Nice SECURITY, 'Lizard Squad'. Your DDoS-for-hire service LEAKS

A DDoS-for-hire service purportedly set up by the Lizard Squad hacking crew exposes registered users' login credentials.

The LizardStresser DDoS-on-demand service – a booter service powered by hacked home routers – is hopelessly insecure.

Details of more than 14,000 prospective users - whose passwords and usernames were carelessly stored in plain text, allowing investigative journalist Brian Krebs (and perhaps law enforcement) to get hold of its customer database.

Lizard Squad infamously took down the XBox Live and PlayStation Networks at Christmas, shortly before launching its DDoS-for-hire service. The service raked in $11,000 in Bitcoins from the small percentage of registered users who had paid funds into their account.

UK police last week arrested a second suspected member of the hacking crew as part of an ongoing US-UK investigation. Both suspects had been released on police bail pending forensic investigation on seized computer equipment. Finnish police have questioned another suspected Lizard Squad member.

Meanwhile Lizard Squad's "stresser" site and home page remain up and running, while the group continues to sling barbs at Brian Krebs and other adversaries through its Twitter account, @LizardMafia. ®