Hack on PS and Xbox attackers leaks DDoS customers’ plaintext passwords

It's payback time for the group that knocked the Sony PlayStation and Microsoft Xbox networks offline in December. First came the report Friday morning that a UK man was arrested in connection with the distributed denial-of-service attacks, making him at least the second person to be detained in an ongoing investigation. Now comes word the customer database Lizard Squad members maintained as part of their DDoS-for-hire service has been breached, spilling details on more than 14,241 users.

But the comeuppance doesn't end there. According to KrebsOnSecurity reporter Brian Krebs, who broke the story about the compromised database, all registered names and passwords were stored in plaintext. The cache shows that customers deposited $11,000 in bitcoins to pay for attacks on thousands of Internet addresses. The information will no doubt prove interesting to members of rival gangs and law enforcement agencies around the world.

The database was tied to LizardStresser[dot]ru, a so-called stresser or boot service ostensibly available to test a website's resistance to attacks. In the vast majority of cases, such sites are nothing more than fronts for DDoS services. According to Krebs, the December attacks on the PlayStation and Xbox networks were designed to be advertisements promoting the service. Given the breach that has now leaked potentially sensitive customer information that was left woefully unprotected, it's safe to assume any buzz in underground markets surrounding the LizardStresser service is over.
