South African ISP suffers massive password leak online

Jings

Treasure Maker
Joined
Mar 6, 2012
Messages
39,153
Imagine how the CW staff feel. This was a service provider who was compromised before their company even started...

I can imagine they felt unprepared when dealing with proper security measures.

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
78,957
I'd be surprised if DJ wasn't also PM'd. The hades guy must have regarded that as due diligence with regards to notifying CW.

Be surprised. The first DJ knew about it was when myBB approached him for comment after they received the tipoff.

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
78,957
Information was leaked. Why are you taking it personally? Are you employed by them?

I am not. Nor am I taking it personally. Just pointing out your failure in understanding the article.

Jings

Treasure Maker
Joined
Mar 6, 2012
Messages
39,153
I am not. Nor am I taking it personally. Just pointing out your failure in understanding the article.

No I understand it pretty well, hence my comments on the leak of personal information.

The Door

Honorary Master
Joined
Jul 18, 2008
Messages
58,453
Are these guys still forcing users to register and log into their portal with no SSL?

Trying to reason with these guys is like talking to a brick wall. Way too much ego at the top. Wasn't one banned from this forum at one point?
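The question above about a portal that takes registrations and logins with no SSL is something anyone can check for themselves. The script below is an added example written for this page; it is not code from the thread, from Crystal Web or from their software provider, and the portal URL and HTML it uses are constructed for illustration. It parses a page, finds every form that carries a password field, resolves the form's action against the page URL, and flags the form if either the page itself or the submit target is not https (a form fetched over plain http can be rewritten in transit even when its action says https, so the page scheme matters too).

```python
"""Flag login/registration forms that would send credentials over plain HTTP.

Added example, not part of the original thread or the ISP's portal.  The page
URL and HTML below are constructed samples; the .invalid TLD never resolves.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> and whether it contains an <input type=password>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # type is case-insensitive in HTML; a missing type means "text"
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms_over_http(page_url, html):
    """Return the resolved submit URLs of password-carrying forms that are unsafe.

    A form is unsafe when the page it lives on was served over http:// (an
    attacker on the path could rewrite the form) or when its resolved action
    is not https://.  A relative or empty action resolves against page_url,
    exactly as a browser would resolve it.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    unsafe = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if not page_is_https or urlsplit(target).scheme != "https":
            unsafe.append(target)
    return unsafe


# Constructed sample: a portal page served over http:// with a search form
# (no credentials), a login form posting to a relative path, and a
# registration form whose action is explicitly https.
SAMPLE_URL = "http://portal.example.invalid/login"
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="doLogin.php" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
</form>
<form action="https://secure.example.invalid/register" method="post">
  <input type="email" name="email"><input type="password" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in credential_forms_over_http(SAMPLE_URL, SAMPLE_HTML):
        print("credentials would be exposed on the way to:", url)
```

Run against a live page, the only change is fetching the HTML (for example with `urllib.request`) and passing the final URL after redirects, since a portal that redirects http to https before showing the form is the case you want to confirm, not the one you want to flag.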

CataclysmZA

Executive Member
Joined
Apr 1, 2010
Messages
5,531
My guess is that for those of you who never used the portal, you never were affected by the breach because your profile was never made or activated on the portal.

People like me, though, who did try to use it, are the ones affected.

crackersa

Honorary Master
Joined
May 31, 2011
Messages
29,028
Trying to reason with these guys is like talking to a brick wall. Way too much ego at the top. Wasn't one banned from this forum at one point?

Sometimes the customer has the ego :whistling:

And yes, one was banned for challenging moderators. Had nothing to do with the business side of things.

Are you a current customer?

DJ...

Banned
Joined
Jan 24, 2007
Messages
70,287
I can assure you that these malicious actions evoke far greater emotions in us as a company than has so far been speculated by a few comments. To clarify a few points:

1) We were not contacted by the person responsible for the data leak whatsoever. These actions appear entirely malicious.
2) Crystal Web utilises software from a local company on a licensing model, and they host the software on a dedicated managed server. At no point have we ever had access to this server, in the same way as buying a software license for cloud services like cloud mail doesn’t entitle the mail client access to the provider’s infrastructure underlying those services.
3) The malicious code was uploaded to this particular server before Crystal Web was even incorporated as a company, let alone began doing business with the provider, and as a dedicated managed server it is routinely audited by both the hosting provider and developers for any security vulnerabilities. As a client of a software company, even if we wanted access to this server, it would not be granted and the infrastructure deployed to is specifically selected for its security benefits on the basis of securing such expertise.
4) The very moment that we were made aware of the potential problem, we sprang into action to do all that we could to mitigate against any risk reasonably within our control, given the strict time-constraints we were under, as we do sincerely take this sort of thing very seriously and it was quite evident that the actions of the perpetrator were malicious in nature. The intention was to cause harm to Crystal Web and to our customers, and we’d been given stringent dates by which to have completed our mitigation efforts.
5) While I can understand where you are coming from if you feel we have let you down, it’s important to contextualise this correctly: if you rent a vehicle with a safety inspection certificate from a company that buys in cars from a managed services agent responsible for ensuring that all safety stipulations are met, and it turns out that a fault exists that has resulted in an accident with another vehicle, the other driver may feel warranted in being angry, but can only see the incident from the point of view of the impact time-frame. If it turns out that the vehicle carried a fatal fault that you were under the impression had been checked for and cleared, and this directly resulted in the accident, in my mind that changes things a bit as I’m not sure the driver could reasonably be expected to have known about the existence of the problem, and had the driver known, he/she had a very clear vested interest in resolving the problem. Now imagine that the fault exists only as a result of somebody maliciously tampering with the vehicle years before you rented it, with the specific intention to cause harm to the driver and all other road users, and you have a similar premise to what has taken place.


Had this been an incident of someone using their expertise to point out a security flaw in our code, we’d 100% respect their work and efforts, and immediately initiate a process to remedy the problem. We respect and support responsible white hacking and believe that it serves a positive function for companies and end-users alike. But in this case it was nothing more than malicious activity in an effort to cause harm to us as a business (and potentially other companies) as well as to the general public, by taking advantage of the existence of a security flaw they created or at least took advantage of, and that we couldn’t possibly have known existed on another provider's infrastructure.

We are taking extraordinary measures on our end to ensure that such an incident is not repeated and will release information in due course in this respect, but will do so responsibly so as to avoid any possibility of compounding risk for any other companies and their clients potentially at risk. It should go without saying, but I’ll affirm our position nonetheless, that we condemn these malicious actions in the strongest possible terms, and will cooperate with all subsequent criminal investigations into this matter in an effort to hold those responsible to account...

The Door

Honorary Master
Joined
Jul 18, 2008
Messages
58,453
Sometimes the customer has the ego :whistling:

And yes, one was banned for challenging moderators. Had nothing to do with the business side of things.

Are you a current customer?
An ex customer. I got offended at the way they attacked postman pot and insulted / called him a liar etc. in here. I've been a lurker in here since 2005. The trouble is that you're always representing your company if you use the same name to post on a personal level and support clients in here.

Bryn

Doubleplusgood
Joined
Oct 29, 2010
Messages
16,590
@DJ... No worries from me. One thing though - my email field was blank in that leak. Does that mean my profile is incomplete on your system? Is that why I never received an email with my new password?

An ex customer. I got offended at the way they attacked postman pot and insulted / called him a liar etc. in here. I've been a lurker in here since 2005. The trouble is that you're always representing your company if you use the same name to post on a personal level and support clients in here.

I like the fact that DJ calls a spade a spade. Everyone has attacked the postman at some point. He's basically a rep for a bunch of companies, Apple and Mweb included.

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
OOOOOOOOOOOOOooooooooooohhhhhhhhh!

Of course now CW is an ISP and features on mybroadband; I think this is called... Cherry Picking.

The spice must flow!

There are other ISPs and companies who have done substantially worse things and seem to have gotten away through a couple of paid editorials. Leaks of that nature will always happen, but then it is more important how the company affected reacts and does damage control. CW did what was necessary. There are other companies who denied similar incidents for weeks (FWIW - do a search on Pastebin for some prominent SA domain email suffixes and you will see what I mean) without taking ownership.