NCIX data breach

[Xtrema]

https://www.privacyfly.com/articles/ncix_breach/#three

Watch for your transactions if you ever did business with them.

[Sentry]

Haven't ordered from them in a decade. That's pretty crazy though, guess they didn't give a fuck after going bankrupt and just fire sale'd all their shit without wiping it.

[Sentry]

The examination portion of the meeting began to wind-down as time flew by and Jeff jumped into brokering a deal over a cup of tea. The first offer was thirty-five thousand dollars which would allow me to purchase all the desktop’s and server hardware, excluding one group of hard drives that I had analyzed which he would allow me to copy. This struck me as strange and I inquired as to why I couldn’t purchase those drives. He explained that those drives and the data on them had already sold for around fifteen thousand dollars to a foreign buyer who was arriving in Vancouver to acquire them in December. “December” I quipped in questioning tone which, prompted Jeff to explain that even though the buyer was picking up the physical drives in December. Jeff had already copied the data from those drives to a network storage device and allowed the buyers remote access. The data on those drives contained thirteen terabytes of SQL databases and various VHD and Xen server backup files. I cringed at the thought of that data being sold once, as it was dangerous enough when during further conversation Jeff mentioned at least five other buyers. Jeff described one as a completing retailer while the other three Jeff claimed to “Not Want to Know” their intentions or business. Armed with the knowledge that Jeff was willing to sell the data without all the hardware attached to the deal, I mentioned that I had little use for hardware which prompted him to make a considerably shadier proposal. Jeff stated that I could pay fifteen thousand dollars to copy all the data from the hard drives including the ones that he had previously sold. This scenario would playout with my employer paying fifteen thousand dollars to “Rent the Room” and he would provide me with a couple of desks and some servers to image all the data onto my own drives. Jeff and I tentatively agreed on the second deal and I quickly exited the warehouse.

On my way out, I couldn’t help but think about how Jeff boasted that he was able to “crack their ISCSI server with very simple tools in five minutes” and called their security “really, really, bad” and I would whole heartedly agree with him there. This entire scenario could have been avoided by simply implementing full disk encryption within their organization or destroying the drives as their bankruptcy loomed. NCIX founder Steve Wu worked in IT for many years and fully understood the risk involved in his choice not to encrypt any data and then the repercussions of him abandoning the assets in a warehouse. Mr. Wu’s reckless behavior has harmed every individual and business NCIX dealt with, by allowing millions of confidential records to be sold without any oversight to anonymous buyers. The data can easily be used to cash out credit cards, craft convincing phishing messages containing details on purchases and commit identity theft.

I wouldn't at all be surprised if Steve Wu was in on this sale of data, now that the company is sunk. This story is just breaking so it could be interesting to see how it plays out.

[Xtrema]

This quote is hidden because you are ignoring this member. Show Quote

Haven't ordered from them in a decade. That's pretty crazy though, guess they didn't give a fuck after going bankrupt and just fire sale'd all their shit without wiping it.

Sounds like the DB goes back to to 2005. Also there are tons of employee SIN numbers exposed with T4 and such as well.

August 21st, 2018. Twenty days had passed since my inquiry when I received the following response, “sorry for replying late, it has the data. it's unerased server contents.” The seller proceeds to inform me that he has three NCIX servers for sale for which he has the passwords required to login. These series of messages immediately renewed my curiosity and we arranged to meet in person to inspect the data on August 25th, 2018.

August 25th, 2018. I arrived to the agreed upon address, a warehouse in Richmond, British Columbia. I met an Asian man in his mid-thirties who identified himself as Jeff. He led me up a flight of stairs above the warehouse into a nearly empty office with cheap laminate flooring. The office contained three rooms. The first housed nothing but a child’s play mat. The second, a main room contained two cheap folding tables, some chairs and a tea stand. The third was sporting a bed, various electronics equipment and a NCIX Server propped up on a folding table in what I can only describe as feeling unsettlingly transient. I remember the thought crossing my mind that this was the kind of room someone could “disappear” in. Those thoughts were quickly dashed as Jeff’s young son came into the room, which put me at ease while also making me question why he would bring this son along on this deal.

