ChicagoVPS database leaked? ChicagoVPS customers - change your root passwords immediately!


Comments

  • .... off topic > Anyone else's CVPS server in Chicago just drop out? Both of mine did.

  • @Damian said: These same people probably condone rape, because, well, rape is already happening, so why work to stop it? Fucking ridiculous.

    Are you really this stupid? Please don't answer that.

  • @DeanClinton said: Yes, about two weeks ago.

    what for?

  • @DeanClinton said: .... off topic > Anyone else's CVPS server in Chicago just drop out? Both of mine did.

    Mine is dead. Going to rebuild it anyways. Suggest other people do as well as they may have already been fully compromised.

  • And are we sure he is using the original Skype client?

  • @Soylent said: What really bugs me is that Kevin doesn't even touch on how they blamed their users for the password reset by claiming they have easy to guess passwords. Maybe the passwords weren't so easy to guess before there was a dump of the hashes floating around the internet?

    A company that's willing to lie about my data being breached is willing to lie about anything. The way you handle a situation like this can make you or break you, and I think this will do irreparable harm to CVPS's already-shitty reputation.

    Where is the 'Thanks'-button when you need it?! This ^!

    Even if what they wrote was true (that their users did have bad passwords), then still this would be a concern since that would indicate they would know their users' passwords.

    I'm getting popcorn.

  • Also I don't think we should be pointing fingers at ALL. Though I will state knowing that my password is fully unhashed for my servers is a much better knowledge than trying to guess what info is fully out there.

  • @Corey said: what for?

    @KernelSanders said: Pubcrawler + ColoCrossing + Chris + Topic involving all 3 parties == banned

  • @mpkossen said: I'm getting popcorn.

    image

  • @mpkossen You don't know, you assume, you assume people use insecure passwords.

    Yes I know I said the word assume. Assume and be safe, or don't and be sorry is how I look at it.

  • Soylent Member
    edited February 2013

    @24khost said: @mpkossen You don't know, you assume, you assume people use insecure passwords.

    Yes I know I said the word assume. Assume and be safe, or don't and be sorry is how I look at it.

    But the only reason that it matters is that they were hacked and their DB got leaked. It'd be like if you ran an alarm company, and your master list of addresses and codes got compromised, and your only response was to tell your customers: "We understand a lot of you are really shitty at coming up with codes, so we're resetting them to give you another chance."

    It's intellectually dishonest. Whether it's intentional or not, it makes it look like you're trying to cover up what happened. Perception is everything, and good luck shaking the perception that your company is dishonest.

  • DomainBop Member
    edited February 2013

    @GetKVM_Ash said: At least we can verify whether CVPS are as big as Chris likes to claim they are :P

    @Damian I feel that most of the "I want the database!" probably stems from this. So....
    @CVPS_Kevin I also find it very discouraging that all the people asking for the DB here are providers, and likely have malicious intents with it,

    big +1's for Damian and Kevin

    ... and a big -1 for GetKVM for showing a complete lack of regard for the privacy of CVPS's customers by requesting the database which contains their info, which is really ironic since in the "new LEB rules - no private WHOIS" thread GetKVM whined that it would be an invasion of his privacy to divulge any info that would verify his business identity.

    @Jack No but doesn't this look kinda legit

    Looks legit, and maybe it's just a coincidence, but didn't the DDoS attacks on UK providers start soon after that US company entered the UK market?

  • Well there should have been an email that described how to create a good password.
    And settings in place within their install of Solus to make them use tougher passwords.

  • @DeanClinton said: @Corey said: what for?

    @KernelSanders said: Pubcrawler + ColoCrossing + Chris + Topic involving all 3 parties == banned

    Didn't see that, so pubcrawler is gone now too?

  • Nick_A Member, Top Host, Host Rep

    GetKVM is a she IIRC.

  • @24khost said: Well there should have been an email that described how to create a good password.

    And settings in place within their install of Solus to make them use tougher passwords.

    And maybe, I don't know, some mention of the fact that they were hacked, and that you should maybe change your password in other places, and that you might be getting bombarded with spam email shortly because we're a bunch of idiots who can't secure our system...

    This is a much bigger problem than whether or not you have a strong password.

    Seriously, the level of ignorance coming from a lot of HOSTS in this thread is fucking scary.

  • @24khost said: @mpkossen You don't know, you assume, you assume people use insecure passwords.

    From the original e-mail:

    As we've recently noticed an increase in customers utilizing easy to guess passwords, we are requiring all VPS control panel passwords to be reset as a precaution to protect your VPS container and its contents.

    The way I read it, they know (if this scenario were true) and not assume. Otherwise, how could they tell their users' passwords are weak? There's no assumption between a plain-text password and a weak encrypted one.

  • Just a note to all the people who are affected and use the same passwords for all of your accounts like email/instant messengers/other things. You might want to change those too. Because when things like this happen it's a prime example of when to not use the same password everywhere.

