Login database at your store hacked?

Status
Not open for further replies.
Sh*t happens, but I’m not impressed that we’re told to delete our personal information from our account yet it still has all that information in our order history.

It's also a case of closing the barn door afterwards. If our address information has been grabbed, as it appears at this point to have been, then deleting your personal information isn't entirely pointless but not much of a solution.

I'd go atomic on CA -- and I am less than impressed with their response of not removing the database of customers until improvements can be made -- but I've found that businesses in general seem to nod and smile when it comes to the security of the information they collect.

A good example was a recent conversation I had with my doctor's office. They moved to a new outsourced "solution" in which, when you need new prescriptions or renewals of existing ones, you log into this third-party company's web site. And unsurprisingly the web site's database contains names, addresses, credit card information and current prescriptions. I decided to deep dive into the third-party company and according to their privacy policy, my information could potentially be accessed by contractors hired by the company to maintain systems, etc. Those contractors aren't named.

So when I explained to the doctor's office that potential points of intrusion now included the third party and unknown independent contractors, they responded, "Oh my, we'll bring that up to the doctor!"

No, I have not heard back from the doctor's office since that conversation two months ago. I am sure, however, that they will be very apologetic if the third-party company or any of those contractors are used as intrusion points to capture medical information -- one of the top targets of black hats these days.
 
We will likely purge the entire customer database ASAP. Secure the site then start customers fresh once secure.

I will post news as I have it

104 hours and counting since the breach was posted online, almost 64 hours since this thread began... still up and accepting orders like nothing is happening? There are protocols and rules that must be followed when a data breach has been identified. If your IT team is dictating what should be done right now, maybe you should consult a cyber security consultant?

Step 1: Notify CSIS, CFO, and your Insurance Agent about the cyber attack
Step 2: Take a current backup of all your data and server files including logs
Step 3: Take down your website and post a notice that there's been a breach and you're working to contain it
Step 4: Call your Web Vendor and get your website and web server updated and not running on 3+ yr old technology
Step 5: E-mail directly all addresses in your DB that this is happening and to change their information right away

This all should've been done no later than the working day of April 7th when this was starting to hit the industry. When you use this data online for customers, you have an obligation and a legal responsibility to secure this ASAP.
 
NAS Guns & Ammo speaking out regarding the situation

NAS Data Integrity & You

At NAS Guns we take Data Integrity very seriously. After seeing reports of multiple data breaches within the past couple of weeks from Canadian websites related to the firearms industry, we have decided to increase our efforts.

This evening we have deleted the huge majority of our customer personal information relating to their accounts. We are going to continue working towards purging the database of this information over the coming days.

For the foreseeable future we will no longer be accepting or storing any information relating to PAL information for any orders.

We apologize for the inconvenience in this matter, however we do not want to risk any individual's personal data being exposed to nefarious individuals on the internet.

Due to the amount of data being distributed on the internet of Canadian firearms owners, we recommend you change the passwords to all your accounts, and ensure they are not the same passwords used elsewhere.

Since 2013, our main IT guy (Jeff) has been keeping customer data integrity a focus of his role, and ensuring that the data is secure and also kept within Canadian servers. For almost a decade he has been consistently able to accomplish this task and as a company we are encouraging proactive and preventative IT maintenance in regards to all customer data.

Please bear with us over the next few weeks while we continue to increase our cyber security protocols and ensure the protection of your data.

If you have any questions or concerns on how data is contained, you can email info@nasgunsandammo.com or email Jeff directly at jcardoso@nasgunsandammo.com

This issue within our industry has caused a few delays in our normal business operations, including CornHub Drawing. We are prioritizing your security first, so we do apologize for other aspects of our business being lagged as a result.

Thank you for your understanding,

Jeff, Dave, and the entire NAS Crew!
 
Canada Ammo sent me an email informing me they've been hacked. I immediately erased all my info in my account and changed my password. Unfortunately they have no procedure to delete the account. I very seldom buy at Canada Ammo, they never have any stock...
 
Tomorrow will be a week since I first started this thread.

And today is a week since the database was found to have been leaked.

Any updates for us from the CanadaAmmo IT team?
 
Come on CA, some information would be nice here.
Any barely competent IT guy with access to the database can back up and flush the fields that are needed to flush the information.

Ex. why is my PAL number saved on the orders? I know that information, it should not be displayed on the site at all!
 
Here is some information I have put together based on the compromised data I pulled off some hacking sites regarding this breach. CanadaAmmo should really have provided this information, but since they appear to be staying pretty quiet on the subject I am posting it for informational purposes only. Standard disclaimer applies.

- The data appears to have been stolen in early 2021 - probably some time in late March or early April. My best guess would be March 28 of 2021.
- There are 78746 records in the database. Some of that -- 300 to 400 records -- is just noise and evidence of injection attacks.
- The data contains:
  - a unique numeric "id" field ranging from 1 to 79093
  - a unique "username" field that is mostly blank but in some cases corresponds to the part of your email address to the left of the @ symbol
  - a unique "email" field containing email addresses
  - a hashed "password" field. It looks as though different hashing algorithms have been used over the years based on the different formats, but it seems to have settled sometime in 2013. Prior to that it looks as though 2 different hashing algorithms were used. It looks like they started off with SHA1, switched to Blowfish / bcrypt, and currently use MD5.
  - in some cases a numeric "reset_pin" field
  - "registration_date" and "last_login_date" date fields
  - a "confirmation" field (it's blank for everyone)
  - a field called "ip" which is not unique to each user. It is a string of digits that doesn't correspond to anything obvious but might be a mapping of an IP address to a geo-location. It does not appear to map to PAL numbers.
  - a "role_id" field which is blank for customers but appears to have some sort of correspondence with CanadaAmmo employees and possibly vendors, suppliers, etc. (ranges from 0 to 3, and blank). There are only 47 records associated with a role_id. The rest (customers) are blank.

An examination of the leaked data shows that a number of injection attacks have been tried over the years -- going as far back as 2013 and then picking up again in 2017, and pretty steady up until 2021. I suspect one of these 2021 attacks -- the one on March 28 -- is the attack that succeeded.

It also looks like the database was developed by a company called "Chili Code Solutions", based on the first few entries in the database, and the associated role_id fields.

The compromised data is easily found on some common hacking sites as well as being all over the dark web.

I certainly hope that CanadaAmmo has consulted a lawyer specialising in these sorts of data breaches. I also hope that they have adequate insurance to cover losses due to cyber attacks, etc.

A few obvious recommendations are that:
- Users / customers should change their passwords. Passwords should be unique, different from any other site, contain a mix of upper, lower, numbers, and special characters.
- Users / customers should delete any saved payment card information. It doesn't look as though that information was compromised in this breach, but ... there is no legit reason to save payment data for the vendor or for the customer. Just type it in again when you buy something and use a password manager / data wallet to store that information to make it easy to re-enter.
- Users / customers should contact CanadaAmmo to let them know of any of their costs incurred in dealing with this breach.
- CanadaAmmo should really have some Cybersecurity professionals working on this, as well as the RCMP. Hopefully that's the case.
- If the developer of the application and database is still in business, they should be engaged in order to do an in-depth analysis, probably led by an independent Cybersecurity Professional, of how their code was compromised and to remediate the vulnerabilities that are identified. The developer of the application should also be held accountable and responsible.
- CanadaAmmo should also be completely transparent with us. In this day-and-age there is NO reason to bury your head in the sand. Tell us everything.
- CanadaAmmo should be prepared to provide some kind of remediation and compensation to anyone who has had out-of-pocket expenses due to this incident.
- CanadaAmmo should be providing updates about the breach on a dedicated source -- like here or on a dedicated web page.
- CanadaAmmo should hire a company to do periodic penetration tests on their infrastructure, or to at least review their infrastructure. At least twice a year but ideally every time changes are introduced. Any change to a system is an opportunity to introduce a new vulnerability.
- CanadaAmmo should invest in some intrusion detection and prevention technology.
- EVERYONE should practice good security. It's not very effective to close the barn doors after the horses have bolted.
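The post above describes a user table whose "password" column mixes SHA1, bcrypt and MD5 values accumulated over the years, plus a few hundred rows that are only injection noise. As an added example (not code from the thread or from CanadaAmmo), here is the kind of audit a site operator can run over their own user table to find legacy unsalted hashes that need to be re-hashed on next login and to separate probe rows from real accounts. The column names follow the post; the rows, the format heuristics and the `PROBE_RE` pattern are my own assumptions.

```python
import hashlib
import re
from collections import Counter

# bcrypt strings are 60 chars: $2a$/$2b$/$2y$, a two-digit cost, '$', then 53 chars of the bcrypt alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)

# Crude heuristic for rows that are SQL-injection probes rather than accounts
# (assumption: a real customer email never contains these tokens).
PROBE_RE = re.compile(r"('|--|;|\bunion\b|\bselect\b|\bor\s+1\s*=\s*1\b)", re.I)


def classify_hash(stored: str) -> str:
    """Classify a stored password value by its shape. Hex length alone cannot
    prove the algorithm (any 128-bit digest is 32 hex chars), so this is a heuristic."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if HEX_RE.match(stored):
        if len(stored) == 32:
            return "md5-unsalted"
        if len(stored) == 40:
            return "sha1-unsalted"
    if stored == "":
        return "empty"
    return "unknown"


def looks_like_injection_probe(value: str) -> bool:
    return PROBE_RE.search(value) is not None


def audit(rows):
    """Tally hash formats, list ids whose hashes must be upgraded, and list probe rows."""
    counts = Counter()
    needs_rehash = []
    probes = []
    for row in rows:
        if looks_like_injection_probe(row["email"]):
            probes.append(row["id"])
            continue  # noise rows do not count toward the hash-format tally
        kind = classify_hash(row["password"])
        counts[kind] += 1
        if kind in ("md5-unsalted", "sha1-unsalted"):
            needs_rehash.append(row["id"])
    return {"counts": dict(counts), "needs_rehash": needs_rehash, "probes": probes}


# Constructed sample rows (not taken from the leaked data) using the column names the post lists.
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@example.com", "password": hashlib.sha1(b"password").hexdigest()},
    {"id": 2, "email": "bob@example.com", "password": "$2b$12$" + "a" * 53},  # bcrypt-shaped placeholder
    {"id": 3, "email": "carol@example.com", "password": hashlib.md5(b"password").hexdigest()},
    {"id": 4, "email": "' OR 1=1 --", "password": ""},                        # an injection probe, not a user
    {"id": 5, "email": "dave@example.com", "password": "$2y$10$" + "b" * 53},
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

The practical follow-up for an operator is to force a password reset (or re-hash transparently at next successful login) for every id in `needs_rehash`, and to treat the probe rows as evidence worth keeping for the incident timeline rather than silently deleting them.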
 
Never had any data stolen, at least I think so. Although I have a lot of large datasets and encrypted passwords, I am always saving all the data on an external HDD; I do not keep these data on my PC. I use a lead enrichment tool to gather the data and process them; gladly there are lots of tools for automated processing so it's not taking me that much time. So, keep the data off your PC and encrypt them to keep them safe.
 
A note about hashes. A lot of the messages in this thread are people upset that their passwords have been compromised. They really haven't. Sort of. The passwords look as though they are stored as a hash, which is NOT encryption. It means that they cannot be decrypted. Instead, a mathematical transformation was run against the string (the password) and a unique identifier was the output (the hash). There is no way to go backwards ... to generate the original input from the output. In order to "crack" your password the malicious actor would have to use a dictionary attack which runs the hashing transformation against words in a dictionary and compares the output hash value to the hashed value of your password. This can take a very long time. The more complex your password is, the harder it is to run a dictionary attack.

Encryption and hashing can be combined to make it even harder for the bad guys.

You should consider:
- use unique passwords for each website
- use a long, complex password -- as long and complex as the site will allow, using lower, upper, numbers, and special characters
- use a password manager to store and generate your passwords -- there is NO reason why you even need to know your passwords when a password manager can do all that for you
- passwords should be changed periodically -- even changing a single character in your password will generate a completely different hash
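As an added example (not code from the thread), the following shows the three points the post makes about hashes: a hash cannot be reversed, so a site verifies a login by re-hashing the supplied password and comparing; changing a single character produces a completely different digest; and a slow, per-user-salted hash is what makes guessing expensive, whereas an unsalted fast hash such as MD5 gives every user with the same password the same stored value. The storage format string and the iteration count are my own assumptions, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed value: high enough that each guess costs real CPU time


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def unsalted_md5(password: str) -> str:
    """The weak legacy scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def avalanche_bits(digest_a: str, digest_b: str) -> int:
    """Count how many bits differ between two hex digests of equal length."""
    return bin(int(digest_a, 16) ^ int(digest_b, 16)).count("1")


def hash_password(password: str, salt=None) -> str:
    """Store as 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' (assumed format).
    A fresh random salt per user means two users with the same password get
    different records, so one cracked hash tells an attacker nothing about the other."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same transformation and compare in constant time; nothing is decrypted."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # One changed character flips roughly half the bits of the digest.
    print("bits changed by adding '!':", avalanche_bits(sha256_hex("Passw0rd"), sha256_hex("Passw0rd!")))
    # Unsalted MD5: two users, same password, identical stored value.
    print("md5 equal for two users:", unsalted_md5("Passw0rd") == unsalted_md5("Passw0rd"))
    # Salted PBKDF2: same password, different stored values, both still verify.
    rec1, rec2 = hash_password("Passw0rd"), hash_password("Passw0rd")
    print("pbkdf2 records differ:", rec1 != rec2)
    print("login check:", verify_password("Passw0rd", rec1), verify_password("Passw0rd!", rec1))
```

The avalanche count is why the post's last bullet holds: a password that differs by one character produces a digest unrelated to the old one, so a leaked hash of the old password reveals nothing about the new.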
 