Sounds like Jeff got the password. So either it got sold with auction or "Jeff" used to work for NCIX and stole the gear.

[Sentry]

Yeah the thing is, I no longer live at the billing address used and the credit card used expired ages and ages ago lol. So I'm probably safe.

EDIT: I'm having fun going through my old orders on gmail and getting nostalgic though.

[firebane]

This is not good news for people like myself. As I was both an employee AND customer *sigh*

Will be watching shit closely for awhile.

[rage2]

Ordered tons of shit through them, somehow I setup my first payment via PayPal in 2009 and only paid that way because I was lazy.

[schocker]

My last payments in 2016 and 2017 were all paypal, but since it seemingly goes back forever I will watch my mastercard which it looks like I used once as well.

[Xtrema]

This quote is hidden because you are ignoring this member. Show Quote

Ordered tons of shit through them, somehow I setup my first payment via PayPal in 2009 and only paid that way because I was lazy.

Same here, so other than shipping address, I could care less.

[Sentry]

Yeah mine was only ever through paypal, from 2005-2009. Then I moved to Calgary and discovered Memex. Check out this absolute beauty of a build I did in 2008.

[ZenOps]

I guess they know now that I used an 8800GT for eight years without upgrading. Yup, choices were a little more limited back then as a computer enthusiast - NCIX and Newegg (also data breached) were both go to places for tech.

[JRSC00LUDE]

This quote is hidden because you are ignoring this member. Show Quote

I guess they know now that I used an 8800GT for eight years without upgrading. Yup, choices were a little more limited back then as a computer enthusiast - NCIX and Newegg (also data breached) were both go to places for tech.

https://www.skyandtelescope.com/obse...landing-sites/

[ZenOps]

Yup, when NASA finally had the ability to launch a vehicle that could accurately look at the surface of the moon (at least down to the meter) in 2009 is about the same time as when the 8800GT became popularized. By that timeline, it only took NASA 40 years to degrade to the point of only observing instead of actually doing.

By my estimation, it took 10 years to increase graphics processing by a factor of 10x (1,000% faster) quite impressive given the obvious regression of space technology of the last 40 years.


Side factoid: The LRO also did eventually find the Russian rover landing spot after about a year of searching the surface of the moon. I hear they actually employed actual humans to for thousands of hours to visually look at the pictures, instead of *totally* relying on the AI to find that needle in a haystack.

https://www.universetoday.com/59881/...an-spacecraft/

https://en.wikipedia.org/wiki/Lunokhod_2 Some say 2010 is when they spotted it, others say 2012.

I think China should launch a LRO by 2050, so that they can attempt a manned moon mission with accurate data on landing spots - maybe by 2100. That is - when you don't have to bankrupt the entire nation to get a few moon rocks made of chalk.

PS: I can say with 99.9% certainty that the USA did manage to launch a spacecraft capable of taking pictures of the moon from orbit in 2009. No conspiracy there, it is quite a technical and fully realistic achievement. And is a cautious first step - to landing a donkey on the moon.



I'd like to thank NCIX for selling me that 8800GT, it has served me well for nearly a decade of flesh tone and moon based image viewing :P

[Xtrema]

https://www.cbc.ca/news/canada/briti...each-1.4833976

RCMP recovered hardware, investigation started.

[firebane]

This forum was started by a NCIX employee and a lot of the members are either ex employees or customers. Interesting thread.

https://www.hardwarecanucks.com/foru...000-users.html

[rage2]

Well the NCIX data is clearly out there. Got this email this AM, complete with the correct unique password I used on NCIX.



Guy's right, I do have great taste in porn.

[firebane]

This quote is hidden because you are ignoring this member. Show Quote

Well the NCIX data is clearly out there. Got this email this AM, complete with the correct unique password I used on NCIX.



Guy's right, I do have great taste in porn.

Oh shit?!

[killramos]

Lol that’s some great software he’s got there!

[msommers]

Wow that's fucked.

[Sentry]

What was the subject? So we know what to look for in our inboxes. Or was it just your password as the subject?