In April 2023, DataBreaches reported on an alleged incident involving TIC Hosting in Romania. No one from TIC Hosting ever responded to inquiries from this site, and inquiries to the data protection regulator for the country indicated that TIC Hosting had never reported any data protection incident to them. And that seemed to be the end of that until December, when DataBreaches was contacted again by the source for the original report. According to the source, TIC Hosting had rebranded to Torchbyte because the breach allegedly affected their business. “Now, to wash their negative image, they ask for positive reviews in exchange for additional benefits, which is against TrustPilot terms and conditions,” they wrote, asking me if I would update the article on them.
When asked what had happened after the first contacts in April and May, and whether TIC Hosting had ever been informed of the vulnerability or remedied it, the source replied:
They didn’t admit anything, they just said that the SSDs failed and that’s it. I tried to explain the vulnerability to them, but for a few weeks after the incident they became invisible, they stopped responding to anyone, in that period they probably thought of this rebranding to “wash” their negative image. As I told you a few months ago, somewhere around 300 active customers were affected at that time. Also, as I saw today with my group members, the vulnerability has not yet been fully resolved. There is a possibility of gaining access to their infrastructure again through the same vulnerability. They didn’t even bother to solve their problems, pathetic. I really feel bad for their customers.
But the source was right: if people felt that positive reviews would be rewarded by TorchByte, that appears to violate TrustPilot’s policies. So DataBreaches emailed TorchByte to ask if they had continued that offer. DataBreaches also viewed TorchByte’s ratings on TrustPilot, TrustPilot’s terms and policies, and their transparency report for TorchByte. DataBreaches also asked them to consider the issue raised by the source and to investigate if there was any merit to it.
After a number of delays, TrustPilot responded, in part:
Although I’m unable to provide specific details about any of our ongoing investigations, I can assure you that we take all reports of suspicious behavior seriously and we’ll look into torchbyte.com’s use of Trustpilot. If we find any reason to take action, we’ll do so.
We treat all whistleblower reports and our investigations as confidential, so once we open an investigation, privacy rules mean that we’re rarely able to provide details to parties other than those specifically being investigated. We understand that this can seem frustrating if you’ve submitted key evidence against a business or reviewer. However, because we have to comply with the laws in this area, we’ll only be able to provide limited updates. We do, however, appreciate your assistance.
Well, that sounded good, perhaps, but DataBreaches responded by asking them exactly what laws they felt would prevent them from providing information. Despite repeating the question, TrustPilot never replied by citing any laws that would prevent them from providing information on the results of an investigation. TrustPilot’s questionable answer notwithstanding, DataBreaches found no compelling evidence that Torchbye’s rating had been questionably inflated by their offer. There was one 5-star review submitted on the same date as the Discord post seeking reviews, but there was no other until January 23, 2024. But checking 1-star reviews, DataBreaches came across a verified review from August, 2022, in which the reviewer wrote, in part, “FAKE REVIEWS, offers services in exchange for reviews.” So how often has TorchByte offered services in exchange for reviews? If this is the second time, what is TrustPilot doing?
And will TorchByte get compromised again? It seems somewhat obvious that the person contacting DataBreaches has a gripe or issue with Torchbye. Why the animosity exists is unknown to DataBreaches, but with that level of persistence, Torchbyte customers may want to ask Torchbyte more about their security and whether they maintain and test usable backups that are protected from attack.
Another Hosting Company Also Suffers a Breach
Torchbye isn’t the only Romanian hosting firm DataBreaches was contacted about recently. On January 23, a message on Telegram began, “Hi, i would like to report a databreach.” The individual, who described himself as a former customer of ITITAN Hosting, provided DataBreaches with a screencap allegedly of a notice of the breach, and two files.
In machine translation, the screencapped message from an ITITAN admin called @IustyTitan read:
Unfortunately, the data of Node 2, node 3 and Node 4 have been deleted. Whoever was hosted on one of these nodes will receive 10 extra days at the host, free.
If you receive an email saying that your data is on the dark web, do not be scared. Your data is not public on the internet, the emails were sent with a tool for email marketing (I checked) to scare you.
Today we started to reinstall the affected dedicates and by tomorrow (inclusive) will be 90% of the services functional.
I apologize again for what happened!
The files provided to DataBreaches were an sql database and a directory of files. Both appeared to be real.
According to the former customer who received the email, the administrator locked the chat and banned him when he started asking questions about the breach.
He was not the only person to contact DataBreaches about this breach. DataBreaches received several emails from another individual. In addition to providing some of the same context the Telegram contact had related, the email correspondent, who described himself as being part of a discord scam checking team from Romania, wrote that customers also received a follow-up email, presumably from the attackers, giving them information on how to complain to the data protection authority about ITITAN Hosting.
“We got in touch with the administrator of the company and he confirmed everything that happened,” the contact wrote. “They think the servers were hacked by the competitors and they sent those emails to take down the company. After talking to them, they also announced it on the public announcement channel. From what I can see, they don’t want to publicly announce to their customers that they have the right to make a refund request (exactly as it says in their terms and services). A moderator on their discord server spoke to a customer and told him that no refunds will be offered. How would customers know that they can make a refund request as long as they don’t officially announce it?”
At the time that email was sent, ITITAN’s site was down. It has since been restored. DataBreaches does not know if ITITAN Hosting ever did officially announce the possible refunds on their discord, but their terms of service, as published on their website, read:
We offer a full refund only in the following situations:
- the contact data provided by the customer must be completely real;
- the problem is caused by our services and cannot be fixed (this will be determined by our team).
On January 25, DataBreaches sent email inquiries to iTITAN Hosting, including to their admin’s Gmail address. The email asked how many customers had their data destroyed, whether ITITAN had usable backups of client data, whether there were any extortion demands, and what ITITAN was doing in response to the incident and to mitigate harm to clients. There was no reply. DataBreaches also sent an email inquiry to the data protection regulator to ask whether ITITAN Hosting had notified them of what appeared to be a cyberattack that involved personal information of customers. The regulator has sent DataBreaches an acknowledgement of the inquiry but a substantive response has not been received yet.
This post will be updated when a reply from the regulator is received.
Updated February 19. The data regulator replied to the iTITAN Hosting inquiry, writing in part:
Up to now, following the internal checks, please be informed that the National Supervisory Authority for Personal Data Processing was not notified by the controller iTitan Hosting about the personal data breach nor did receive complaints from data subjects.
At the same time, we inform you that the aspects presented by you were retained in order to exercise the control powers of the supervisory authority.
As to the TorchByte incident, see this update with an explanation from the firm.