[BreachExchange] NCIX servers sold on Craigslist with 15 years of user data

Destry Winant destry at riskbasedsecurity.com
Mon Sep 24 09:39:06 EDT 2018


https://www.tweaktown.com/news/63283/ncix-servers-sold-craigslist-15-years-user-data/index.html

NCIX is in some big effing trouble with a story breaking over the
weekend that someone had access to their old servers that went for
auction and were purchased, after the Canadian retailer went bankrupt
in 2017.

The servers that were previously owned by NCIX somehow ended up on
Craigslist, with Travis Doering from Privacy Fly accessing the servers
and pretending to be someone called "Jeff" for privacy (fly) reasons.
Doering was after the data on the NCIX server, making it clear he was
after the contents of the HDD alone and not the juicy server hardware.
Doering met with the seller multiple times, confirming that they were
ex-NCIX servers and that they indeed had NCIX user and business data
on them.

The used servers were sold because NCIX reportedly didn't pay their
warehouse storage bills in late 2017, with over $115,000 owed, so
the servers were given to the warehouse owner to sell to recoup costs.
Yeah well, the NCIX servers weren't wiped and millions of customers'
private details were exposed, as well as those of business customers
who used to buy many millions' worth of goods.

Doering said that Jeff, the guy selling the NCIX servers on
Craigslist, had access to "300 desktop computers from NCIX's corporate
offices and retail stores, 18 DELL Poweredge servers, as well as at
least two Supermicro servers running StarWind iSCSI Software that
NCIX had used to back up their hard disks". Jeff also gave Doering
access to even more storage, with "109 hard drives which had been
removed from servers before auction and one large pallet of 400-500
used hard drives from various manufacturers".

These servers and storage drives held the personal data of millions
of people, with credentials, invoices, photographs of customers' IDs,
bills, customer names, addresses, email addresses, phone numbers,
IP addresses, and unsalted MD5-hashed passwords. You
know, pretty much everything. The database had 258,000 payment card
details, all stored in plain text, and 3.8 million orders.

Even worse, Doering found the backup image for NCIX founder Steve Wu,
showing just how bad this data breach could've been.

The Craigslist seller was happy for Doering to copy all of the NCIX
customer data from ALL of the server HDDs, without buying any of the
hardware. This is beyond sketchy, just in case you're not aware of
this situation, because at this point, it's ridiculously bad. Jeff even told
Doering that at least one other person had purchased the old NCIX
data, so who knows how many people have access to it at this stage.

