Calgarypuck Forums - The Unofficial Calgary Flames Fan Community
Old 09-20-2018, 03:32 PM   #1
PsYcNeT
Ever Bought Something From NCIX? Hope You Used PayPal...

Jesus christ.

https://www.privacyfly.com/articles/ncix_breach/#three

Quote:
August 1, 2018. A rare sunny day in rain ridden Vancouver, British Columbia. Typical of my introverted lifestyle, I found myself indulging my passion for used computer hardware by scouring Craigslist. Post after post of monotonous listings began to blend together as an intriguing title caught my eye. “NCIX Database Servers - $1500 (Richmond BC)”. The seller claimed to be offering two servers, one a Database Server from NCIX and another, a Database Reporting Server. The seller claimed to have acquired both from Vancouver based Able Auction’s. I would later find out that was a lie, crafted to conceal their true origin. I emailed the seller and plainly stated, “I am interested in the server, does it have data in the database or is it a fresh install? I am primarily interested in the data.” To which I received no reply.

August 21st, 2018. Twenty days had passed since my inquiry when I received the following response, “sorry for replying late, it has the data. it's unerased server contents.” The seller proceeds to inform me that he has three NCIX servers for sale for which he has the passwords required to login. These series of messages immediately renewed my curiosity and we arranged to meet in person to inspect the data on August 25th, 2018.
Quote:
The nciwww file contained 291 tables from their NCIX US store and had multiple versions of the file with data going back to 2007. The version I spent time analyzing was dated between November 2013 to February 2015. All the various versions of the MDF database files had been unencrypted with the last file being dated in 2017 for most of the databases. The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information. There were also three hundred eighty-five thousand names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses and unsalted MD5 hashed passwords. The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.
Goddamn that company was shady but...goddamn. There must be some kind of possible class-action suit here.
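The second quoted excerpt says the customer table stored passwords as unsalted MD5 hashes. The block below is an added illustration of why that storage scheme is the problem, not code from the linked article, from NCIX, or from anyone in this thread. The user records are constructed samples (no real NCIX data), and the helper names (md5_unsalted, hash_salted, verify_salted, duplicate_password_groups) are hypothetical. It shows that with unsalted MD5 every pair of users who chose the same password is visible as an identical stored value without recovering a single password, and that a salted, iterated scheme (PBKDF2-HMAC-SHA256 from the standard library, used here as the corrected example) removes that cluster while still verifying correctly.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample user records (not NCIX data). Two users chose the same password.
USERS = {
    "alice": "summer2014",
    "bob": "summer2014",
    "carol": "correct horse battery staple",
}


def md5_unsalted(password: str) -> str:
    """The storage scheme the article describes: a bare MD5 digest with no salt.
    Equal passwords always produce equal stored values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Stored as 'iterations$salt_hex$digest_hex'
    so the verifier can recover the parameters from the record itself."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_password_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames whose stored values are byte-for-byte identical.
    Under unsalted MD5 this exposes every shared password as a cluster."""
    groups: Dict[str, List[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {stored: users for stored, users in groups.items() if len(users) > 1}


def compare_schemes(users: Dict[str, str]) -> Dict[str, object]:
    """Store the same users both ways and report what an attacker with the table can see."""
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: hash_salted(p) for u, p in users.items()}
    return {
        "unsalted_clusters": duplicate_password_groups(unsalted),  # alice and bob collide
        "salted_clusters": duplicate_password_groups(salted),      # empty: salts differ
        "salted_verifies": all(verify_salted(p, salted[u]) for u, p in users.items()),
    }


if __name__ == "__main__":
    report = compare_schemes(USERS)
    print("unsalted MD5 clusters:", report["unsalted_clusters"])
    print("salted PBKDF2 clusters:", report["salted_clusters"])
    print("salted records verify:", report["salted_verifies"])
```

The cluster check is the same one a defender would run over a leaked table to gauge exposure: with unsalted MD5 it needs no cracking at all, which is why the excerpt's "unsalted MD5" detail matters as much as the plaintext card data.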
Old 09-20-2018, 03:41 PM   #2
Fuzz

Wellll sheeeet. Looks like I ordered twice from them. Credit card they have has expired, so I'm not sure what the risk is for me.
Old 09-20-2018, 04:04 PM   #3
ZedMan

Quote:
Originally Posted by PsYcNeT View Post
Goddamn that company was shady but...goddamn. There must be some kind of possible class-action suit here.
Who would they sue? NCIX is gone.
Quote:
The database also contained full credit card payment details in plain text for two hundred and fifty-eight thousand users between various tables.
Well THAT's certainly not PCI-DSS compliant...

*edit* After reading I sure hope the author contacted the authorities with 'Jeff's identity. What an ahole.

Last edited by ZedMan; 09-20-2018 at 04:11 PM.
Old 09-20-2018, 04:10 PM   #4
Hemi-Cuda

So who runs the NCIX website now? Going to it you'd think nothing ever happened, it looks normal
Old 09-20-2018, 04:45 PM   #5
DoubleK

Quote:
Originally Posted by ZedMan View Post
Who would they sue? NCIX is gone.
The officers of the company would still be liable under their fiduciary duty to the customers.
Old 09-20-2018, 04:51 PM   #6
Ducay

Quote:
Originally Posted by DoubleK View Post
The officers of the company would still be liable under their fiduciary duty to the customers.
Fiduciary to customers by Officers? You wish. Perhaps criminal level negligence by someone auctioning off servers with data (could even be the court appointed trustee), but you're likely thinking of fiduciary duty to shareholders by the directors that often can create liability, but any director worth their salt would have proper insurance.
Old 09-20-2018, 04:56 PM   #7
DoubleK

Might have got my terminology not quite straight, but wouldn't that insurance be a target for a lawsuit?
Old 09-20-2018, 07:04 PM   #8
DownhillGoat

Quote:
Originally Posted by PsYcNeT View Post
There must be some kind of possible class-action suit here.
Considering the payout for a government employee losing a drive with unencrypted student loans info (which is infinitely more sensitive than an old credit card number) was $60, this one should net me a sweet 25 cents.
Old 09-20-2018, 07:29 PM   #9
Ducay

Quote:
Originally Posted by DoubleK View Post
Might have got my terminology not quite straight, but wouldn't that insurance be a target for a lawsuit?
Might be a target, but proving a director didn't do their due diligence or duties around a bankruptcy sale would be tough to prove; not really up to them to ensure it's disposed of right unless they pushed for it or otherwise caused it to happen.

Either way, good luck collecting.
Old 09-20-2018, 10:41 PM   #10
Wormius

Yep. Bought a few things a couple of years ago. Pretty sure the credit card has expired since considering it was a 802.11b AP.

Wonder when I will be getting an email from haveibeenpwned.
Old 09-20-2018, 10:57 PM   #11
chemgear

LOL 8:15

Old 09-20-2018, 11:03 PM   #12
Wormius

Double post
Old 09-21-2018, 02:22 PM   #13
Buff

A guy who works with my friend is on one of those screen grabs listing people's names and city. He's a bit unhappy.
Old 09-21-2018, 03:15 PM   #14
ZedMan

Yeah those pics really aren't redacted as much as they ought to be.
Old 09-21-2018, 03:17 PM   #15
PsYcNeT

I have to assume that he didn't redact them so people would take his claim seriously.
Old 09-21-2018, 03:29 PM   #16
Fuzz

It's not much different than what's in a phone book, is it?
Old 09-21-2018, 04:11 PM   #17
BloodFetish

Quote:
Originally Posted by Fuzz View Post
It's not much different than what's in a phone book, is it?
Usernames and passwords in plain text? Let's take those credentials and have a bot try them on PayPal and the big 5 banks...
Old 09-21-2018, 04:15 PM   #18
Wormius

Quote:
Originally Posted by BloodFetish View Post
Usernames and passwords in plain text? Let's take those credentials and have a bot try them on PayPal and the big 5 banks...


Those weren’t shown in the article, AFAIK.
Old 09-21-2018, 04:18 PM   #19
BloodFetish

I'm confused. Was Fuzz talking about what wasn't redacted in the pictures, or the data for sale?

Re-read the last few posts and probably the former.
Old 09-21-2018, 04:30 PM   #20
DownhillGoat

I think he was commenting on Names/Addresses not being redacted.

Either way if you use the same password/username for everything in this day and age, I have little empathy.