According to a new blog post from famed security researcher Brian Krebs, the DDoS service offered up by the hacking duo Lizard Squad has been compromised, and the identifying information contained within has been leaked as a result.
If you’ll remember back to Christmas, Lizard Squad made headlines when they took down the networks of Xbox Live and PlayStation Network over the holidays with one of the largest DDoS campaigns in recent history.
Shortly after this success, the group advertised their new service which would hire out the same botnet for all your personal DDoS needs for a nominal fee. With the original gaming attacks being so successful, it didn’t take long before orders were flooding in by the thousands from every corner of the globe.
Though members of the Lizard Squad later claimed that the attack was launched in an effort to get Sony and Microsoft to stay on their security toes, many now believe it was simply a proof of concept to show off their software, and get more people to sign up for the service through their network.
Now it seems the database containing all the usernames, emails, and financial information of people who signed up for the service have been hacked by an unknown third party and released to the general public.
“A copy of the LizardStresser customer database obtained by KrebsOnSecurity shows that it attracted more than 14,241 registered users, but only a few hundred appear to have funded accounts at the service. Interestingly, all registered usernames and passwords were stored in plain text.
Also, the database indicates that customers of the service deposited more than USD $11,000 worth of bitcoins to pay for attacks on thousands of Internet addresses and Web sites (including this one).”
Subscriptions for the “booter service” ran for anywhere from $5.99 per month to take a target offline for 100 seconds at a time, all the way up to $129.99 a month to bring similar sites down for upwards of eight hours per hit.
What makes this story especially fail-worthy (beyond the obviously ironic implications of a world-famous hacking group getting hacked themselves), is that that usernames/passwords stored in their servers was kept in, drumroll please…plaintext.
That’s right, a group who prides themselves on knowing the ins and outs of some of the biggest networks in the biz kept all of their most vital data stored in plain ASCII text for all the world to see if they happened to stumble upon it in the right circumstances.
And as if that weren’t bad enough, one of the members of Lizard Squad was apparently just arrested in the UK. Vinnie Omari, first identified by none other than Krebs himself, surrendered to officials in the country after a warrant was put out for his capture.
Many suspect it won’t be long before he starts flipping on the rest of the gang, and their short, but impactful reign as kings of the underground comes to an quick, and unceremonious end.