Full Report
Lizard Squad failed to encrypt its database of LizardStresser's registered users - storing details of their usernames and passwords in plaintext. A schoolboy error if ever I heard one.
Analysis Summary
# Incident Report: Compromise of Lizard Squad DDoS Service Credentials
## Executive Summary
Lizard Squad, known for DDoS attacks against major services such as Xbox Live and PlayStation Network, was itself undermined when the user database of its LizardStresser DDoS-for-hire service was compromised. The database held the usernames and passwords of more than 14,000 registered users in plaintext; the data was subsequently passed to law enforcement, exposing paying customers to legal action. The breach compounded the damage from recent arrests of suspected members of the group.
## Incident Details
- **Discovery Date:** January 2015 (implied to be shortly before public reporting)
- **Incident Date:** January 2015 (the compromise of the database and its hand-over to authorities; exact date not stated)
- **Affected Organization:** Lizard Squad (Specifically their LizardStresser service infrastructure)
- **Sector:** Cybercrime / Botnet Operation
- **Geography:** Not explicitly mentioned, but implied global reach through user base, with arrests in the UK and Finland.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, prior to January 19, 2015.
- **Vector:** Not stated in the report. The database was obtained by an unknown party; no specific vulnerability or misconfiguration on the LizardStresser server is identified.
- **Details:** The core database containing user credentials for the DDoS-for-hire service was successfully compromised by an unknown entity.
### Lateral Movement
- Not applicable in the traditional sense; this was a direct compromise of the service's user database, not a broader network intrusion into a victim's network.
### Data Exfiltration/Impact
- **Details:** Usernames and passwords belonging to over 14,000 registered users of the LizardStresser service were stolen. Crucially, the passwords were stored in **plaintext**, so the credentials were usable as-is, with no cracking step required.
- **Impact:** The stolen data was handed to law enforcement agencies (e.g., the FBI), placing paying customers (who had collectively paid roughly $11,000 in Bitcoin for attack time) at high risk of arrest and prosecution.
### Detection & Response
- **How it was discovered:** External reporting, specifically citing Brian Krebs' reporting on the breach.
- **Response actions taken:** The dataset, which identifies the service's customers, was provided to authorities. No remediation by Lizard Squad is reported beyond continued activity on Twitter; the breach coincided with arrests of suspected members and severely damaged the group's operation.
## Attack Methodology
| Category | Method |
|---|---|
| **Initial Access** | Unknown external compromise of the service's user database. |
| **Persistence** | Not applicable to the data breach itself, though the group maintained operational status via Twitter post-incident. |
| **Privilege Escalation** | Not applicable. |
| **Defense Evasion** | Not applicable. The relevant failure was a missing control on the operator's side: credentials were stored in plaintext rather than as salted password hashes, so whoever obtained the database needed no cracking step. |
| **Credential Access** | Direct access to the unencrypted user database (usernames and passwords). |
| **Discovery** | Not applicable (attacker targeted existing user database). |
| **Lateral Movement** | Not applicable. |
| **Collection** | Dumped user account information (usernames and passwords) from the service database. |
| **Exfiltration** | The user database (usernames and plaintext passwords) was taken by an unknown party; the dataset was subsequently passed to law enforcement agencies. |
| **Impact** | Exposure of criminal customers to legal consequences; degradation of the Lizard Squad's criminal service credibility. |
## Impact Assessment
- **Financial:** Customers had paid roughly $11,000 in Bitcoin for attack time; the leaked records turn that spending into evidence of their activity. The cost of the resulting law enforcement investigation is unknown.
- **Data Breach:** Details (usernames and passwords) for over 14,000 users of a criminal service.
- **Operational:** Severe operational setback for the LizardStresser DDoS-for-hire service due to loss of customer trust and subsequent law enforcement action against users.
- **Reputational:** Highly negative for the Lizard Squad, emphasizing their operational incompetence ("schoolboy error" for storing plaintext passwords).
## Indicators of Compromise
*Note: This was a breach of the service's own user database, not an intrusion by Lizard Squad into a victim network, so conventional IOCs for detecting the group on a victim network do not apply. The key indicator is the leaked dataset itself.*
- **Network indicators:** None reported.
- **File indicators:** User database dump containing usernames and plaintext passwords.
- **Behavioral indicators:** None reported. The underlying weakness (a control failure rather than an indicator of compromise) was storage of authentication secrets in plaintext.
## Response Actions
- *Note: Response actions listed below pertain to the actions taken by law enforcement agencies or external parties following the breach, not internal actions by Lizard Squad.*
- **Containment measures:** None reported on Lizard Squad's side. Law enforcement (including the FBI and police in the UK and Finland) now holds the customer records and can pursue the service's clientele. The arrests of suspected members reported around the same time (e.g., Vinnie Omari, Julius Kivimäki) relate to the group's DDoS activity and are not stated to have resulted from the dump.
- **Eradication steps:** Not applicable. The dataset is already in third-party hands and cannot be recalled; the service's user records can no longer be treated as confidential.
- **Recovery actions:** None applicable for the compromised entity (Lizard Squad).
## Lessons Learned
- **Key takeaways:** Criminal enterprises, regardless of perceived technical skill (as demonstrated by previous high-profile attacks), often suffer from catastrophic operational security failures, such as failing to encrypt sensitive customer data.
- **What could have been done better (by Lizard Squad):** Storing passwords as salted hashes produced by a deliberately slow, memory-hard function (bcrypt, scrypt or Argon2), as is standard practice, would have prevented the passwords from being usable as-is and forced anyone holding the dump to crack them one at a time. Note the limit of this control: hashing protects the passwords, not the usernames, attack logs or payment records, so the customers' exposure to investigators would have been reduced but not eliminated.
## Recommendations
- **Prevention measures for similar incidents:** Any service (legitimate or otherwise) must store user passwords only as salted hashes from a modern password-hashing function (bcrypt, scrypt, Argon2); passwords must never be stored in plaintext or as unsalted fast hashes such as MD5 or SHA-1. Verification must recompute the hash and compare it in constant time. Periodic auditing of how credentials are actually stored, not just how they are specified, is what catches this class of failure before a dump does.
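The following is an added worked example, not code from the original report or from the LizardStresser service, illustrating the point made in Lessons Learned and Recommendations: the plaintext table that hands an attacker every password verbatim, next to a salted scrypt table whose raw dump yields nothing directly usable, plus the audit check that would have flagged the weak table. Sample usernames and passwords are constructed; the scrypt cost parameters and the record format are assumptions chosen for illustration.

```python
"""Plaintext vs. salted, memory-hard password storage, with an audit check.

Added example. SAMPLE_USERS is constructed test data, not anything from a real dump.
"""
import hashlib
import hmac
import secrets

# Constructed sample records of the kind a DDoS-for-hire panel's user table might hold.
SAMPLE_USERS = [
    ("customer01", "hunter2"),
    ("ddos4life", "Password123!"),
    ("ddos4life_alt", "hunter2"),   # same password as customer01, on purpose
]

# scrypt cost parameters (assumed for illustration; tune so one hash takes ~100 ms).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, DKLEN = 16, 32


def store_plaintext(users):
    """The failure mode in the report: the table holds each password verbatim,
    so a single dump of the table gives whoever takes it every credential."""
    return {username: password for username, password in users}


def hash_password(password, salt=None):
    """Return 'scrypt$N$r$p$salt_hex$hash_hex' using a fresh random salt per user."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def parse_record(stored):
    """Split a stored record into (n, r, p, salt, digest); None if it is not a
    well-formed scrypt record (e.g. a plaintext password or a bare MD5 hex string)."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, digest = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return None
    if not salt or not digest:
        return None
    return n, r, p, salt, digest


def verify_password(password, stored):
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    rec = parse_record(stored)
    if rec is None:
        return False
    n, r, p, salt, digest = rec
    try:
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, dklen=len(digest))
    except ValueError:          # corrupted parameters in the record
        return False
    return hmac.compare_digest(candidate, digest)


def store_hashed(users):
    """The hardened table: only salted scrypt records are ever written."""
    return {username: hash_password(password) for username, password in users}


def audit_table(table):
    """Audit check a reviewer would run against the live table: return the usernames
    whose stored credential is not a parseable scrypt record. A plaintext column
    fails for every row; a correctly hashed column returns an empty list."""
    return sorted(user for user, value in table.items() if parse_record(value) is None)


if __name__ == "__main__":
    weak, strong = store_plaintext(SAMPLE_USERS), store_hashed(SAMPLE_USERS)
    print("plaintext table, raw value for customer01:", weak["customer01"])
    print("hashed table, raw value for customer01:   ", strong["customer01"][:40], "...")
    print("audit of plaintext table flags:", audit_table(weak))
    print("audit of hashed table flags:   ", audit_table(strong))
    print("login still works:", verify_password("hunter2", strong["customer01"]))
    print("wrong password rejected:", not verify_password("hunter3", strong["customer01"]))
    # Per-user salts: identical passwords produce distinct records.
    print("same password, distinct records:", strong["customer01"] != strong["ddos4life_alt"])
```

The audit function is the piece worth running periodically: it does not need to know any password, only the expected record shape, so it catches a column that was silently left in plaintext or migrated to a legacy fast hash without anyone noticing.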