This time we are reporting on an NCIX data being sold on Craigslist with data from as far back as 10 years. The news surfaced online when a researcher found NCIX database servers for sale on the popular platform Craigslist. The seller allegedly possessed loads of hardware and databases abandoned by NCIX.
NCIX Data Breach Leading To A Horrific Trade
A security researcher from Privacy Fly unveiled a peculiar security breach involving millions of customers. The NCIX data breach was allegedly put at risk from NCIX customers who collaborated with the now defunct firm over the past 15 years.
The researcher Travis Doering brought the report to light in a detailed blog post. According to the blog, Doering found a strange ad on Craigslist while he was looking for some used computer hardware. There, he noticed the advertisement of NCIX servers for sale. Delving into details, he found that the seller possessed three different unwiped servers from the defunct company Netlink Computer Inc. (brand name ‘NCIX’).
Out of curiosity, he decided to meet the seller (named ‘Jeff’) while disguising himself as a potential customer for the servers. He analyzed the servers and made shocking discoveries. The servers had loads of customer and employee data with explicit personal, professional and financial details.
How Did The Seller Get Those Servers
Upon meeting Jeff, Doering was curious to know the source of the servers involved in this NCIX data breach. He succeeded in finding out some details from the seller. According to him, NCIX abandoned the servers in a warehouse they previously rented.
“Jeff confided in me that NCIX had been renting a portion of a warehouse in Richmond where all the hardware is currently located. He explained that the owner of the hardware is currently NCIX’s previous landlord, as NCIX had abandoned the hardware when they failed to pay a past due rent total of $150,000.”
Jeff, having links with the warehouse owner, could therefore access the servers as he tried to help the owner recover the owed amount.
“Jeff proceeded to tell me that he had previously assisted the landlord in selling 500 of NCIX’s desktop computers and some enterprise hardware via Able Auctions in April of this year.”
Despite selling a few items, the seller still possessed around 300 computers, 18 DELL servers, and at least two Supermicro servers from the NCIX.
The Story Continues…
Doering continued to meet the seller on multiple occasions with different requirements after his first visit. Every time he could get his hands on the servers, he found shocking things. The database, which the seller was ready to sell even without hardware, contained explicit details about the NCIX employees and the customers.
In his first visit, he could analyze an NCIX server that showed some XML files. There, he found “plain text names, usernames, passwords, and addresses”. On his next visit, he got the chance to review an ex-NCIX employee’s computer, that contained a “treasure trove of confidential data”.
“The computer contained a treasure trove of confidential data including credentials, invoices, photographs of customers ID’s, Bills, and Mr. Ma’s T4 among other files.”
Upon further exploration of a Supermicro server, he even found some personal data and photographs of the NCIX owner. In addition, he found other details in various SQL databases, titled, nciwww, posreports, payroll_Data, and OrdersSql.
The Treasure Trove Revealed…
Doering has explicitly listed what he found in the databases in his blog. Here we present a summary to you.
“The nciwww database contained a thousand records from affiliates listing plain text passwords, addresses, names, and some financial data. In another table of information, I found customer service inquiries including messages and contact information.”
In addition, he found 385,000 records including names, addresses, email addresses, IP addresses, company names, phone numbers, unsalted MD5 hashed passwords, and serial numbers with dates of purchase, and payment details for 258,000 users.
Proceeding further, in the OrdersSql_Data file, the Canadian database, he found the data dating back to 15 ago. He then analyzed the version having 3,848,000 records for three years (2007 to 2010). Regarding the details he found, Doering states,
“Contents included names, company names, items purchased with serial numbers, addresses, phone numbers, and payment data. I also opened a more recent version of the file and it contained the addition of email addresses.”
Netlink Computer Inc. established itself as a computer hardware/software retailer in Richmond, BC, Canada. Owned by Steve Wu, the firm started off in 1996 as a walk-in retail outlet, which emerged into an online computer sales company in 1997. In his firm, Steve Wu appointed many people from Taishan, China, his birthplace. The company then grew up to establish some physical stores as well in Vancouver, Toronto, and other places.
However, the firm started facing a downfall since July 2017, resulting in the closure of several retail stores. Ultimately, in December 2017, the firm filed for bankruptcy. Since then, nothing noteworthy came up online regarding the defunct firm until Travis Doering dug out the NCIX database server ads on Craigslist to unveil a massive security breach.
After the news surfaced online, according to ZDNet, the Craigslist advertisement, as well as the Facebook profile of the alleged NCIX employee Chadwick Ma, went offline. We, at LHN, also tried to search for the Craigslist ad, but failed.
Nonetheless, we hope the Richmond Royal Canadian Mounted Police will resolve the underlying mysteries regarding the NCIX data breach. They announced a beginning of investigations regarding the incident in a tweet.
Yesterday afternoon we opened an investigation into data storage devices being sold online allegedly containing customer data from a defunct, but well-known computer retailer. We have since recovered the storage devices. Our investigation is active and on-going.
— Richmond RCMP (@RichmondRCMP) September 21, 2018
While finding breached data for sale isn’t anything strange, the present event perhaps sets a new model. Usually, we find such databases for sale on the dark web by hackers. However, in this incident, the seller was bold enough to advertise the loaded database servers on a public platform like Craigslist.
Stay tuned as we shall update you as we get more noteworthy information about the NCIX data breach.