HTTPZoom Possible Information Breach

Just received this mail:
Hey There,
It has come to our attention that the recent WHMCS hacks have resulted in a breach of our security.
While the hacks were happened we implemented security such as Mod_Security rules as well as deploying the WHMCS updates ASAP, this however may not have been enough.
We are continuing to investigate and will update all customers ASAP.
Thank you,
HTTP Zoom
Since quite a few people here got some of their very cheap servers, this might get interesting.
Comments
Ok, wonderful, 3 hosts leaked. My data is now multiple in ethernet..... screwwww everything.
Can I do something as a client in such a situation?
Well, if you have a credit card in addition to a bank card, I always use my smallest credit card for internet transactions. That way, if things like this happen, it's a simple matter to request a new credit card #. More painful if it's your bank card that all your bills are tied to, though.
Httpzoom has never collected credit card details, right now it looks like names, addresses and password hashes have been obtained. We are still investigating fully.
Well, that last WHMCS hack, the first part if they messed with your license first, broke the WHMCS install so the db dump part of the hack would never work.
I'm thinking it would be a good idea for providers to stop using WHMCS!!! Wow how many more of these threads do we need to see?
All you need is one person skilled at breaking into things for this to happen. It could be the most secure panel around, one person releasing a script is all it takes. Switch from whmcs, change the "hacker's" target is all. I'd rather consistency and fast reaction than switching to the software of the month.
All we can do is the same as we always do. Keep providing a solid service, if problems come along deal with them and be as honest as possible to our customers.
When did it happen?
This is why I'd never use a credit card with pretty much any hosting provider.
The NSA did it.
-nope'd-
That's doubtful Castleservers. Who were the transactions to? The only info a hacker would get is that you are using paypal as a payment method, since you don't ever enter your paypal password on any VPS page, I can't see how this would increase your risk of getting hacked............ unless you use the same password for each.
Were you silly enough to use the same password on your PayPal account as on a provider's WHMCS?
Nope.
After contacting PP, it turns out it was PayPal telling me to add a credit card and that their mail server had sent me their "Add a credit card to prevent declined purchases" email quite a few times. I was tired, lol.
I've been a httpzoom customer for almost a year and I was very satisfied with their service, but this has been a huge let down for me. To be honest, considering myself as pissed would be putting it mildly. I had my real phone number, name and surname in WHMCS, and personal e-mail there, and now it will be just circulating around the internet? What was the password hashed with? Was there a salt?
That's really not a valid point here. WHMCS is an awfully badly written piece of software (honestly some of the worst commercially packaged production code I've seen), and switching to a different platform would almost certainly massively increase security. It doesn't even have to be 'bulletproof' - as long as it's not as much of a mess as WHMCS is, it will be magnitudes more secure. Seriously, go look at the code some time and tell me that WHMCS isn't a disaster waiting to happen.
The "everything can get hacked" mantra (which is technically not even true) stops ringing true, when the developers of the software in question have shown clear incompetence and negligence in the area of security. And even if you cannot guarantee 100% security, that is no excuse to just leave your customer data hanging by a thread that is virtually guaranteed to break.
In what language was that e-mail originally written and did anybody read it before it was sent?
I'm no longer a customer there, nor have I been in a while. However, this message is just unprofessional. It doesn't inform customers what data could have leaked, it doesn't advise them to change their passwords as soon as possible and it doesn't even apologize for the (major) inconvenience this could cause.
You are typically protected against fraud when you use a credit card for purchases online. In addition, if you have Discover they can generate a one-time, online credit card number that you can use for just a single website purchase. In the event it gets compromised they can just turn it off without having to issue another physical card (plus you'd know where the leak came from).
Considering I dropped you a message on Zopim a few weeks ago about this, I am pretty shocked it took you so long to send the email out.
However, unlike some providers who got hacked on here, not going to mention any names, have basically brushed the hack off as some sort of "oh it happened to everyone" and it's not important to notify our clients.
So thanks for investigating this guys, and responding correctly and not trying to cover it up.
I had two messages yesterday for the same reason, one from Httpzoom and another from colorhost.de, and this is really so bad.
Now I have to change my passwords and I'm sure that this will happen again and we will have to do the same again.
@LV_Matt having checked ZopIM no message exists, if we had obtained this info sooner we could have let our users know sooner.
Yep, credit is due for transparency and better than sweeping it under the carpet.
Providers, dig into your pockets and fund an alternative to WHMCS- as you're putting your customer details at risk by knowingly continuing to use them.
The security breach notification sent to customers should have included the following information:
- the estimated date of the breach
- a summary of the incident
- the nature and content of the personal data
- likely effect on the individual
- any measures you have taken to address the breach
- how they can mitigate any possible adverse impact of the breach
Notification that should have been sent to ICO:
- within 24 hours of becoming aware of the basic facts. Full details must be provided as soon as possible.
The ICO provides a secure online form for all notifications
overview: http://www.ico.org.uk/for_organisations/privacy_and_electronic_communications/the_guide/security_breaches
detailed: http://www.ico.org.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/notification-of-pecr-security-breaches.pdf
This is the first time I've been affected by a WHMCS hack and as a result, my address and other information is out there. To top it off, only current customers get their "sorry" credit, like last customer's information doesn't matter. Add me to your blacklists now because I'm not using my real info for WHMCS ever again.
@domainbop We are not a UK based company and therefore the ICO will not need to be informed.
Coolnow, unfortunately we cannot provide non-active customers with any sort of compensation.
This is troublesome that they have not made a public apology? Yeah, they owned up to the situation, but where is the apology? Sorry credit just doesn't cut it, sorry. Be a man or woman and issue a public apology to your customers and former customers! Dang, just good business practice.
Don't worry, I didn't want it although your support offered it to me. My point was that all you can do is offer something to current customers but there's no afterthought for the previous ones that are still affected.
Another reminder that I need to revisit the admin panels of my previous providers and remove all my personal information.
Maybe it's worthwhile building a scraper for basic WHMCS functions, I already have one for Cpanel. It seems "randomise personal details" would be popular.