On April 30, 2023, DataBreaches reported an alleged data breach involving TorchByte (formerly known as Tic Hosting Solutions). At the time, DataBreaches had been unable to reach the firm, and the Romanian data protection authority informed DataBreaches that it had received no report of any breach from the firm. But the screenshots provided to this site by a third party seemed to suggest that something had happened, although what happened seemed to be in dispute.
DataBreaches reported again on February 6 after the same source for the original story contacted this site again. This time, with the help of Daniel-Alexandru Munteanu, we were able to get a response from TorchByte, who claimed they never got our original inquiries and apologized for the delay in responding. The following is a statement sent to DataBreaches by Stefan Straton in response to the allegations covered in the two articles:
First of all, the vulnerability was a misconfigured PHP server that leaked database credentials for our beta VPS management platform, which were then used to extract a copy of said database. Thankfully, the threat actors were not able to use the authentication tokens for the virtualization nodes present in the database because our firewall rejected external traffic. Also, as soon as we received a copy of our database from, possibly, one of the attackers on Discord, we sent a notice to DNSC (Romanian national cyber security and incident response team) via email and we confirmed that the personal data included in the leak was nothing more than 45 email addresses and usernames of people that participated in the beta.
In follow-up correspondence, Stefan Straton added that they had notified DNSC one or two days after the database was posted on a public forum and they discovered the post’s URL. Straton says that the firm never received any reply from DNSC, and at that time did not think they should have reported the same incident to multiple authorities.
Straton also provided more details to explain what had been submitted to DataBreaches:
The explanation we were able to find for the screenshot of the administrative panel is that the threat actors used a browser extension such as ModResponse [1] (URL attached) to spoof HTTP responses from our API using the extracted database, as there were no unusual logins into any of the administrator accounts.
Access to the database was gained a few weeks before our UPS failed and corrupted our disks. It seems that the attackers waited for the right time to announce their presence, making it look like they were the ones to damage our systems. The UPS that failed that day was known to cause problems, as it would also cause some of our servers to restart when under higher loads and a UPS replacement was meant to be done by our colocation provider. Unfortunately, the replacement was not done soon enough.
The vulnerability was fixed before we got the management platform back up.
In response to the third party’s comment that the vulnerability was still not fully resolved, Straton wrote:
We confirm that there were many attempts to use the same vulnerability since then, but they were not successful and the IP addresses where the HTTP requests originated from were reported to their ISP.
Data recovery was done for 75-80% of the affected services thanks to the off-site backup being recent enough for our customers to be willing to restore it. Customers who were not happy with the backups available / newer customers that have not been through a backup at that time (back then, these off-site backups were done weekly) were helped by us to recreate their lost data (such as websites and plugins for game servers). Nonetheless, all services offered by us were extended by 14 days free of charge.
Also, we have never asked our customers to leave fake, positive reviews on our Trustpilot page. In the screenshot presented on your website, we were offering all reviewers (positive and negative) a reward for their time. We understand that this was wrong and may have influenced opinions when writing reviews and will refrain from doing similar things in the future.
DataBreaches asked Straton whether they thought the third party who was contacting this site was a competitor or someone with a grudge. He declined to speculate.