09-20-2018, 03:32 PM
|
#1
|
|
Franchise Player
Join Date: May 2004
Location: Marseilles Of The Prairies
|
Ever Bought Something From NCIX? Hope You Used PayPal...
Jesus christ.
https://www.privacyfly.com/articles/ncix_breach/#three
Quote:
August 1, 2018. A rare sunny day in rain ridden Vancouver, British Columbia. Typical of my introverted lifestyle, I found myself indulging my passion for used computer hardware by scouring Craigslist. Post after post of monotonous listings began to blend together as an intriguing title caught my eye. “NCIX Database Servers - $1500 (Richmond BC)”. The seller claimed to be offering two servers, one a Database Server from NCIX and another, a Database Reporting Server. The seller claimed to have acquired both from Vancouver based Able Auction’s. I would later find out that was a lie, crafted to conceal their true origin. I emailed the seller and plainly stated, “I am interested in the server, does it have data in the database or is it a fresh install? I am primarily interested in the data.” To which I received no reply.
August 21st, 2018. Twenty days had passed since my inquiry when I received the following response, “sorry for replying late, it has the data. it's unerased server contents.” The seller proceeds to inform me that he has three NCIX servers for sale for which he has the passwords required to login. These series of messages immediately renewed my curiosity and we arranged to meet in person to inspect the data on August 25th, 2018.
|
Quote:
|
The nciwww file contained 291 tables from their NCIX US store and had multiple versions of the file with data going back to 2007. The version I spent time analyzing was dated between November 2013 to February 2015. All the various versions of the MDF database files had been unencrypted with the last file being dated in 2017 for most of the databases. The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.
|
Goddamn that company was shady but...goddamn. There must be some kind of possible class-action suit here.
__________________
Quote:
Originally Posted by MrMastodonFarm
Settle down there, Temple Grandin.
|
|
|
|