

HostUS: Critical WHMCS Data Breach

Just got the mail.

We regret to inform you about a security breach that has happened with our WHMCS client billing system (my.hostus.us) caused by a recent security vulnerability identified in our WHMCS theme Lagom Client Theme, which has led to unauthorised access to our WHMCS database by a hacker. We must acknowledge the possibility that the data accessed during this breach could potentially be misused. We cannot guarantee with absolute certainty that the data that was accessed will remain secure. Therefore, we urge you to implement all necessary precautions to protect your account, services and systems.

If your service (VPS, Shared hosting etc) account password was not changed from the original password that the service was set up with, please change it immediately. Please also change your HostUS Customer account password via my.hostus.us. We sincerely apologise for any inconvenience this may have caused. Please understand that we are doing everything within our power to assist and support you during this time.

We are currently producing a full transparency report to provide to our customers. It's with great sadness that this has happened. It's with great sadness that I send you this email; please be assured we are doing everything in our power with this situation.

If you have any questions or queries, please contact me directly at [email protected]. We will also be emailing further updates and full timeline and transparency.

Kind Regards,
Alexander
HostUS

Comments

  • :'( sad

  • Next please

  • Wait, HostUS is still a thing?

  • AlexanderM Member, Top Host, Host Rep

    @Gravely said:
    Wait, HostUS is still a thing?

    I haven't been active on LET for a long time, but I have been lurking more on LET recently. We are a very active company outside of LET. You will be seeing a lot more of me around here again.

    I can confirm the email @noisycode has posted is real, unfortunately.

    Alex

    Thanked by 2: Ganonk, titus
  • @AlexanderM said: You will be seeing a lot more of me around here again.

    Please pay $200 to pass go.

    All jokes aside, great to see you back here again!

    Thanked by 1: AlexanderM
  • noisycode Member
    edited February 17

    @Gravely said:
    Wait, HostUS is still a thing?

    Of course, quite well, in fact.

    @AlexanderM said:

    @Gravely said:
    Wait, HostUS is still a thing?

    I haven't been active on LET for a long time, but I have been lurking more on LET recently. We are a very active company outside of LET. You will be seeing a lot more of me around here again.

    I can confirm the email @noisycode has posted is real, unfortunately.

    Alex

    Great to see you again in the community.

    Thanked by 1: AlexanderM
  • WHMCS is good for popcorn manufacturers.

  • TGT Member
    edited February 17

    I mean shit can happen to anyone tbh. It's a revolving door saying in front of hackers on a day to day. Love the transparency though.

  • r3k Member

    @Gravely said:
    Wait, HostUS is still a thing?

    My 2020 LEB promo openvz vps is still going strong with impressive uptime.

    Thanked by 1: AlexanderM
  • another one bites the dust

  • Andreix Member, Host Rep
    edited February 17

    I understand the concept of closed source, but imho, there should be a law that obliges you to support all expenses if a data breach occurs due to poor code that the end user can't have any control over.

    The ioncube shit is a bad approach anyway… the files can be easily decoded with the free loader from the official website by a more techy person and then exploit any flaw of the code on potential thousands sites that use the suite…

    But I am 100% convinced that you can sue the developer for negligence.

  • Lex Member

    It's not like Lagom didn't patch this and release a patch for it a month or so ago...

    Thanked by 2: xvps, OhJohn
  • xvps Member

    @Lex said:
    It's not like Lagom didn't patch this and release a patch for it a month or so ago...

    Why pay for updates when you can blame WHMCS and RS Studio (Lagom) when you get hacked.

  • Lex Member
    edited February 17

    @xvps said:
    Why pay for updates when you can blame WHMCS and RS Studio (Lagom) when you get hacked.

    I think they released the patch for everyone, ex and current subscribers, but I'm not 100% sure on that though.

  • tentor Member, Patron Provider

    @Andreix said:
    I understand the concept of closed source, but imho, there should be a law that obliges you to support all expenses if a data breach occurs due to poor code that the end user can't have any control over.

    I don't think it is something feasible and possible to implement. Do you have any idea how one can prove that it is the developer's fault and not a misconfiguration by the client? Furthermore, there may be a disclaimer of liability within the user agreement rendering the user responsible for security incidents (and this is how it is currently). If one requires any strong security warranty, it costs extra $$$ and is agreed individually.

