Hosterlabs data breach

Just got this email:
We are writing to you because of an incident involving access to information associated with online purchases made on our website www.hosterlabs.net. Although we are unaware of any actual misuse of your information, we are providing notice to you and other potentially affected customers about the incident, and about tools you can use to protect yourself against possible identity theft or fraud.
What Happened?
We discovered on June 22, 2021 that our website www.hosterlabs.net experienced an intrusion on June 21, 2021. The intruder or intruders placed malware on our servers, and by doing so gained access to our customers’ data. To date, the investigation indicates that the intrusion began around the 21st of June at ca. 9 AM.
At first we noticed our website hosterlabs.net/panel/ was offline and not working. Further investigation seemed to reveal a problem with the databases; we thought they were corrupted. After further investigation we found messages from "hackers" threatening to make the information on the databases public/selling them, and they asked us for money in exchange for returning the information to us, because it had been deleted. We do have backups, which we make on a daily basis, and as such we decided not to pay any ransom. We have disaster plans and prevention on all servers and platforms. We have had false alarms of hackings in the past, hence all our systems are extremely secure, but unfortunately there is nothing that cannot be hacked. The hack came through our Wordpress main site hosterlabs.net/ where hackers possibly injected viruses through a vulnerability within one or more plugins we have. These vulnerabilities have been fully isolated and fixed. For now security is really tight, but we will add further security in the upcoming days as well as changing how our systems are designed internally.
What information was included?
Name, Last Name, E-mail, Address and personally identifiable information.
Passwords were most likely not stolen, nevertheless, please change your passwords for your VPS/Hosting accounts and your control panel account.
No credit card information was stolen, no intrusion in any other systems took place. Please make sure to change your password in all of our services.
Is the breach fixed?
Yes we have tracked the malware and it has completely been removed from our sites.
What did you do to increase your security?
We have added further firewalls, active monitoring and we are working as of now with law enforcement to track the perpetrators of the crime. We have notified the FBI and we expect to do forensics on our servers, for which we have backed up all logs and accesses.
What kind of security do you have/ how do we know our information was protected?
Your information was protected to the best of our abilities, as we have experience aiding and making sure other people's servers are secure. We have seen/traced/removed similar hackings from customers. Most of our servers are unreachable outside our working spaces and require special authentications. This breach was just exploiting a plugin we had on our Wordpress site. We will revise all our security policies and keep you updated.
Comments
At least they make me laugh ...
Also, but it could also be me missing something, I did not find any mention of the data breach on their site.
Security-wise it's not the best idea to have Wordpress and the billing system on the same vhost.
If you're going to host them on the same server, for best security have billing hosted on a separate vhost, e.g. a subdomain running as a different PHP user. As long as it's set up properly, if the main site is compromised billing should be fine.
We had planned to deprecate Wordpress and use Gatsby in the near future. Again our apologies.
P.D. No VM data, no server credentials, credit cards or passwords were leaked.
I know many people will come out and say that, when used correctly (patched every day, WP as well as plugins, correct permissions, well isolated, no shady plugins or from shady sources, etc) WP is safe but almost everything is safe this way.
The general idea is to use something with a low attack surface.
IMO, a flashy (both senses of the word!) site for a host is not really needed, just highlight the packages in a clearly readable form as well as ToS/AUP payment methods and that is about it.
Using heavy CMS with tons of plugins is probably not a good idea in most situations.
And this is why, we use html for everything minus billing and forum. Better yet, each of them run on their own server and none talks to other
Yes!
Btw. HTML5 is damn good enough and when dealing with customer data security should be more important than eye candy.
One more reason to like NexusBytes / @seriesn.
@Hosterlabs - FYI "Delaware" is misspelled on your main page.
Apparently it was a quiz maker plugin for WordPress that was involved in the security...
In my opinion the issue is poor deployment. It's not even Wordpress that is the issue; as long as you have WP with a decent WAF like Wordfence you are good to go. But putting this aside, the real problem here is the deployment of the systems and Wordpress in the same account.
As a very useful and also very basic rule, always separate crucial systems from the website. Basically just deploy anything in subdomains or different domains, but that's just step 1. Hosting is so cheap nowadays that I would say NEVER host two things in the same account or VHOST. Just changing the way you think about this and applying this... you are making your stuff more secure.
Step 2) Only host in the same server if you have CageFS (CloudLinux) or an equivalent system that puts some walls around each account and prevents an exploit or a hack from jumping into the other account. In this case it was all deployed in one account, super easy for any attacker to compromise the other system. Also, it is even more secure if you just use different servers for each system; by doing this you are not depending on the CageFS implementation. Just set up different servers and use subdomains (if using the same domain as the website) or just other domains and create an A record for those servers.
Step 3) Have a WAF in place, harden the systems. A WP well hardened and using well implemented plugins is solid... period. Even if you were irresponsible and left the WP with pending updates over a long period, if you have a good WAF (with real time updates) it will catch and block such attacks. Highly recommend Wordfence, even the free tier. Make sure to configure it properly.
Let's get it done correctly.
Cordially / Respectfully
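The separation that both of the comments above argue for (billing on its own vhost running as a different PHP user, and walls between accounts so a compromised WordPress cannot reach the panel) can be implemented on a single box with one PHP-FPM pool per application. The script below is an added example, not code from the thread or from Hosterlabs: it generates one pool definition per application, each running as its own Unix user with an open_basedir fence around its own document root, creates the user and directory with permissions that keep the other application out, and only touches the system when run with the `apply` argument. The pool directory, PHP version, socket paths and user names are assumptions; the nginx side is simply one server block per subdomain pointing `fastcgi_pass` at that application's socket.

```shell
#!/bin/sh
# Added example (not from the thread): one PHP-FPM pool per application, each
# running as its own Unix user, so a compromised WordPress pool cannot read or
# write the billing application's files.  Paths, user names and the php-fpm
# version/directory are assumptions; adjust for your distribution.
set -eu

PHP_POOL_DIR="${PHP_POOL_DIR:-/etc/php/8.2/fpm/pool.d}"   # assumed location

# Print a php-fpm pool definition for application NAME served from DOCROOT.
# Each pool listens on its own socket (readable only by the web server) and
# runs PHP as a dedicated user; open_basedir confines file access to DOCROOT.
pool_config() {
    name="$1"; docroot="$2"
    cat <<EOF
[$name]
user = $name
group = $name
listen = /run/php/$name.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 10
; PHP in this pool cannot open files outside its own tree (and /tmp)
php_admin_value[open_basedir] = $docroot:/tmp
; no shell-outs from either application; a webshell dropped by a plugin
; exploit loses its easiest pivot
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
EOF
}

# Return 0 when two pool definitions run as different users, 1 when they
# would share one (the "everything in one account" layout the thread warns about).
pools_isolated() {
    u1=$(printf '%s\n' "$1" | sed -n 's/^user = //p')
    u2=$(printf '%s\n' "$2" | sed -n 's/^user = //p')
    [ -n "$u1" ] && [ -n "$u2" ] && [ "$u1" != "$u2" ]
}

# Create the system user and document root for NAME and install its pool.
# Mode 750 with group www-data lets nginx serve static files while every
# other account on the box (including the other PHP pool) gets nothing.
create_app() {
    name="$1"; docroot="$2"
    id "$name" >/dev/null 2>&1 || \
        useradd --system --home "$docroot" --shell /usr/sbin/nologin "$name"
    mkdir -p "$docroot"
    chown -R "$name:www-data" "$docroot"
    chmod 750 "$docroot"
    pool_config "$name" "$docroot" > "$PHP_POOL_DIR/$name.conf"
}

# Only change the system when explicitly asked: ./isolate.sh apply
if [ "${1:-}" = "apply" ]; then
    create_app wordpress /var/www/wordpress   # public site (www.example.net, assumed)
    create_app billing   /var/www/billing     # panel on its own subdomain (assumed)
    systemctl reload php8.2-fpm               # service name is an assumption
fi
```

Running the script without arguments only defines the functions, which is what makes the isolation check reusable in a pre-deploy test: feed it the pool files you are about to install and refuse to proceed if two applications would share a user. The example goes slightly beyond the comments by adding open_basedir and disable_functions, which is what a "different PHP user" buys you only if the filesystem permissions and PHP settings actually enforce it.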
Shit happens.
Providers need to focus on proactive security measures.
Giving real details when you sign up with a host makes it even harder with this kind of news. Fortunately you can edit most of them after you place an order and your service is active but some hosts don't allow personal details change at all. That's not really a problem until something like this happens.
@Hxxx
Sorry, no. If a provider feels the need to have a WP (or other) machinery driving their eye candy site, they can do so - but on another server that is completely separate.
The core that holds and deals with customer (and other confidential business) data should be
A WP (or similar) based system is pretty much the recipe of how not to do it.
Pun intended?
That "FBI" part was hilarious
Please read. That's what I said.
No, a stupid mistake. Corrected, thank you!
Also, @jsg, WordPress has nothing to do with eye candy shit. You can have a website in plain HTML5 with CSS3, Bootstrap, etc., you know... the usual bullshit, and if you are good you can make it look top notch. People use WordPress just to not mess with HTML or PHP directly, just the convenience that a CMS provides.
Be informed please, you just comment everywhere clueless...
Respectfully / Cordially.
You need less Jesus.
Less LET. Just the same individuals spamming the forum with wrong information.
Really? Duh!
Thanks for confirming my "clueless" view.
@jsg You are welcome. Have a nice day.
((shakes head, in disbelief as a disbeliever))
Where's that Picard meme, when you need it?
When are you going to develop such a system and make it freely available?
Actions are louder than words.
P.S. I made one with bash, not PHP, although it's superseded by Vagrant now.
https://yoursunny.com/p/vmapi/
When I get paid to do it.
(see, @AlwaysSkint, I'm beginning to get it right, your efforts are not wasted)
LMFTFY
Meanwhile, loosely on topic. This is why I keep my games (tablet, Wii/PS3 whatever), phone (no financial transactions) and laptop (web stuff, sites) separate. It's a similar principle.
It's not the CMS convenience as much as the design convenience. Yes, you can make a site look very snazzy without WP...but then you have to hire someone to make you a site or do it yourself. With WP, you can just throw up a template and it looks halfway decent and in the lowend world, that is very attractive.
An important consideration here is that providers' web sites are greater attack magnets than many other sites, so they need extra care, which argues for the approach @seriesn takes - static HTML, with interactive apps segmented. Heck, if I was a provider my web site would be completely on CDN.
https://yoursunny.com/p/vmapi/
That looks neat!
Very true, however the problems come when the average person starts adding these extra (in many cases unnecessary) themes and plugins without understanding the security implications of doing so.
It doesn't take too long on a fresh WP install until a vulnerable 3rd party plugin or theme becomes compromised and the account starts sending spam or mining.
Pure HTML is beautiful simplicity, we don't need dynamic sites (particularly PHP) for every damn thing.