NCIX servers sold on Craigslist with 15 years of user data

NCIX is in some big effing trouble with a story breaking over the weekend that someone had access to their old servers that went for auction and were purchased, after the Canadian retailer went bankrupt in 2017.

2

The servers that were previously owned by NCIX somehow ended up on Craigslist, with Travis Doering from Privacy Fly access the servers and pretending to be someone called "Jeff" for privacy (fly) reasons. Doering was after the data on the NCIX server, making is clear he was after the contents of the HDD alone and not the juicy server hardware. Doering met with the seller multiple times, confirming that they were ex-NCIX servers and that they indeed had NXIC user and business data on it.

The used servers were sold because NCIX reportedly didn't pay their warehouse storage bills in late-2017 with over $115,000 owed, where the servers were given to the warehouse owner to sell to recoup costs. Yeah well, the NCIX servers weren't wiped and millions of customers private detailed were exposed, as well as business customers who used to buy many millions worth of goods.

Doering said that Jeff, the guy selling the NCIX servers on Craigslist, had access to "300 desktop computers from NCIX's corporate offices and retails stores, 18 DELL Poweredge servers, as well as at least two Supermicro server's running StarWind iSCSI Software that NCIX had used to back up their hard disks". Jeff also gave Doering access to even more storage, with "109 hard drives which had been removed from servers before auction and one large pallet of 400-500 used hard drives from various manufacturers".

The private data on these servers and storage drives had personal data of millions of people, with credentials, invoices, photographs of customers IDs, bills, customer names, addresses, email addresses, phone numbers, IP addresses, and unsalted MD5 hashed passwords. You know, pretty much everything. The database had 258,000 payment card details, all stored in plain text, and 3.8 million orders.

Even worse, Doering found the backup image for NCIX founder Steve Wu, showing just how bad this data breach could've been.

The Craigslist seller was happy for Doering to copy all of the NCIX customer data from ALL of the server HDDs, without buying any of the hardware. This is beyond sketchy, just in case you're not aware of this situation because at point, it's ridiculously bad. Jeff even told Doering that at least one other person had purchased the old NCIX data, so who knows how many people have access to it at this stage.