  • zhuanyi Member
    edited February 2013

    @Radi said: @zhuanyi I am too a customer and NOT a scammer!

    Then you should learn how to respect other customers' privacy just like they respect yours.

    I think it is fair, if you are a customer, to request the portion of your own data to see how much was leaked, but requesting the whole dump? I don't think so...

  • @Soylent said: Seriously, the level of ignorance coming from a lot of HOSTS in this thread is fucking scary.

    There's a fair bit I've seen in this thread that I don't like...

  • Ash_Hawkridge Member
    edited February 2013

    @DomainBop said: ... and a big -1 for GetKVM for showing a complete lack of regard for the privacy of CVPS's customers by requesting the database which contains their info, which is really ironic since in the "new LEB rules - no private WHOIS" thread GetKVM whined that it would be an invasion of his privacy to divulge any info that would verify his business identity.

    Where did I request to see the DB?.. Oh that's right, I didn't.

    I made a joke about verifying how big they were, everyone knows me and Chris aren't exactly best friends. Get your facts right before trying to make me/GetKVM look bad.

  • mikho Member, Host Rep

    @Corey 2 week ban by chief

  • @mpkossen Ever asked somebody to help you with something? So the host asks for your password for the account and logs in. I am sure most of us who host have seen these passwords that are not secure.

  • I like the careful wording:
    Hello Everyone,

    I just wanted to give a quick update, since a lot of you are looking for one and had a few questions.

    First off, I want to start out by saying thank you to all of you that have been calm during this event and understand that sometimes things do happen.
    In no way, has WHMCS been affected from this, so no customer personal information such as credit cards, emails, etc. has been stolen. ChicagoVPS will also be implementing a regular backup service for all OpenVZ products. We will start out in Chicago and work to Buffalo, then to LA.

    We want to assure you that we are doing everything we can to make sure nothing like this can happen again, and that you can still rely on us for your hosting needs.

    If you have any additional questions, please feel free to open up a support ticket.

    Thank you all again for your business.

    Regards,

    Chris Fabozzi
    Director of Operations
    ChicagoVPS

  • mikho Member, Host Rep

    @mpkossen
    Perhaps they got to see parts of the leaked db as "proof" that it was leaked and from those reversed passwords decided to send out the email?

  • mpkossen Member
    edited February 2013

    @24khost said: @mpkossen Ever asked somebody to help you with something? So the host asks for your password for the account and logs in. I am sure most of us who host have seen these passwords that are not secure.

    I haven't given my password to people for the past couple of years. I do get your point, though, but it's thin. You could even argue that most users that need the kind of help that requires a root password are the ones that have a weak root password. Or that they change it to something weak just for the ticket (this is one tactic I would use). In any case, it would really surprise me if that were the way anybody would draw conclusions about their users' passwords.

    Perhaps they got to see parts of the leaked db as "proof" that it was leaked and from those reversed passwords decided to send out the email?

    Could be, in which case they would have a point :) Seeing what people are saying over here, though, I doubt that's the case.

    Quick, quick, somebody post the 'dis gonna be good' image :D

  • @Soylent Not being ignorant. There are several steps that should have happened, that didn't.

    I explained in my last post how we can tell easy passwords are being used.

    It is not just CVPS, it is software that doesn't allow !*?%#$ in the passwords and such.
    It is people's lack of being able to remember secure passwords.
    It is use of the same password everywhere.
    It is a problem if this was the fault of a former employee, now the employer is left holding the bag.
    It is the employer's fault for giving the employee that much access without a contract that allows them to sue him.

  • So in the real world where people actually run legitimate companies, here's the email I want:


    (Salutation), $_MyCompany Customer

    It has recently come to our attention that on (date) some of our internal systems were compromised. Owing to this alarming development, we have instituted an immediate password reset across our affected systems. Customer emails were affected by the leak, and so we advise you to change your passwords if you use the same password with other services.

    You can change your password by (blah).

    (Insert disclosure here of whether or not billing systems were impacted.)

    All of us at $_MyCompany are embarrassed and concerned about this ordeal, and we've begun an immediate review of our security policies. These events are an unfortunate part of doing business online, and we appreciate your patience as we work to ensure that this doesn't happen again. At the same time, it's important for us to be up front and honest with our customers, because we take the privacy of your data very seriously.

    If you have any questions or concerns, feel free to contact us (contact information here).

    J.R. "Bob" Dobbs
    President and CEO
    $_MyCompany


    People will still be pissed at you, and they should be, but at least you'll come off like you actually give a shit, and aren't just spinning a bunch of bullshit to cover your ass.

  • @mpkossen you haven't done that for a long time. But what about noobs? They do it all the time.

  • @Soylent Mind if I hire you when I need some public ass kissing done?
    Beautiful letter! You may be called upon at some time to do some writing for me as that was very well written in my personal opinion.

This discussion has been closed.