A message, placed there by a hacker, warned that Helix had been hacked and its operator had been given the option to either pay a ransom or face the personal details of his subscribers being leaked out onto the Internet.
Initial reports suggested that Helix refused to pay but precisely what went on behind the scenes was hard to confirm. Nevertheless, just a week later, a second IPTV service has found itself in a similar position and has cast some additional light on the earlier attack against Helix.
Last evening the operator of IPTV service PrimeStreams made an announcement to its customers that it too had suffered a hack, albeit not a very complex one. The attacker exploited a password on the service’s billing panel and then advised the service through its own ticketing system what had happened.
“Well you have changed the password so it is obvious you have ready my ticket [sic],” a communication from the hacker read, according to a screenshot of the discussion. “Do I not get a reply or a thank you.”
The operator of PrimeStreams was polite in response, thanked the hacker for the heads-up, and offered a free account for reporting the vulnerability. But that wasn’t enough.
“The bad news for yourselves is that this mistake is going to cost you,” the person replied.
Detailing internal information about how many subscribers the service has on the books, including around 121,000 with active subscriptions, the attacker went on to state that the business had a responsibility to protect its customers “and this is a responsibility you have failed.”
PrimeStreams’ operator did the responsible thing and didn’t attempt to hide anything from his customers. Knowing that the information would probably leak out anyway, he took full responsibility for the breach.
“100% my fault and I accept 100% responsibility,” he wrote.
Nevertheless, the attacker wanted to make PrimeStreams pay. Claiming that he/she was the same person that had targeted Helix last week, the person demanded that PrimeStreams should either shut down or pay a significant ransom.
“They are now demanding 10BTC from me 70K lol,” PrimeStreams’ operator wrote. “I have no idea if it’s the same person, I have no idea if they actually were able to use the info in the store site to get into the [database] and download it, I will say that it would be possible though.”
Interestingly, the brief chat with the hacker also revealed two further pieces of information. Firstly, it claims that Helix tried to “outsmart” the attacker last week so, in response, the attacker “made a leak to torrentfreak that destroyed there business [sic].”
While we have no information about Helix’s actions behind the scenes, we can categorically deny the claim that any leak of any kind was made to TF. All of the information in our earlier report came from the notice placed by the attacker on Helix’s homepage or was culled from other public sources. At no time have we been offered, seen, or published any private information relating to the alleged hack.
The final detail is that Helix allegedly paid the ransom after the attacker began leaking information online, claims that we have been unable to confirm. Equally, we have been unable to confirm whether PrimeStreams paid a ransom after they were given just six hours to pay a huge amount in bitcoin or shut down their business.
Last evening, PrimeStreams was said to be “working diligently” to see if any logs could be found to indicate what the attacker may have downloaded or had obtained access to. This, its operator said, was to see “if this is a legit threat or just someone trolling.”
The outcome of that work isn’t clear but the latest report from PrimeStreams indicates that the issue has now been sorted out.
Given this is the second time in a week that an IPTV provider has suffered a security breach, questions will no doubt be raised about security at other suppliers.
We spoke to someone involved in the IPTV supply chain who informs us that while he prefers not to comment on operational security matters at specific providers, at the bare minimum customers should be signing up to services with a fake name and address, using a ‘clean’ email address, while avoiding PayPal whenever possible.
“It won’t stop these low-level attacks but if they happen again only less useful info will be dumped,” he concludes.