True story about the CubeCart Hack

For those of you following the CubeCart Hack that has left roughly 64,000 ecommerce businesses open to full database leaks, including personal details like credit card data.

It was not my intention to publish intimate the details of this case to the world as the truth will very likely create ripples through the shopping cart vendor CubeCart. We have made multiple requests to contact us regarding this issue, all of which had been received, but not replied to.

Rather than allow a company lie to their customers about the privacy of their data, we feel that the truth is the number one priority for any business dealing in sotware that holds consumer data.

The founder of CubeCart made a public statment on their company forums

"Just after Christmas, a script kiddie hacker managed to get a malicious file on our server from a security hole in our bug tracker. They then attempted to blackmail us in the usual low life way these people do. However we refused and quickly patched all the servers software and tightened our server security settings locking them out by closing any back door access they created. We were not aware of any breech of data until now and it appears that they have data up to the first few days of January 2012.

The hacker was furious that we didn't pay them and it looks like he/she managed to steal some data from the license system database from our company server and has irresponsibly posted this information online. To add insult to injury they are twisting the facts in an attempt to scare our customers and impact our business.

Please note that;
- the hacker stole data from OUR database. They have no means or method to access any part of your stores data at all.
- most importantly we do NOT store any credit card data on our servers.
- all software license keys remain in the hands of their original owners. No 3rd party is able to unlock or reset them so they have no control or power over your storewhatsoever.
- 64,000 shopping carts are NOT vulnerable. The article title is incredibly misleading and there is no reason to be alarmed as they do not have access to your stores database.
- our server is continually scanned by McAfee Secure for vulnerabilities and we do our very best to keep all software secure and up-to-date... however keeping a server totally bullet proof is never 100% possible and from time to time companies including high profile household names such as Sony have suffered similar exploits.

The only thing we can do is to sincerely apologise and continue and to review our security policies.

They claim that they were originally hacked Christmas of 2011, and blackmailed by the hacker, but failed to warn their customers of their data being compromised. They also claim the data we have obtained was dated 2012, which would make this the 2nd hack, one that they were not aware of.

They make mention of the hacker irresponsibly posted the information online, this is in reference to a now removed link to our website. a false accusation that we are the hacker only proving they are even more clueless about what really has happed than we thought.

They claim that the hacker stole data from only the cubecart company database, we have reason to suggest otherwise. but we will get to that later in this article.

They claim that they do not store credit card data on their servers,
no? then what is this?

"they have no control or power over your storewhatsoever." "64,000 shopping carts are NOT vulnerable"

False. Anonymous Hackers have a new ZeroDay attack they can use against CubeCart to gain full Database Access using what is called SQLi, They can even use google to locate roughly 64,000 websites running your software that the vulnribility currently works on and has been verified by highly skilled security professionals.

We find your remarks to be slanderous, and a down right lie to your customers. if you contacted us rather than avoiding the issue, you would have learned this information before your customers did.

How did we learn of this massive security breech of a leading ecommerce software solution?

We have previously investigated the hacker that tried to blackmail your company, and we have information on who he is, and even his IP address right now, but i guess you're not interested in that. right?
This was submitted to us by the hacker that molested your database.

One thing we know for sure, is he does not stop at one database, and he is all about automation. this means he most likely already has all 64,000 databases sitting on his servers while he buys bulk cheetos off ebay.

Also I love how you try and place blame on McAfee, You are the effing software developer, it was your code that got 64,000 of your customers owned. don't try to spread the blame. because all blame is on you.

Next time, just email us, and we won't have to bash you in a public forum like you did to us.

There is a ton of data to add to this, documented proof, names, hackers involved, groups, etc, but I think we have invested enough time and energy into a worthless cause of defending ourselves against a company that lies to their customers.