New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
NO need for that. PCI Compliance states that the credit card info be saved in a separate server (not accessible via a live IP) and information saved by using the tokenizing method
OR
get out of all that hassle and just use a payment gateway that allows PCI compliance, so you pass the info to that payment gateway directly (without storing the CC info) and the payment gateway charges it. You can pass flags to ask the payment gateway to store the card for future needs. Later (on recurring payments etc.), you just send the previous transaction ID OR object ID and ask the payment gateway to charge it again.
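The tokenized flow described in the post above, written out as an added example (this is illustration code, not WHMCS code or any real gateway's API): `PaymentGateway` is a stand-in for the PCI-scoped provider, `MerchantVault` is what the billing system keeps, and the card number, token and customer ID are constructed test values. The merchant side stores only the token, last four digits and expiry, so a dump of its tables never yields a full card number, and recurring charges go through the token alone.

```python
"""Tokenized card storage: the merchant keeps a gateway token, never the PAN.

Added illustration, not WHMCS or any real gateway's code. PaymentGateway is a
hypothetical stand-in for a PCI-compliant provider; MerchantVault models the
billing system's own database.
"""
import json
import secrets
from dataclasses import asdict, dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the basic sanity check a gateway applies before vaulting."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentGateway:
    """Hypothetical provider vault: the full card number lives only here."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}   # token -> (PAN, expiry)
        self.charges: list[tuple[str, str, int]] = []  # (charge_id, token, cents)

    def tokenize(self, pan: str, exp: str) -> tuple[str, str]:
        """Store the PAN on the gateway side; hand back an opaque token + last4."""
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (pan, exp)
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> str:
        """Charge a previously vaulted card by token only (recurring billing)."""
        if token not in self._vault:
            raise KeyError("unknown token")
        charge_id = "ch_" + secrets.token_hex(8)
        self.charges.append((charge_id, token, amount_cents))
        return charge_id


@dataclass
class StoredCard:
    """Everything the merchant is allowed to keep: no PAN, no CVV."""
    token: str
    last4: str
    exp: str


class MerchantVault:
    """The billing system's card table, holding gateway tokens only."""

    def __init__(self, gateway: PaymentGateway) -> None:
        self.gateway = gateway
        self.cards: dict[str, StoredCard] = {}  # customer_id -> StoredCard

    def add_card(self, customer_id: str, pan: str, exp: str) -> StoredCard:
        token, last4 = self.gateway.tokenize(pan, exp)
        self.cards[customer_id] = StoredCard(token, last4, exp)
        return self.cards[customer_id]

    def charge_customer(self, customer_id: str, amount_cents: int) -> str:
        return self.gateway.charge(self.cards[customer_id].token, amount_cents)

    def dump_contains(self, secret: str) -> bool:
        """Would a leak of the merchant table expose this value? Serialize and grep."""
        dump = json.dumps({cid: asdict(c) for cid, c in self.cards.items()})
        return secret in dump


def run_flow() -> tuple[StoredCard, str, str, bool]:
    """Vault a card once, bill it twice by token, then check the merchant dump."""
    gw = PaymentGateway()
    vault = MerchantVault(gw)
    pan = "4111111111111111"          # constructed test number, not a real card
    card = vault.add_card("cust_1", pan, "12/27")
    first = vault.charge_customer("cust_1", 1999)     # initial order
    renewal = vault.charge_customer("cust_1", 1999)   # recurring charge, token only
    exposed = vault.dump_contains(pan)                # False: PAN never stored here
    return card, first, renewal, exposed


if __name__ == "__main__":
    card, first, renewal, exposed = run_flow()
    print(f"stored: {card}")
    print(f"charges: {first}, {renewal}; merchant dump contains PAN: {exposed}")
```

The point of `dump_contains` is the one this thread is about: if the merchant database leaks, the attacker gets tokens that are useless outside that merchant's gateway account, not card numbers to decrypt.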
Someone clearly did not sort out all these loose ends and we, the customers of WHMCS, are screwed
Ditto
You are fine, the leak doesn't contain your CC information. But it does contain your hashed password, email address, etc so you might want to change your password if you've used it on other sites.
@Asim I think ModernBill uses the method I stated, but I agree your idea would be so much better.
It contains un-hashed passwords, by default WHMCS stores them in the email log.
The dump only includes a fraction of the email table and Shane's Welcome email isn't in it. However 15k other people's passwords are.
Yeh, I wondered why it was only half of the database. I guess the entire mail log was a few GBs.
@gsrdgrdghd: Creepy. At least my password isn't there. :P
On a GPU MD5 Bruter, probably take around 20 minutes to crack.
It looks like their Twitter account is finally back under their control.
I was going to tweet "How do we know this is the real WHMCS? Please provide last 4 digits of your credit card number for us to verify..."
But that would just be too insensitive ....
Forums still are not.
And the one day I have a WHMCS question that isn't in the docs...sigh...
I bet this forces them to hurry and release a new version of WHMCS to regain subscriber base and have secured code once again.
Hell, I would release a new version even without any changes just to make people think it's different code. LoL.
Someone able to give me a quick run down? The thread is huge :P
WHMCS got hacked, all data leaked with very weakly encrypted CC data which has been decrypted now. Their forum even got hacked again 1 day later.
First, they blamed HostGator for leaking root password of their server. The other day, they blamed vBulletin.
Oh Dear, now the blog has been hacked.
http://blog.whmcs.com/index.php
Lol I wonder what's next ..
LOL the hacking countdown doesn't even need to be dynamic or so, it can just be static HTML with 0 days since the last hack
Looks like http://haswhmcsbeenhackedtoday.com/ needs to be updated.
It says 0 days
It's showing yesterday's hack in the image.
Wow, this has to be a joke or something.........
How hard is it to not reconstruct the same website with the same passwords? Surely that is exactly what is happening. All fresh logins, everywhere. All clean installations. Fresh security optimization by a capable sys admin. How hard is this? It's not like they have this unbelievable wealth of data.
"Access regained to server, security audit performed, and website restored from backup"
Why not reinstall the server or move to a new one so that the old one can be audited, these guys aren't making much sense...
Matt probably used the same password everywhere, and it looks like they need to hack their sites one by one to make him change those passwords.
Just to clear up, we were not aware of this and would never use nulled software - simplexnetwork.com was in the black listed domains table. Not sure why but our WHMCS is at simplexwebs.com
Thanks.
Hmmm, he must be hosting the forum on a 286, because that upgrade script is taking a loooong time :-)
That 'upgrade script' password dialogue looked like a very blatant phishing attempt to me.
ohs nos! So I shouldn't have tried to login with my bank account credentials?
@HarrySX My understanding of the takedown notice table is that it could also apply to providers who are hosting clients who may have used a nulled whmcs. I could be wrong about that. I don't think being listed there is a specific indication of direct guilt. As for the blacklisted domains, who knows.