Cyber Incident Victim: Domain Factory
Date: Jan 2018
Location: Germany
Summary
A German hosting provider experienced a data breach where unauthorized access to customer information occurred through a compromised data feed, potentially exploiting a known vulnerability variant. The exposed data included names, contact details, account credentials, financial identifiers like IBAN and BIC numbers, and dates of birth. The attacker claimed financial motives, alleging unpaid debts from the company. The intrusion remained undetected for months until public claims surfaced on the provider's forum, prompting an investigation that confirmed the compromise. The company secured the access point, notified data protection authorities, and engaged external experts while advising customers to reset all system and service passwords due to potential website compromises stemming from the leak.
Description
Domain Factory, a German hosting provider, experienced a data breach involving unauthorized access to customer data on January 28, 2018. The incident remained undetected until July 3, 2018, when an unknown threat actor publicly claimed responsibility through posts on the company's forum. This disclosure prompted Domain Factory to temporarily shut down its forum and initiate an internal investigation. The investigation confirmed that an external party had illicitly accessed a "data feed" containing sensitive customer information. The compromised data included full names, customer numbers, physical addresses, email addresses, telephone numbers, dates of birth, account passwords, bank names, and financial identifiers such as IBAN and BIC numbers. The attacker allegedly exploited a security vulnerability described as a variant of the Dirty Cow exploit to gain access. According to public claims made by the perpetrator, the breach was motivated by a financial dispute in which the attacker asserted that Domain Factory owed them money.

Domain Factory secured the compromised access route upon discovering the breach and implemented patches to address the vulnerability. The company notified the relevant data protection authorities and engaged external cybersecurity experts to assist with the investigation. Customers were instructed to change their account credentials immediately and were additionally advised to reset passwords for associated services, including MySQL, SSH, FTP, and Live disk accounts, because the leaked data could be used to compromise those services. The firm publicly committed to implementing measures to prevent a recurrence but did not specify the technical or organizational details of these improvements. The delayed detection timeline (approximately five months between intrusion and discovery) highlighted gaps in the company's security monitoring capabilities. Forensic analysis indicated that the breach was limited to unauthorized data access rather than system destruction or service disruption.
