January 21, 2015

Hackers Hit Lizard Squad DDoS-as-a-Service, Leak Customer Data

Hacker group Lizard Squad’s DDoS-for-hire service has been hacked, and a list of all 14,241 customers, complete with payment method and account information, has been leaked, KrebsonSecurity reports. The groups troubles were further compounded when one alleged member was arrested on Friday by UK law enforcement and charged with offences related to both Lizard Squad DDoS attacks and “swatting.”
In the wake of successful Christmas day attacks on Playstation and Xbox, Lizard Squad launched what Krebs calls a “stresser” or “booter” service from LizardStresser[dot]su. Customers could create an account, and then pay a fee to knock a website or person offline.
Lizard Squad collected about $11,000 from this criminal business project, before its customer database was hacked and stolen. Since the database was stored in plain text, all of Lizard Squad’s customers are now exposed.

Those customers had largely used the service to knock out Minecraft servers, according to Geek.com, which also reports that only a few hundred of the customers used bitcoin to pay Lizard Squad. Krebs, which was also attacked using the service, suggested in its initial report that all $11,000 collected was in bitcoins.
The use of virtual currency may provide some identity protection for those whose identities are not entirely revealed by the database, but customers of the illegal service should expect to be contacted by law enforcement.
Geek.com also reports that a computer science student’s “very simple scripting tool” had been used breached the database and extracted user names “weeks ago,” but somehow Lizard Squad failed to recognize and patch the vulnerability. Perhaps the startup needs a new CIO.
The Friday arrest brought the third accused Lizard Squad member into custody since Christmas. Even if it had not suffered its own data breach due to poor cybersecurity practices, it is uncertain any would have remained at large to spend the proceeds of their crimes.