New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Comments
This is good advice, I just wanted to add that there's been news that even this is not always enough (but there's very little on what can be done when this is not enough). I'm really surprised when I hear that hackers are bypassing even 2FA (in terms of how they are able to do it). I'm not surprised that there are hacks in general.
Leave the ChatGPT bot alone (-:
Usually it requires printing out backup codes and keeping them safe. Furthermore, you can contact support and initiate the account recovery procedure (invoices, passport etc.). There is no problem without a possibility to resolve it.
There is by default a limit of 10 servers. So that should also be bypassed then.
Yeah. And if someone doesn't want to give out their personal information, then what? Or an anonymous registrant? It's easier to recover your password via e-mail than to go to support and waste your time. Although if you lose your password to the mail, there may be problems too. But it is less likely.
If you use their services - you apply their terms. If not - look for another suitable company. No one forces you to use any service or tool you don't like. Wonderful freedom.
TL;DR; OP's password either leaked or was weak, in combination with the email address used.
You wouldn't believe how many people use intentionally and knowingly insecure e-mail accounts, judging from all the flame we got because we e-mailed service passwords just like every other provider out there.
The demands to somehow magically, perhaps with telepathy, give users the passwords.
This was not 1 or 2 instances. Then again it was that R named s**thole. Only place I've ever seen where that has happened, and also the only place which would start a flame thread because a ticket took 34 minutes to answer and resolve, AND the only place where a CAPITAL or non-capital letter would cause a bunch of flame (typo).
and is a process, not a project.
WHMCS sends email when you create services and supports 2FA. We actually just enabled TOTP 2FA option for users. Probably will add Yubikey soonish too.
This is true.
and Call/SMS Based -> SIM cloning exists.
Email -> if your PW leaked, probably your email is compromised too.
etc.
Not the silver bullet people think it is, and can cause issues.
Snail Mailed paper OTP is quite secure tho, and usually easy to see if tampered with in the postal service.
We dropped one supplier/wholesaler from our suppliers because they enforced Microsoft Authenticator 2FA; it just got way too annoying to even log in.
I turn off 2FA wherever I can and especially avoid device based 2FA.
What if my house burns down and all my devices become ashes?
The first thing I need after the house burns down is to renew my Advin chess special and VirmAche $8.88, because priorities.
Thanks for reminding me to renew my Advin non-chess special.
That's what I'm talking about.
I once traveled to another country and accidentally forgot my phone where I had to accept a password to log into Paypal.
When I needed money, I couldn't log into my account. Paypal kept blocking me from logging in because the country I was trying to log in from didn't match the country where I opened the account. They just stupidly blocked me from logging in for accepting SMS to the number I forgot at home. As a result, I was left without money and asked my friends to send me money to borrow for the way back. In the end I was able to log in to my account only after my arrival.
After that I really don't want to do it all again.
I also recently lost an 8 year old account of a domain provider because the mail on which it was registered ceased to exist. And to log in you needed a confirmation.
So really two-factor verification can do more harm than help.
This has limited usefulness but what I normally do when traveling abroad is I always leave my home computer on with remote control access enabled. It has saved my ass perhaps more times than I want to admit.
Don’t blame their security if you don’t have 2fa enabled
Just enabled 2FA after seeing this post. Thanks OP
That's true. It is your fault for not having activated 2FA. But it is also true that Hetzner sucks at the security level. They don't care if you get a bill, because they will make you pay it. So they can say and do anything they want because you'll have to pay anyway. And they will just blame you.
@vivucloud, did you talk to Hetzner yet?
Not always. Mine got hacked, I showed them proof. They still requested me to pay that bill. So, it wasn't their fault for an insecure system. The customer has to pay anyway.
Since then I buy just prepaid services. No hourly bills. Not paid, no service.
Well it was your fault? Their systems aren't insecure, it's not their responsibility that you reused passwords or had your computer compromised.
Cheers. Just renewed my Advin 32GB-RAM VPS.