Newport Beach-based Staminus Communications offered DDoS protection and other security services to its clients; early this morning, its systems went down and a dump of its internal files was posted to the Internet.
The individuals claiming credit for the breach published an accompanying article called "TIPS WHEN RUNNING A SECURITY COMPANY," a blistering attack on the sub-par security they say they encountered at Staminus. The hackers claim that all the systems shared a single root password, that the power systems for the company's servers had open telnet access, that the company hadn't patched its systems, that its web applications were open to common PHP attacks, that its code was sub-par, and, worst of all, that it stored credit card numbers in the clear.
The hackers didn't dump any credit card numbers, but storing unencrypted credit card details is a major no-no and violates binding industry standards for handling credit card data.
The dump revealed a lot of information about Staminus's customers, including the KKK's official site; the billing details for the Klan's account revealed that it was jointly managed with several other organizations, including the American Heritage Committee.
Staminus's communications to their customers have hedged on what happened; the company's official tweet said only that "a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable."
The hackers claim that they reset all of Staminus's equipment to factory defaults.
The dump, in a hacker "e-zine" format, begins with a note from the attacker. Sarcastically titled "TIPS WHEN RUNNING A SECURITY COMPANY," it details the security holes found during the breach:
Use one root password for all the boxes
Expose PDU's [power distribution units in server racks] to WAN with telnet auth
Never patch, upgrade or audit the stack
Disregard PDO [PHP Data Objects] as inconvenient
Hedge entire business on security theatre
Store full credit card info in plaintext
Write all code with wreckless [sic] abandon
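The PDO line in the list refers to PHP's database abstraction layer, whose prepared statements keep user input out of the SQL text. As an added illustration (not code from the dump, from Staminus, or from the attackers), here is the string-spliced query pattern beside its PDO prepared-statement form, with the customer table holding only a payment-processor token and the last four digits rather than the full card; the database, table, rows and function names are constructed for the example.

```php
<?php
// Added example, not Staminus code. Shows the "disregard PDO" hole beside its fix,
// and a customer table that keeps a processor token instead of the raw card number.
// Runs stand-alone against an in-memory SQLite database (pdo_sqlite); all rows are constructed.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL, '
            . 'card_token TEXT NOT NULL, card_last4 TEXT NOT NULL)');
    // Only a processor-issued token and the last four digits are stored; never the PAN or CVV.
    $seed = $db->prepare('INSERT INTO customers (email, card_token, card_last4) VALUES (:e, :t, :l)');
    $seed->execute([':e' => 'alice@example.com',   ':t' => 'tok_constructed_1', ':l' => '4242']);
    $seed->execute([':e' => "o'brien@example.com", ':t' => 'tok_constructed_2', ':l' => '1881']);
    return $db;
}

// Weak pattern: the caller's string is spliced into the SQL text, so the database
// cannot tell data from statement; even an ordinary quote character corrupts the query.
function findCustomerUnsafe(PDO $db, string $email): array {
    $sql = "SELECT id, email, card_last4 FROM customers WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed and the value travels as a bound parameter.
function findCustomerSafe(PDO $db, string $email): array {
    $stmt = $db->prepare('SELECT id, email, card_last4 FROM customers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
$email = "o'brien@example.com"; // legitimate input that happens to contain an apostrophe

try {
    findCustomerUnsafe($db, $email);
} catch (PDOException $e) {
    // The spliced query breaks on a plain apostrophe; a hostile string would do worse.
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}

$rows = findCustomerSafe($db, $email);
printf("safe query returned %d row(s): %s\n", count($rows), json_encode($rows));
```

The prepared statement returns the one matching row; the spliced query cannot even parse the same benign input, which is the defect the "tip" is mocking.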
After an easy breach, hackers leave “TIPS WHEN RUNNING A SECURITY COMPANY”
[Sean Gallagher/Ars Technica]