cageymaru

NCIX customer and employee data is allegedly available for sale as data brokers have purchased the servers, cracked the passwords in less than 5 minutes and are selling volumes of confidential customer and employee data for tens of thousands of dollars. Every single credit card record, address, business name, email address, phone number, IP address and unsalted MD5 hashed passwords; literally everything was allegedly saved on the servers when the company went bankrupt. Even the data from the air-gapped servers, data that was considered so confidential extra steps were taken to secure it from the outside world, has been copied and cataloged for sale to foreign and domestic entities. 13TB of data here, another 3 million records there and Travis Doering of Privacy Fly hadn't even scratched the surface of the data available for sale.

By this point I couldn't believe my eyes, the data I had seen today contained some of the most damaging and extensive records I had ever come across covering at least seventeen years of business transitions. Data breaches by external actors are common in today's digital world but what makes this set of data so damaging is that it contains every record NCIX ever held. Including their backup files which had been kept in a segregated air gapped machine that regardless of skill level no external attacker would have plundered.
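
Added example, not part of the original post or of the Privacy Fly article: with unsalted MD5, as described above, accounts sharing a password share a stored value, and the sketch below shows one way a store of such digests can be wrapped in salted PBKDF2 without knowing any plaintext. The account names, passwords, function names and iteration count are all constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def legacy_md5(password):
    """Unsalted MD5 hex digest, the storage format named in the post."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def wrap_legacy_hash(md5_hex, iterations=ITERATIONS):
    """Wrap a stored MD5 digest in salted PBKDF2; no plaintext needed."""
    salt = os.urandom(16)  # fresh salt per account
    derived = hashlib.pbkdf2_hmac("sha256", md5_hex.encode("ascii"), salt, iterations)
    return {"iterations": iterations, "salt": salt.hex(), "hash": derived.hex()}

def verify_wrapped(password, record):
    """Login check: MD5 the attempt, re-derive, compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", legacy_md5(password).encode("ascii"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))

def shared_hash_groups(table):
    """Groups of accounts whose stored value is identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def migrate(table, iterations=ITERATIONS):
    """Replace every legacy digest with its wrapped record."""
    return {user: wrap_legacy_hash(h, iterations) for user, h in table.items()}

# Constructed sample accounts, not real data.
LEGACY_TABLE = {
    "alice": legacy_md5("hunter2"),
    "bob": legacy_md5("hunter2"),
    "carol": legacy_md5("correct horse battery staple"),
}

if __name__ == "__main__":
    migrated = migrate(LEGACY_TABLE)
    print("identical legacy digests:", shared_hash_groups(LEGACY_TABLE))
    print("identical wrapped hashes:",
          shared_hash_groups({u: r["hash"] for u, r in migrated.items()}))
    print("alice can still log in:", verify_wrapped("hunter2", migrated["alice"]))
```

A wrapped record is normally replaced by a direct salted hash of the password at the user's next successful login, since the inner MD5 step adds no strength of its own.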
 
You missed the good stuff!

"From what Doering saw, the computers contained various papers and documents. Some of which even belonged personally to NCIX founder Steve Wu. According to Doering, he found “data going back 13 years, financial documents, employment letters containing SIN numbers”. This even featured personal documents and images of Mr. Wu’s family mixed in with numerous private photos of high end escorts from mainland China."
 
Why would the passwords matter now? Just for rubes who still have it on another site?
 
Great. I thought the recent uptick in spam from the email addy I used for my NCIX account was solely because my branding too weak, my insta-stories too big and my penis too small.
 
You missed the good stuff!

"From what Doering saw, the computers contained various papers and documents. Some of which even belonged personally to NCIX founder Steve Wu. According to Doering, he found “data going back 13 years, financial documents, employment letters containing SIN numbers”. This even featured personal documents and images of Mr. Wu’s family mixed in with numerous private photos of high end escorts from mainland China."
I didn't want to quote Travis's entire article, but that snippet WAS my original quote. I had to flip a coin in my head and the other quote won.
 
I don't remember what account I would have been using for NCIX let alone my password for it, going to change my passwords regardless it's been a while since I last updated them anyways.
 
All I can say is "Damn!" as a former regular customer of NCIX spanning many years of ordering. I wonder if all the data is out in the wild or not...
 
Even for a company going bankrupt, it seems that they didn't do anything close to due diligence to protect the data. Don't know much about Canadian Law but it would seem possible that the individual executive level employees might have some civil liability here for this data breach. If not the NCIX folks, the auction folks could be a target. Be interesting to see the auction listing where this stuff was sold to see if the data was part of the deal or just along for the ride.
 
Even for a company going bankrupt, it seems that they didn't do anything close to due diligence to protect the data. Don't know much about Canadian Law but it would seem possible that the individual executive level employees might have some civil liability here for this data breach. If not the NCIX folks, the auction folks could be a target. Be interesting to see the auction listing where this stuff was sold to see if the data was part of the deal or just along for the ride.
The company execs or management would not have handled that. It would have been a court appointed handling company.

Looking things up, it seems Able Auctions handled liquidating the NCIX assets. http://bid.ableauctions.ca/NCIX-Richmond-Auction_as51658?ps=100
 
FFS. :mad: Well at least my old card expired and my new one has a different security code
 
well isn't this a find how do you do.

good thing i only spent around 40 grand there.

I used to work there. Apparently our SIN numbers are on there so what can we do about that?

quote from the LTT forums.

wow. WU really fucked the dog here.
 
I've bought stuff from them a long time ago. It's probably been at least 10 years? Hell, I can't remember.
Every password I have is unique. My password challenges (what high school did you go to) are random crap and unique. I'm good there.
Credit card? Hmm...I know some of mine have been reissued due to other breaches. My expiration for certain would be different (although I don't count that as a security feature).
 

apparently it was.

https://linustechtips.com/main/topic/974112-ncix-data-breach-2018/?page=1
 
I've bought stuff from them a long time ago. It's probably been at least 10 years? Hell, I can't remember.
Every password I have is unique. My password challenges (what high school did you go to) are random crap and unique. I'm good there.
Credit card? Hmm...I know some of mine have been reissued due to other breaches. My expiration for certain would be different (although I don't count that as a security feature).
That isn't so much the problem. The problem is phone numbers and email addresses being sold to spammers and scammers.
 
If you're spear-phishing someone, getting additional passwords they used can turn into a pattern to predict future passwords. Not all value in such things is immediately realised.

In order to guard against such things, one must think how to do it to the nth degree + 1. Always get better than any potential threat you could face 5+ years away.

Why would the passwords matter now? Just for rubes who still have it on another site?
 
I ordered 2 items from NCIX in 2013, anything I can/should do now? This implies all of my personal info is out there. It seems like the cc# would not be a risk since it would have already expired.
 
Here's hoping the ex-execs get loads of legal backlash over this.
 
Here's hoping the ex-execs get loads of legal backlash over this.

Nobody's going to do shit to them.

Yet those same former execs will perform the double bird salute, while goatseing their rumps at the rest of the herd with complete impunity.

EXEXEC USES TROLL GRIN!

ITS SUPERDUPERWOOPERCROUPER EFFECTIVE!
 
That's a bummer, Ncix.ca was my go to site from 2011 to 2016. I loved their online price matching.
I have over 200 emails from ncix in my mailbox, not all of them are invoices but I must have at least over 75 orders with them over the years.
At least my CC that I used with them expired in 2017 and the password I used with their site was unique.
Still not happy that my info is out there.

edit: from https://www.eteknix.com/ncix-database-servers-sold-craigslist-without-wiped/amp/
 
Here's hoping the ex-execs get loads of legal backlash over this.

From what I understand, NCIX did not sell this data or servers, they were confiscated for not paying rent etc and the landlord knew about the data and servers and was selling them off to recover owed rent. The deals were also very shady and they KNEW what they were doing, as they were "renting" out the room with the servers in them, and allowed whoever access to it, at the price of $15k a pop, in other words, they were not selling the data, they were just renting an expensive room, that just happened to have the servers and data in it with all the means needed to copy the data....What you did with your room rental time is up to you...

To me, that is the landlord etc that needs to have the law come down like a hammer on.
 
Meh right before NCIX went bankrupt people on the forums were giving away points like crazy. I got something like 10,000 points enough to get a nice power bank for free. Suck it NCIX.
 
I ordered 2 items from NCIX in 2013, anything I can/should do now? This implies all of my personal info is out there. It seems like the cc# would not be a risk since it would have already expired.

You must change all of your personal info. Change your passwords, replace your credit cards, change your email address, get a new phone number, move, change your marital status, change your name, get a sex change, change your date of birth, etc..
 
From what I understand, NCIX did not sell this data or servers, they were confiscated for not paying rent etc and the landlord knew about the data and servers and was selling them off to recover owed rent. The deals were also very shady and they KNEW what they were doing, as they were "renting" out the room with the servers in them, and allowed whoever access to it, at the price of $15k a pop, in other words, they were not selling the data, they were just renting an expensive room, that just happened to have the servers and data in it with all the means needed to copy the data....What you did with your room rental time is up to you...

To me, that is the landlord etc that needs to have the law come down like a hammer on.

NCIX left it all unencrypted.
 
NCIX left it all unencrypted.

That's like telling the cops "but they left their front door unlocked, that's why I stole everything". Poor security measures from NCIX? Sure, but they didn't sell the data, the servers were "cracked" and the data was willfully sold, knowing full well what they were doing.
 
Meh right before NCIX went bankrupt people on the forums were giving away points like crazy. I got something like 10,000 points enough to get a nice power bank for free. Suck it NCIX.
Were any of them mine?

I gave away like 30000.

Was saving for shit loads of free shipping.
 