Staminus Communications had its entire network knocked offline, during which sensitive customer data was leaked.
A California-based firm that provides protection against distributed denial of service (DDoS) attacks was itself hacked last week.
Staminus Communications had its entire network knocked offline for more than 20 hours on Thursday, during which sensitive customer data was leaked.
“Around 5 a.m. PST [March 10], a rare event cascaded across multiple routers in a system-wide event, making our backbone unavailable,” Staminus wrote in a series of social media posts while its website was down. “Our technicians quickly began working to identify the problem. We understand and share your frustration,” the company said.
While Staminus scrambled to restore service, the hackers on Thursday dumped private data online in what security expert Brian Krebs called a “classic ‘hacker e-zine’ format,” under the title “F**k ’em all.”
The page includes links to download databases reportedly stolen from Staminus and Intreppid—a Staminus project that targets customers looking for protection against large DDoS attacks.
The hacker group claims to have seized control over Staminus’s Internet routers, resetting the devices to their factory settings, Krebs said.
They also suggest Staminus used “one root password for all the boxes,” and stored full credit card information in plain text—a violation of payment card industry standards.
“We can now confirm the issue was a result of an unauthorized intrusion into our network. As a result of this intrusion, our systems were temporarily taken offline and customer information was exposed,” Staminus CEO Matt Mahvi said in a statement published on Friday. “Upon discovering this attack, Staminus took immediate action including launching an investigation into the attack, notifying law enforcement and restoring our systems.”
Usernames, hashed passwords, customer record information—including names and contact information—and payment card data were exposed; Staminus, however, does not collect Social Security numbers or tax IDs.
“While the investigation continues, we have and will continue to put additional measures into place to harden our security to help prevent a future attack,” Mahvi said.
“I fully recognize that our customers put their trust in Staminus and, while we believe that the issue has been contained, we are continuing to take the appropriate steps needed to safeguard our clients’ information and enhance our data security policies,” he added, encouraging all users to change their password immediately.
As Krebs pointed out, anti-DDoS providers are a common target for hackers; the sites often host customers whose content is offensive or hateful.
Staminus, for example, covers kkk.com—the official homepage for the Ku Klux Klan (KKK) white supremacist group.
Among a catalog of other customers, the dump included a list of “Tips When Running a Security Company,” detailing security holes found during the breach.