Login database at your store hacked?

Status
Not open for further replies.
Why do you not disclose your breach? Apart from legal issues you have an ethical responsibility to disclose this so people that didn't see this thread will change their passwords etc.
This thread is the first we heard of it. We will be sending out an email later today.
 
Why do you not disclose your breach? Apart from legal issues you have an ethical responsibility to disclose this so people that didn't see this thread will change their passwords etc.

Based on the start of this thread it's been 1 business day.

In a former job I dealt with privacy breaches and large-scale customer remediations.

There is a 3-step process in handling them:
1) stop the bleeding
2) make customers whole/inform them
3) find out exactly what went wrong so it can never happen again

My assumption is that Canam is neck deep in #1.
That includes many tasks like: what actually did or didn't happen? What customers were or weren't impacted? If there really is a hole, has it been plugged?

All of those tasks are far more urgent than notifying customers.

Customer comms usually happened 1-2 weeks after the issue was first identified. They are barely on day 2 and have no staff dedicated to this type of thing.
 
This is exactly why vendors asking for photos of PALs, DOB/Address and even credit card numbers via email is such a bad idea.
 
Is there a good reason for this information NOT being on any "Common" sub-forum like "General Firearms Discussion" ?? After 2 days one would think this is a "confirmed breach" ?
 
Is there a good reason for this information NOT being on any "Common" sub-forum like "General Firearms Discussion" ?? After 2 days one would think this is a "confirmed breach" ?
We have not confirmed it yet, but are proceeding with the information as if it has been. The only thing we can do at this stage is recommend changing your password and purging your vital data from your account.
 
CanAm, Thanks very much for your update. When I've purchased from you I didn't set up an account and presume my CC and PAL are scrubbed afterwards.
Best wishes,
Buck
 
When someone receives their email from CanAm, can you please post it (minus any personal info) in this thread? I changed it on the account to a bogus one so I won't be able to check.
 
We have not confirmed it yet, but are proceeding with the information as if it has been. The only thing we can do at this stage is recommend changing your password and purging your vital data from your account.

Short of posting the link here to continue spreading the very accessible file of the breach, is there a way you would like me to send you the link associated with this dump? I see that your profile says you are not currently accepting PMs.
 
Not sure if there is a way to delete the address info from existing orders? Was able to change password and delete payment info/address in the profile. But no way to strip address info/recipient info from the orders.
 
FYI, this email just went out:

We have discovered that it is likely there has been a data breach on CanadaAmmo.com. We are working to correct this situation. At this time, we recommend that all customers change their password and remove any personal details or card numbers from their account.

We do not believe that PAL or credit card numbers have been compromised. It appears that details such as name, address, etc. may have been.

We will keep you updated as we have new information.

If you have any questions, please reply to this email.

Regards,

CanadaAmmo Staff
 
FYI, this email just went out:

We have discovered that it is likely there has been a data breach on CanadaAmmo.com. We are working to correct this situation. At this time, we recommend that all customers change their password and remove any personal details or card numbers from their account.

We do not believe that PAL or credit card numbers have been compromised. It appears that details such as name, address, etc. may have been.

We will keep you updated as we have new information.

If you have any questions, please reply to this email.

Regards,

CanadaAmmo Staff

Thanks for the update. Are there any plans to disable checkout on your website until the situation is resolved?
 
(First time poster, long time lurker)

I found the breach download and was able to grab a copy of it.

The database that was leaked appears to just be the "users" table.

"id,username,email,password,reset_pin,registration_date,last_login,confirmation,ip,role_id"

These are the headers of what was dumped.

The password is hashed via MD5 encryption, which is reversible in the majority of cases, depending on what the password was.

From what I see, there is no personal data outside of emails, passwords, usernames, and ip addresses of accounts.

Change your passwords and all should be good! :)

Same, a simple Google search will give a sample of the breach.
A lot of old data is being stored. Example of what it looks like (info hidden to protect users):

id,username,email,password,reset_pin,registration_date,last_login,confirmation,ip,role_id
1,k*k*@*.ca,$P######HASH##############.,80000008,2011-07-27 17:33:34,2021-02-28 00:01:13,"",0,1
2,***85,c***@****.ca,$P####HASH##########,777777777,2011-09-12 05:40:24,2016-09-08 19:26:36,"",4*7*9*0*5,1

and so on...

What I'd like to see from CanAm:

a) Allow me to delete old orders with my address. (orders that are 10+ years old)
b) Allow me to close my account / delete from database. (no such option)
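Two points in the posts above invite a concrete check: the header row of the dumped users table, and the claim that the password column can be reversed. The Python below is an added example written for this thread; it is not code from the forum or from CanadaAmmo. It parses a constructed users.csv carrying that same header, counts the hash formats in the password column (a bare 32-hex-digit value is unsalted MD5, which precomputed tables apply to directly; a `$P$` prefix, as in the rows quoted above, is phpass, a salted and iterated MD5 scheme; `$2y$` is bcrypt), and then shows the upgrade-on-login migration a site operator would use to replace legacy unsalted MD5 hashes with salted PBKDF2-HMAC-SHA256 without forcing every customer through a reset. The sample rows, the hash values (MD5 of "password" and "123456"), and the `pbkdf2_sha256$` storage layout are all constructed for this example.

```python
"""Audit password-hash formats in a leaked users table and migrate legacy MD5 on login.

Added example: the CSV rows, hash values and the 'pbkdf2_sha256$' storage format
below are constructed for illustration; only the header row matches the thread.
"""
import csv
import hashlib
import hmac
import io
import os
import re
from collections import Counter

# Header as quoted in the thread; every row is constructed sample data.
# Rows 1/2 hold raw MD5 of "password" and "123456"; row 3 a phpass-style
# ($P$) string; row 4 a bcrypt-style ($2y$) string.
SAMPLE_USERS_CSV = """id,username,email,password,reset_pin,registration_date,last_login,confirmation,ip,role_id
1,alice,alice@example.invalid,5f4dcc3b5aa765d61d8327deb882cf99,80000008,2011-07-27 17:33:34,2021-02-28 00:01:13,"",0,1
2,bob,bob@example.invalid,e10adc3949ba59abbe56e057f20f883e,77777777,2011-09-12 05:40:24,2016-09-08 19:26:36,"",3232235777,1
3,carol,carol@example.invalid,$P$BnaWEMFNqfWiRiRdYdMcLXeeIfSWJ/.,12345678,2019-01-01 00:00:00,2021-03-01 00:00:00,"",0,1
4,dave,dave@example.invalid,$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234,,2020-01-01 00:00:00,2021-03-02 00:00:00,"",0,1
"""

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def classify_hash(stored):
    """Label a stored password hash by its format."""
    if MD5_HEX.match(stored):
        return "md5-unsalted"   # one fast digest, no salt: precomputed tables apply directly
    if stored.startswith(("$P$", "$H$")):
        return "phpass"         # salted, iterated MD5 (the $P$ strings shown in the thread)
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"  # this example's own upgraded format
    return "unknown"


def audit_dump(csv_text):
    """Count hash formats in the 'password' column of a users dump."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return Counter(classify_hash(row["password"]) for row in reader)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored as pbkdf2_sha256$<iters>$<salt hex>$<dk hex>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored, password):
    """Constant-time check of a password against a pbkdf2_sha256$ string."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(stored, password):
    """Check a login attempt against the stored hash.

    Returns (ok, replacement). 'replacement' is a new PBKDF2 string only when a
    legacy unsalted-MD5 hash verified; the caller writes it back so the MD5 copy
    disappears from the table without a forced password reset.
    """
    kind = classify_hash(stored)
    if kind == "md5-unsalted":
        digest = hashlib.md5(password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(digest, stored)
        return ok, (hash_password(password) if ok else None)
    if kind == "pbkdf2_sha256":
        return verify_pbkdf2(stored, password), None
    # phpass and bcrypt need their own verifiers (e.g. the bcrypt package); not covered here
    raise ValueError(f"unsupported hash format: {kind}")


if __name__ == "__main__":
    print(audit_dump(SAMPLE_USERS_CSV))
    ok, upgraded = verify_and_upgrade("5f4dcc3b5aa765d61d8327deb882cf99", "password")
    print(ok, upgraded[:40] + "...")
```

The audit step is what an operator runs once over the table to learn how many accounts still carry the weakest format; the `verify_and_upgrade` step is wired into the login path so that each of those accounts is rehashed the next time its owner signs in, and anything that has not signed in after a grace period gets the proactive reset suggested later in the thread.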
 
Same, a simple Google search will give a sample of the breach.
A lot of old data is being stored. Example of what it looks like (info hidden to protect users):

id,username,email,password,reset_pin,registration_date,last_login,confirmation,ip,role_id
1,k*k*@*.ca,$P######HASH##############.,80000008,2011-07-27 17:33:34,2021-02-28 00:01:13,"",0,1
2,***85,c***@****.ca,$P####HASH##########,777777777,2011-09-12 05:40:24,2016-09-08 19:26:36,"",4*7*9*0*5,1

and so on...

What I'd like to see from CanAm:

a) Allow me to delete old orders with my address. (orders that are 10+ years old)
b) Allow me to close my account / delete from database. (no such option)

This is great information and a reasonable ask. Unfortunately the Canadian private sector isn't mandated to have data retention laws like the EU and USA, where the functionality of a hard-delete is mandatory. But it's coming soon, and will be a wakeup call for a lot of Canadian businesses.

In addition to the information you provided above, I'll cross-post a blurb I did this evening on a different website discussing this same topic. That way the users of CGN can benefit as well from the information.

I'm hesitant to really disclose anything that might disclose some information to people that may want to target this for further exploit. Anyone who is tech-savvy should be able to find the breach on a known forum community that shares these breaches (like the 500+ million Facebook leak, for example) using some quick googling.

From what I was able to download and check out, it is simply just hashed passwords and emails. This however doesn't mean there isn't other information out there. Typically in this type of situation, e-mails and passwords are more so used to validate that a breach has happened. Personal information typically is sold for Bitcoin or other cryptocurrency on dark web markets for profit.

In saying this, after combing their site it does appear that they do their banking with TD Canada Trust, as a direct deposit through them is listed as a means of payment. Their credit card processing form looks identical to the documentation that Bambora (formerly BeanStream) provides, as they are the merchant partner for TD Canada Trust business clients. From experience I do know that if this is the case, the credit card information isn't stored, and is instead forwarded through to the payment processor. However, that being said, there's really no way to confirm that they don't record any personal information like credit cards in a database prior to sending the information to Bambora (or any other merchant partner being used).

A quick way to know if your information is being stored on a website is simply to log in to your account to do another purchase. Anything you don't have to fill out again (PAL info, credit card, address, etc.) is stored within their system in some way.

When a database is breached, it doesn't necessarily matter what is released, but we can assume everything is vulnerable. This breach was only put out in the web on April 5, 2022, and from the DB records I have checked and skimmed through, there is evidence of this not being a very recent breach.

Here are the last 3 records in the database dump file:

id,username,email,password,reset_pin,registration_date,last_login,confirmation,ip,role_id
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
79091,ravi_********@*****.com,ravi_********@*****.com,REMOVED FOR CONFIDENTIALITY,81883934,2021-03-29 13:34:30,2021-03-29 13:34:30,"",0,
79092,"",ari.*****@*******.com,REMOVED FOR CONFIDENTIALITY,"",2021-03-29 14:40:36,2021-03-29 14:40:37,"",638741489,
79093,jsc**@*******.net,jsc**@*******.net,REMOVED FOR CONFIDENTIALITY,59886044,2021-03-30 04:02:16,2021-03-30 04:02:17,"",3358809358,

Really what is upsetting here is that the information has been readily and publicly available since the 5th of April. We have 2 cybersecurity programs that are sounding alarms for customers associated with this breach, yet their website is still online, accepting orders, and there hasn't been notice to customers as of yet, until they "confirm" the breach.

There are 79k+ records of a database out there, and the customers do have a right to know. This website should have been placed on a maintenance mode page as soon as the threads started popping up.
 
In addition to the information you provided above, I'll cross-post a blurb I did this evening on a different website discussing this same topic. That way the users of CGN can benefit as well from the information.

Good post, thanks again for your insights on this. I can handle a password and email breach. (happens all the time)

It's the address that makes me cringe (since it's a gun-related retailer); it's a bit worrisome for obvious reasons. I haven't found any evidence of other data yet (addresses, credit cards).
Hoping it was a low-level SQL injection.

All I can say is, CanAmmo really needs to secure their box. The last hop seems to be LunaNode Hosting. Secure your box...

Not shown: 983 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1500/tcp closed vlsi-lm
3306/tcp closed mysql
5432/tcp closed postgresql
35500/tcp closed unknown
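The scan summary above is the kind of artifact an operator should turn into a concrete exposure review rather than read by eye. The Python below is an added example, not code from the thread or from CanadaAmmo: it parses that same nmap table and sorts each port into "should not face the internet at all", "should be restricted to known source addresses", or "closed but reachable". The policy it applies (only 80 and 443 world-facing, 22 admin-only) is an assumption about a typical storefront host; if the mail services are deliberately hosted on the same machine, the allowlist is where that decision gets recorded. The distinction between closed and filtered is the practitioner's caveat: a closed port means the host answered with a RST, so the firewall is not dropping traffic to it, which matters for 3306/5432 if a database listener is ever started on that host.

```python
"""Review an nmap port-scan summary against what a web storefront should expose.

Added example: the scan text is the one quoted in the thread; the allowlist is an
assumed policy for a typical e-commerce host, not CanadaAmmo's actual policy.
"""
import re

SCAN_TEXT = """Not shown: 983 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1500/tcp closed vlsi-lm
3306/tcp closed mysql
5432/tcp closed postgresql
35500/tcp closed unknown
"""

PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered|closed\|filtered)\s+(\S+)"
)

# Assumed policy: a storefront exposes HTTPS (plus HTTP for redirects) to the world;
# SSH is for administrators and should be limited to known source addresses.
EXPECTED_OPEN = {80, 443}
ADMIN_ONLY = {22}


def parse_nmap(text):
    """Return (port, proto, state, service) tuples from nmap's human-readable table."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def review_exposure(entries, expected_open=EXPECTED_OPEN, admin_only=ADMIN_ONLY):
    """Bucket scan results for a hardening review.

    unexpected_open: listening services the policy does not allow on this host.
    restrict_source: allowed services that should be reachable only from admin IPs.
    reachable_closed: ports that answered RST, i.e. not dropped by the firewall,
                      so a future listener there would be exposed immediately.
    """
    report = {"unexpected_open": [], "restrict_source": [], "reachable_closed": []}
    for port, proto, state, service in entries:
        if state == "open":
            if port in expected_open:
                continue
            bucket = "restrict_source" if port in admin_only else "unexpected_open"
            report[bucket].append((port, service))
        elif state == "closed":
            report["reachable_closed"].append((port, service))
    return report


if __name__ == "__main__":
    for bucket, items in review_exposure(parse_nmap(SCAN_TEXT)).items():
        print(f"{bucket}: {items}")
```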
 
Not sure if there is a way to delete the address info from existing orders? Was able to change password and delete payment info/address in the profile. But no way to strip address info/recipient info from the orders.

I just tried as well with no success. It's more than just your address with the order history; it shows your PAL number, date of birth, etc. I just emailed them to see if there is a way to delete them.
 
CanAm, I would absolutely recommend calling your insurer -- you likely have some cyber security coverage with your policy. Most insurance firms have cyber security response teams that will provide expertise in dealing with situations like yours if you don't have the expertise in house.

Also, you guys should strongly consider proactively resetting passwords and dumping any PII you don't require. It is trivial for a bad actor to script turning the hashes into plain text, then tossing every email/pw pair they breach at your site and downloading saved addresses.

Let users re-add the PII when they purchase again.
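The scenario described in the post above, leaked email/password pairs being replayed against the site to pull saved addresses, is credential stuffing, and the proactive reset is the prevention side of it. The detection side is what the site's own login logs can show while the reset is rolling out. The Python below is an added example, not from the thread or from CanadaAmmo: it runs over a few constructed login-log lines (the `ip=... user=... result=...` format is assumed for the example) and flags any source address that attempts many distinct accounts inside a short window, listing which of those accounts it actually got into so they can be locked and their owners notified first.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example: the log format (ts ip=... user=... result=ok|fail) and every line
below are constructed for illustration; thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.5 is one customer mistyping once; 198.51.100.7
# walks through seven different accounts in twelve seconds and gets into one.
SAMPLE_AUTH_LOG = """2022-04-07T10:00:01Z ip=203.0.113.5 user=buck@example.invalid result=fail
2022-04-07T10:00:09Z ip=203.0.113.5 user=buck@example.invalid result=ok
2022-04-07T10:01:00Z ip=198.51.100.7 user=u1@example.invalid result=fail
2022-04-07T10:01:02Z ip=198.51.100.7 user=u2@example.invalid result=fail
2022-04-07T10:01:04Z ip=198.51.100.7 user=u3@example.invalid result=fail
2022-04-07T10:01:06Z ip=198.51.100.7 user=u4@example.invalid result=fail
2022-04-07T10:01:08Z ip=198.51.100.7 user=u5@example.invalid result=fail
2022-04-07T10:01:10Z ip=198.51.100.7 user=u6@example.invalid result=ok
2022-04-07T10:01:12Z ip=198.51.100.7 user=u7@example.invalid result=fail
"""


def parse_auth_log(text):
    """Return login events as (timestamp, ip, user, result), oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated log line; skip rather than fail the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: {"distinct_users": peak, "compromised": [users]}} for suspicious IPs.

    A stuffing run is many *different* accounts from one source in a short window,
    which is what separates it from a single customer retrying their own password.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start, peak = 0, 0
        for end in range(len(evs)):
            # slide the window forward so evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {e[2] for e in evs[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_users:
            # accounts the source actually entered: lock and notify these first
            compromised = sorted({e[2] for e in evs if e[3] == "ok"})
            findings[ip] = {"distinct_users": peak, "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

Whether the password hashes were weak or strong, the login endpoint sees the same pattern once leaked pairs are replayed, so this check is worth running on the log history back to the date the dump appeared, not only going forward.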
 