor Smyth Vypor

Taylor Smyth = Taylor Hayden Smyth, how's been a naughty little boy sending out bomb threats and who got himself a nice raid & computer clone.
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
^--- still doesn't dawn on me why Taylor was mentioned therein when wasn't a customer and the company would have no way of complying with whoevers request to reactivate and boost service.
 

DomainBop

Dormant VPSB Pathogen
Has there been a public statement at least?
TL;DR The company is based in Ontario. Canada, with the exception of Alberta, doesn't require consumers (or the government) to be notified when there is a database breach.  Notification is voluntary. https://www.privacyassociation.org/publications/2013_04_01_exploring_federal_privacy_breach_notification_in

TL;DR #2 even if Canada required notification the average low end provider would probably be clueless about the requirement (just look at US based companies like ChicagoVPS and httpZoom who failed to follow the letter of the law of the 46 states that have breach notification laws when they were breached this year).

The Agreement shall be governed by the laws of the State of Seattle...
HttpZoom TOS...I rest my case about some low end providers being clueless. :p
 
Last edited by a moderator:

raindog308

vpsBoard Premium Member
Moderator
Taylor Smyth - aka Vypor

Google: Taylor Smyth Vypor

Taylor Smyth = Taylor Hayden Smyth, how's been a naughty little boy sending out bomb threats and who got himself a nice raid & computer clone.
Sheesh, second link on Bing for "Taylor Smyth Vypor" is a pastebin of his mother and father's SSN.
 

drmike

100% Tier-1 Gogent
TL;DR The company is based in Ontario. Canada, with the exception of Alberta, doesn't require consumers (or the government) to be notified when there is a database breach.  Notification is voluntary. https://www.privacyassociation.org/publications/2013_04_01_exploring_federal_privacy_breach_notification_in

TL;DR #2 even if Canada required notification the average low end provider would probably be clueless about the requirement (just look at US based companies like ChicagoVPS and httpZoom who failed to follow the letter of the law of the 46 states that have breach notification laws when they were breached this year).

HttpZoom TOS...I rest my case about some low end providers being clueless. :p
The people's dirty hippie funk scent State of Seattle. ;)

As far as regulations go and notification,  the test in enough states involves you doing business with their citizens and in some states a certain minimum of customers therein.   Foreign company ARE NOT EXEMPT.
 
Top