    Personally I think it will be faster and cheaper to implement your own solution from scratch which fits your business exactly and has a high level of security. However, this requires highly skilled developers and, due to the security focus, product development will take significantly longer.

    The ioncube shit is a bad approach anyway… the files can be easily decoded with the free loader from the official website by a more techy person and then exploit any flaw of the code on potential thousands sites that use the suite…

    Exactly, security through obscurity sucks.

    But I am 100% convinced that you can sue the developer for negligence.

    Depends on laws, agreement(s) you've signed etc.

    Thanked by 1: Andreix
  • Advin Member, Patron Provider
    edited February 17

    @Lex said:
    It's not like Lagom didn't patch this and release a patch for it a month or so ago...

    The vulnerability was known by an attacker for over 1 month before Lagom actually patched it.

    Thanked by 1: Lex
  • @AlexanderM said:
    I haven't been active on LET for a long time, but I have been lurking more on LET recently. We are a very active company outside of LET. You will be seeing a lot more of me around here again.

    You're back! I was just looking for a 2GB KVM in SG and the offer in your sig has expired.

  • AlexanderM Member, Top Host, Host Rep

    @TGT said:
    I mean shit can happen to anyone tbh. It's a revolving door saying in front of hackers on a day to day. Love the transparency though.

    I have operated HostUS for over 10 years and this is our first incident of the sort, when hacking attempts are a daily battle. Unfortunately, this has happened, but I do believe transparency is important regarding this and our communication.

    @r3k said:

    @Gravely said:
    Wait, HostUS is still a thing?

    My 2020 LEB promo openvz vps is still going strong with impressive uptime.

    Glad you are happy with your service and uptime. Thanks for your business!

    @Lex said:
    It's not like Lagom didn't patch this and release a patch for it a month or so ago...

    The patch was released on the 27th (of January) and we patched this on the 29th (of January).

    @wwabbit said:

    @AlexanderM said:
    I haven't been active on LET for a long time, but I have been lurking more on LET recently. We are a very active company outside of LET. You will be seeing a lot more of me around here again.

    You're back! I was just looking for a 2GB KVM in SG and the offer in your sig has expired.

    Hey! Yes I am back and here to stay! I had a look and I think this is our best offer at the moment - https://my.hostus.us/store/special-offers/2gb-asia-pacific-kvm

    We are preparing offers and will soon be posting our first offer on LET in many years. Unfortunately this happening has delayed that, but we will have good new offers next month.

    Alexander

  • Is it possible that contact details and phone numbers leaked?

    I got spam or phishing messages by WhatsApp from South Africa.

  • @optisoft said:
    Is it possible that contact details and phone numbers leaked?

    I got spam or phishing messages by WhatsApp from South Africa.

    Yes. 100% possible (and likely), assuming it's the phone number you registered on HostUS with.

    In terms of customer details: Name, address (incl. city, state, country), email address & phone number at the very least.

    There are other details too, but if the whole database is dumped, then the list of details is very long.

  • @r3k said:

    @Gravely said:
    Wait, HostUS is still a thing?

    My 2020 LEB promo openvz vps is still going strong with impressive uptime.

    Mine's from 2015 and can't remember any downtime or issue either, but it is woefully underutilised [by me] these days. Great service, sorry to hear about the issue.

  • And this is why I use a PO box and VOIP number for website registrations.

    Occasionally will trigger some anti-fraud heuristics, but generally a good idea.

    Anyway, glad vuln is patched now.

  • @Decicus said:

    @optisoft said:
    Is it possible that contact details and phone numbers leaked?

    I got spam or phishing messages by WhatsApp from South Africa.

    Yes. 100% possible (and likely), assuming it's the phone number you registered on HostUS with.

    In terms of customer details: Name, address (incl. city, state, country), email address & phone number at the very least.

    There are other details too, but if the whole database is dumped, then the list of details is very long.

    Yeah, it's the number that I registered :/

  • titus Member
    edited February 19

    This incident doesn't sound good :/

    but.. I have two 'small' old promo OpenVZ based VPS from HostUS since 2014, and I love them. Rock solid and reliable services.. I would like to keep them as long as I can. :) Welcome back, @AlexanderM

  • h2o Member

    I have used HostUS before, and it's so stable that it has not been restarted for a few years. I even think their hosts never need maintenance. So I'm not surprised that they haven't patched the system.😅

  • Void Member

    Now their customers are screaming “host us, host us” to other providers
