DataBreaches.Net

“Not a creature was stirring” – well, except Chris Vickery

Posted on December 30, 2015 by Dissent

Three Lock Box is a construction escrow agency in Las Vegas. And while the name “lock box” might suggest security, unfortunately, they had a MongoDB installation reachable from the internet without authentication. The database exposed records for over 90 escrow accounts holding several million dollars in available funds.

Chris Vickery uncovered the leaky database and contacted them immediately on December 24th, concerned that an attacker with the same access could write to the database to add payees or change the admin’s password. Chris tells DataBreaches.net:

… even though the “normal” users’ password hashes are bcrypt-hashed, they completely forgot to hash the password if someone resets their password. The result is that many of these accounts have plaintext exposed passwords.
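The bug Chris describes is a single code path that skips the hashing the rest of the application does. The following is an added example (not code from the post or from Three Lock Box) showing the buggy reset handler beside a fixed one, plus the audit check a practitioner would run over a users collection to find records whose password field is not a recognised hash. Because bcrypt is not in the Python standard library, scrypt from hashlib stands in for it in the fixed path (an assumption of this example); the audit still accepts real bcrypt strings, since that is the format the site’s normal accounts used. The sample records are constructed, not data from the exposed database.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Iterable, List

# bcrypt modular-crypt format: "$2b$12$" + 22-char salt + 31-char hash.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Self-describing scrypt string used by THIS example as a stand-in for bcrypt.
SCRYPT_RE = re.compile(r"^\$scrypt\$n=\d+,r=\d+,p=\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")


def hash_password(password: str, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Salted, slow hash. stdlib scrypt stands in for bcrypt (example assumption);
    the property that matters is the same: a random per-user salt and a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return "$scrypt$n=%d,r=%d,p=%d$%s$%s" % (
        n, r, p,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Check a password against a string produced by hash_password()."""
    if not SCRYPT_RE.match(stored):
        return False  # plaintext or unknown format never verifies
    _, _, params, salt_b64, digest_b64 = stored.split("$")
    kw = {k: int(v) for k, v in (kv.split("=") for kv in params.split(","))}
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt, n=kw["n"], r=kw["r"],
                            p=kw["p"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def reset_password_vulnerable(user: Dict[str, str], new_password: str) -> None:
    """The defect described in the post: signup hashes, but the reset path
    writes what the user typed straight into the record."""
    user["password"] = new_password


def reset_password_fixed(user: Dict[str, str], new_password: str) -> None:
    """Every write to the password field goes through the same hashing routine."""
    user["password"] = hash_password(new_password)


def find_plaintext_credentials(users: Iterable[Dict[str, str]]) -> List[str]:
    """Audit: return emails of records whose password field is not a recognised
    hash. A missing field or anything failing both patterns is treated as plaintext."""
    flagged = []
    for u in users:
        pw = u.get("password") or ""
        if not (BCRYPT_RE.match(pw) or SCRYPT_RE.match(pw)):
            flagged.append(u["email"])
    return flagged


def sample_users() -> List[Dict[str, str]]:
    """Constructed records standing in for documents in a users collection."""
    return [
        # a properly bcrypt-hashed account (hash string constructed for the example)
        {"email": "alice@example.com",
         "password": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"},
        # an account whose reset went through the buggy path
        {"email": "bob@example.com", "password": "hunter2"},
    ]


if __name__ == "__main__":
    users = sample_users()
    print("plaintext before fix:", find_plaintext_credentials(users))
    reset_password_fixed(users[1], "correct horse battery staple")
    print("plaintext after fix:", find_plaintext_credentials(users))
    print("verify ok:", verify_password("correct horse battery staple", users[1]["password"]))
```

The audit is the part worth keeping: run it against every record, not a sample, since the buggy path only affects accounts that happened to use reset. Note that the regex check proves only that the field looks like a hash, not that the hash was computed from the right input; a code review of every write to the field is still needed.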

Chris’s notification to them, by email and phone, resulted in a quick call back from the firm, which left Chris with the impression that the database would be secured immediately. But when the database was still not secured by the end of the day, Chris found the owner’s home phone number and woke him up at 2 am (Chris is nothing if not passionate and determined about security!).

“I am incensed that they had all day to put some sort of authentication on it, but failed to do so,” Chris tells DataBreaches.net. Despite owner Noah Allison’s assurance that no money would be moving through the web site at that time, Chris says he informed him that his entire business was at risk: the keys to the admin kingdom, all of his client contact details, all the contract documents, W-9 filings, bank account numbers, routing numbers, and many plaintext passwords of his clients were all up for grabs.

Twenty minutes after that middle-of-the-night call, the database was secured.
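For reference, what “putting some sort of authentication on it” looks like in a mongod configuration file (the YAML format introduced in MongoDB 2.6). This is an added illustration, not the configuration Three Lock Box ran or the fix they applied; the post does not say which two layers they configured. The weak fragment shows the upstream default before MongoDB 3.6 (bind to every interface, no authorization), the corrected fragment the conventional pair of network restriction plus mandatory authentication:

```yaml
# Weak: as an exposed instance is typically found. Listens on every interface
# (upstream mongod default before 3.6) and has no "security" section, so
# authorization is disabled and any client that can reach the port has full access.
net:
  bindIp: 0.0.0.0
  port: 27017

# Corrected: two independent layers.
# 1. Network: only the loopback (or the private interface the app server uses)
#    accepts connections; a host firewall rule on 27017 backs this up.
# 2. Authentication: every client must log in as a user with an assigned role.
#    Create the first admin user (db.createUser in the admin database) before
#    turning this on, or you lock yourself out as well.
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
```

After restarting mongod, confirm from an outside host that the port no longer answers, and from the application host that an unauthenticated connection is refused for anything beyond the login handshake; both checks take seconds and are the difference between “configured” and “secured”.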

DataBreaches.net asked Three Lock Box for a statement. Shuli Cheng, IT Manager, responded. He states that after speaking with Chris earlier in the day, the firm immediately proceeded to contract a technology provider.

“The shortened Christmas Eve workday added to the challenge of reaching someone who was qualified and available,” Cheng says. “After many phone calls and work sessions, we successfully configured two layers of security by 3:00am PST. A faster turnaround time would have been more desirable.”

Chris’s phone call to Noah at 2 am on Christmas morning was “unexpected given our previous conversation, but still very much appreciated,” Cheng added, also confirming Chris’s claim about what was exposed and at risk.

The firm investigated the incident and found that the leak may have occurred back in early September, when they migrated the database onto its own server.

“For the sake of completeness,” Cheng says, they reviewed access logs going back six months.

Preliminary results for that time span revealed 17 unique IP addresses across 5 unique parties connecting on multiple occasions for a duration of more than 20 seconds. Cheng says they are suspicious of connections from steadfast.net IP addresses and Amazon AWS addresses.

“We are currently unsure of the malicious intent of the linode.com node since we have also utilized linode servers for other activities that may have resulted in a brief test run on this database instance,” Cheng tells DataBreaches.net.
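The review Cheng describes (which sources connected, how often, and for longer than 20 seconds, with the firm’s own hosts set aside) can be done directly from the mongod log, since each accepted connection and its end are logged with a connection id. The following is an added example, not the firm’s tooling or method: it pairs the two lines by connection id, computes the duration, and reports sources with at least one connection over a threshold, skipping an allowlist of networks you own (the linode case above). It assumes the 3.x-style log line format shown in the constructed sample lines; the addresses are documentation ranges, not the ones the firm saw.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# mongod 3.x log line format assumed here:
#   <timestamp> I NETWORK  [initandlisten] connection accepted from <ip>:<port> #<id> (...)
#   <timestamp> I NETWORK  [conn<id>] end connection <ip>:<port> (...)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[initandlisten\] connection accepted from "
    r"(?P<ip>[0-9.]+):\d+ #(?P<conn>\d+)"
)
END_RE = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[conn(?P<conn>\d+)\] end connection (?P<ip>[0-9.]+):\d+"
)

# Constructed sample log: one 31 s connection, one 2 s probe followed later by a
# 45 s session from the same address, and a 60 s session from "our own" host.
SAMPLE_LOG = [
    "2015-09-03T04:12:09.512+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.10:51234 #7 (1 connection now open)",
    "2015-09-03T04:12:11.000+0000 I NETWORK  [initandlisten] connection accepted from 198.51.100.7:40001 #8 (2 connections now open)",
    "2015-09-03T04:12:13.250+0000 I NETWORK  [conn8] end connection 198.51.100.7:40001 (1 connection now open)",
    "2015-09-03T04:12:41.003+0000 I NETWORK  [conn7] end connection 203.0.113.10:51234 (0 connections now open)",
    "2015-09-03T09:00:00.000+0000 I NETWORK  [initandlisten] connection accepted from 192.0.2.5:33000 #9 (1 connection now open)",
    "2015-09-03T09:01:00.000+0000 I NETWORK  [conn9] end connection 192.0.2.5:33000 (0 connections now open)",
    "2015-09-04T01:30:00.000+0000 I NETWORK  [initandlisten] connection accepted from 198.51.100.7:40002 #10 (1 connection now open)",
    "2015-09-04T01:30:45.500+0000 I NETWORK  [conn10] end connection 198.51.100.7:40002 (0 connections now open)",
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def connection_durations(lines: Iterable[str]) -> List[Tuple[str, Optional[float]]]:
    """Pair each accepted connection with its end line by connection id and
    return (source ip, seconds). Connections with no end line (still open, or
    the log was truncated) get duration None."""
    open_conns: Dict[str, Tuple[str, datetime]] = {}
    done: List[Tuple[str, Optional[float]]] = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            open_conns[m.group("conn")] = (m.group("ip"), parse_ts(m.group("ts")))
            continue
        m = END_RE.match(line)
        if m and m.group("conn") in open_conns:
            ip, opened = open_conns.pop(m.group("conn"))
            done.append((ip, (parse_ts(m.group("ts")) - opened).total_seconds()))
    done.extend((ip, None) for ip, _ in open_conns.values())
    return done


def suspicious_sources(lines: Iterable[str], min_seconds: float = 20.0,
                       allowlist: Iterable[str] = ()) -> List[Tuple[str, int, int, float]]:
    """Sources with at least one connection longer than min_seconds, as
    (ip, total connections, long connections, longest seconds), sorted by ip.
    Addresses inside any allowlisted network (your own hosts) are skipped;
    connections of unknown duration are counted as long, to be conservative."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    stats = defaultdict(lambda: {"connections": 0, "long": 0, "max_seconds": 0.0})
    for ip, secs in connection_durations(lines):
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        s = stats[ip]
        s["connections"] += 1
        if secs is None or secs > min_seconds:
            s["long"] += 1
        if secs is not None:
            s["max_seconds"] = max(s["max_seconds"], secs)
    return sorted((ip, s["connections"], s["long"], s["max_seconds"])
                  for ip, s in stats.items() if s["long"])


if __name__ == "__main__":
    for row in suspicious_sources(SAMPLE_LOG, allowlist=["192.0.2.0/24"]):
        print("%-16s connections=%d long=%d longest=%.1fs" % row)
```

Short connections are worth keeping in the count even though they are not flagged: a two-second probe followed days later by a long session from the same address is the pattern of an indexer or a scanner that came back, which is more informative than either connection alone. The duration threshold is the firm’s own choice of 20 seconds and is a heuristic; a dump of a small database can finish faster than that.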

The firm plans to notify its clients in writing of the breach (that’s how they referred to it) and reassure them that money does not move through their system. “We manually approve and initiate ACH transfers via our banking institution’s platform.”

Three Lock Box intends to send notification letters by postal mail to its clients within one business day of completing more testing of their security, including penetration testing, and patching their server.


1 thought on ““Not a creature was stirring” – well, except Chris Vickery”

  1. J. Tate says:
    December 30, 2015 at 12:59 pm

    I sincerely appreciate the work you’re doing. We have been doing similar work in regards to getting companies more aware of the lackluster configurations on their information systems that make them low-hanging fruit for persons with malicious intent. We, however, run into the same apprehension that you do: when it comes to “owning up” to some of these finds, companies play a very unique game to ensure minimum negative attention. Which is why I believe the approach should go a bit higher in certain circumstances, at the Federal, Commerce or Regulatory Compliance level. The end is not approaching with regards to these finds, and we would love to share our findings with you in tandem with assisting forensically to identify the ownership of the finds you have identified.
