- Joined
- May 15, 2016
- Messages
- 10,262
- Likes
- 2,620
- Points
- 1,730
InfoTrax Systems, a hosting company for MLM applications, has not noticed any compromise for several years. Hacking was discovered only after a giant archive file took up almost all of the disk space on the server.
Back in 2016, the company first reported security problems: then an unknown hacker stole the personal data of about a million InfoTrax Systems users. After this incident, the Federal Trade Commission (FTC) became interested in the company and began its own investigation of what happened.
As it became known now, according to the FTC, the attacker took advantage of a vulnerability on the InfoTrax Systems website to download malicious code that allowed him to remotely control not only the company's website, but also the infrastructure of neighboring servers. Even worse, the attacker has been in contact with InfoTrax servers for almost two years, from May 2014 to March 2016. During this time, he contacted the company’s network at least 17 times.
InfoTrax Systems employees failed to notice the intrusion on their own. FTC representatives write that the company simply did not have the proper security systems and solutions for detecting unauthorized access and file changes. Hacking became known almost by accident: on March 7, 2016, one of the servers almost ran out of disk space, which the company learned from an automatic message.
As it turned out, while collecting data from InfoTrax Systems servers, an unknown attacker created an archive file that became so large that the disk almost ran out of space.
In total, the cracker stole about a million user records from a number of InfoTrax Systems customers. At that time, the company's servers hosted a total of about 11.8 million users, and they were stored openly. As a result, the criminals ended up with social security numbers, information about payment cards and bank accounts, as well as usernames and their passwords.
This week, representatives of the Federal Trade Commission and InfoTrax Systems finally agreed. The company was required to implement certain security measures, including: inventorying and deleting personal information of users when it is no longer needed; regularly check the code of your software and test your network; detect malvari boot; actively segment the network, as well as implement tools to protect against attacks and to detect unusual activity. Representatives of InfoTrax Systems hastened to report that many of these points had already been implemented earlier, even before the FTC decision.
Back in 2016, the company first reported security problems: then an unknown hacker stole the personal data of about a million InfoTrax Systems users. After this incident, the Federal Trade Commission (FTC) became interested in the company and began its own investigation of what happened.
As it became known now, according to the FTC, the attacker took advantage of a vulnerability on the InfoTrax Systems website to download malicious code that allowed him to remotely control not only the company's website, but also the infrastructure of neighboring servers. Even worse, the attacker has been in contact with InfoTrax servers for almost two years, from May 2014 to March 2016. During this time, he contacted the company’s network at least 17 times.
InfoTrax Systems employees failed to notice the intrusion on their own. FTC representatives write that the company simply did not have the proper security systems and solutions for detecting unauthorized access and file changes. Hacking became known almost by accident: on March 7, 2016, one of the servers almost ran out of disk space, which the company learned from an automatic message.
As it turned out, while collecting data from InfoTrax Systems servers, an unknown attacker created an archive file that became so large that the disk almost ran out of space.
In total, the cracker stole about a million user records from a number of InfoTrax Systems customers. At that time, the company's servers hosted a total of about 11.8 million users, and they were stored openly. As a result, the criminals ended up with social security numbers, information about payment cards and bank accounts, as well as usernames and their passwords.
This week, representatives of the Federal Trade Commission and InfoTrax Systems finally agreed. The company was required to implement certain security measures, including: inventorying and deleting personal information of users when it is no longer needed; regularly check the code of your software and test your network; detect malvari boot; actively segment the network, as well as implement tools to protect against attacks and to detect unusual activity. Representatives of InfoTrax Systems hastened to report that many of these points had already been implemented earlier, even before the FTC decision.