DDoS security firm a victim
Staminus Communications provides DDoS attack protection and mitigation

DDoS Security that provides attack protection and mitigation became a target

Hackers Bring Down DDoS Security Firm, a security outfit that prides itself on DoS and DDoS attack protection and mitigation was itself the victim of a DDoS Security attack late last week and over the weekend.

Staminus Communications first disclosed the attack to the public last Thursday in a Twitter post, calling it a “rare event that cascaded across multiple routers in a system wide event, making our backbone unavailable.” Service was restored a few hours later but there was no mention of exactly what happened.

A day later, the California-based outfit posted an update to its website confirming that it was an “unauthorized intrusion.” The attack not only prompted the company to take its system offline, it also exposed sensitive customer data.

“Based on the initial investigation, we believe that usernames, hashed passwords, customer record information, including name and contact information, and payment card data were exposed,” Staminus Communications CEO Matt Mahvi stated in a blog post.

The attackers weren’t able to extract Social Security numbers or tax IDs, though they still collected quite a bit of information about Staminus Communications’ customers.

The hackers weren’t content to just steal customer data, they saw fit to taunt the security outfit as well. According to Arstechnica, a subsequent data dump titled “TIPS WHEN RUNNING A SECURITY COMPANY” offered up sarcastic suggestions based on several security vulnerabilities discovered during the attack. The ‘tips’ included:

  • Use one root password for all the boxes
  • Expose PDU’s [power distribution units in server racks]
  • Never patch, upgrade or audit the stack
  • Disregard PDO [PHP Data Objects] as inconvenient
  • Hedge entire business on security theatre
  • Store full credit card info in plaintext
  • Write all code with reckless [sic] abandon

Luckily for customers of Staminus, no credit card data was contained in the data dump. Nevertheless, Staminus customers might want to request new cards with new numbers to avoid future hassles.

More Here [maximumpc]


Receive Weekly RoundUp

By clicking this button you agree to receive marketing communications from EMI

I agree to have my personal information transfered to MailChimp ( more information )