Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Softaculous Data Breach
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Softaculous Data Breach

Just got this email:

Internal Infrastructure Security Breach
Salutations,

We are writing this email to inform you about a security breach in our infrastructure.

- We have detected an unauthorised access to some of our mirror servers.

- We have taken immediate steps to move and secure our infrastructure, isolate and protect customer data and engage with third party experts. While doing so customers had experienced some downtime from our websites and servers.

- None of our customers servers are impacted in this incident. Our server software products Softaculous, Virtualizor and Webuzo v3 are audited regularly by 3rd party auditors and security experts with each new version launched. We have also initiated an additional audit of all our software.

- These servers hosted the customers name, address, license information and hashed passwords of customer accounts who license our software (with individual salts per user for encryption). No credit card information was stored on these servers.

- We store the account's password in an encrypted format with a unique salt per user which would be infeasible for anyone to derive your original password from. Hashed passwords are secure, but we recommend you change your account's password and will be setting an expiry on existing passwords. When you reset your password, please use a strong and unique password.

- As an added precautionary measure we recommend customers take immediate action on their own infrastructure and reset any credentials or authentication details that have been shared with our support team while our security team and third party experts continue to assess the nature of this issue.

- API keys of NOC users (if any) which are used to purchase/renew/cancel licenses will be restricted to be accessed by 1 IP only and will expire on 15th August 2022 to avoid any possible license manipulation. You can login to your NOC account and generate new API keys to continue using the NOC API using API Key based authentication.

- We have taken several steps to improve the security of our infrastructure and our customer base at large.

- We apologize and reassure you that security of our software and infrastructure and our customers data is very important and will continue to be a priority for everyone at our company.

If you have concerns, you are welcome to get in touch with us at [email protected]

Sincerely,
The Softaculous Team 

Ruh roh!

Thanked by 1mrTom

Comments

  • MannDudeMannDude Host Rep, Veteran

    Figured they've known for at least a week now.

    Helpdesk access stopped around that time, no password resets worked and wasn't receiving email from their end.

  • @MannDude said: at least a week now.

    Doesn't that break laws in some jurisdictions, with regards to how quickly you need to report data breaches? 🤔

  • MannDudeMannDude Host Rep, Veteran

    No idea. It's also possible it was just a suspicion on their end and that they locked things down at that time, but didn't discover until later.

  • XorXor Member

    @Daniel15 For GDPR purposes data breaches should be reported no later than 72hrs after the company becomes aware of it

  • @Xor said:
    @Daniel15 For GDPR purposes data breaches should be reported no later than 72hrs after the company becomes aware of it

    Could they say that they didn't aware of it?

  • Daniel15Daniel15 Veteran
    edited August 2022

    @Xor said:
    @Daniel15 For GDPR purposes data breaches should be reported no later than 72hrs after the company becomes aware of it

    That's what I was thinking of. It's the same in California with CCPA, which is California's version of GDPR.

  • hostdarehostdare Member, Patron Provider

    Yes really , we should submit these to all countries and states/counties govt , seems feasible to me .

  • Daniel15Daniel15 Veteran
    edited August 2022

    @hostdare said:
    Yes really , we should submit these to all countries and states/counties govt , seems feasible to me .

    As a provider, you should know that if you have customers in a region, you need to comply with laws that apply to customers in that region, regardless of business location. If a company doesn't want to comply with laws in the EU (like GDPR) then the only other choice is to block customers in the EU from ordering. Fines for breaking GDPR are quite steep.

    Thanked by 1mrTom
  • vyas11vyas11 Member
    edited August 2022

    @Daniel15 said:

    @hostdare said:
    Yes really , we should submit these to all countries and states/counties govt , seems feasible to me .

    As a provider, you should know that if you do business in a region, you need to comply with laws that apply to customers in that region, as these laws are based on customer location, not business location. If a company doesn't want to comply with laws in the EU (like GDPR) then the only other choice is to block customers in the EU from ordering.

    Does not work in every jurisdiction that way. Sometimes, having customers alone is not sufficient. Having a physical presence/legal entity requires compliance though. Suffice to say many of the (often called) FAANGS are opposing precisely what you alluded to.

    P.s does GDPR or CCPA apply for B2B companies?

    Thanked by 1hostdare
  • @Daniel15 said: As a provider, you should know that if you do business in a region, you need to comply with laws that apply to customers in that region. If a company doesn't want to comply with laws in the EU (like GDPR) then the only other choice is to block customers in the EU from ordering.

    - These servers hosted the customers name, address, license information and hashed passwords of customer accounts who license our software (with individual salts per user for encryption). No credit card information was stored on these servers.

    This is exactly what they did, as it seems.
    They are selling to hosting providers, not to end customers directly, so all the data in the breach should belong to the hosters, i.e. licenses etc and not the full list of users of a given provider.

    Thanked by 1Daniel15
  • hostdarehostdare Member, Patron Provider
    edited August 2022

    @Daniel15 said: block customers in the EU from ordering. Fines for breaking GDPR are quite steep.

    Effectively like no free internet or business , seems so socialist to me . They cannot enforce fines in another country . Courts in home countries will make it null . Having a physical presence will make difference though where they can take capture all company resources of that branch .
    These rules are made to tax the big companies who are expert in tax evasions like apple,google,etc

    lets back to topic .. how did the breach happen ? if any software issue , then we need to update

  • Daniel15Daniel15 Veteran
    edited August 2022

    @vyas11 said: Does not work in every jurisdiction that way. Sometimes, having customers alone is not sufficient. Having a physical presence/legal entity requires compliance though

    If you do business with any customers in the EU, you're supposed to comply with GDPR and have an agent in the EU, even if your business is not in the EU, and even if most customers are not in the EU. The law is very clear about this. The purpose of the law is to protect EU residents, so it wouldn't be as effective if companies could simply move out of the EU to avoid it.

    @vyas11 said: P.s does GDPR or CCPA apply for B2B companies?

    Yes, it applies to anyone performing business with any "entities" located in the EU.

    @vyas11 said: FAANGS are opposing precisely what you alluded to.

    Not sure about the others, but Facebook, and parts of Google, are GDPR compliant.

    Thanked by 1Xor
  • @hostdare said: ets back to topic .. how did the breach happen

    I'd guess they gained access to Softaculous servers by gaining access to an employee's account that had a weak password, and pivoting from there (eg finding an internal Virtualizor server using the same password). People tend to be the cause of a lot of breaches :)

  • LeviLevi Member

    @Daniel15 said: Doesn't that break laws in some jurisdictions

    From their contacts: Maharashtra, India. It is highly unlikely that GDPR would apply there or if apply - process as should be.

  • BingoBongoBingoBongo Member
    edited August 2022

    @Daniel15 said:

    @vyas11 said: Does not work in every jurisdiction that way. Sometimes, having customers alone is not sufficient. Having a physical presence/legal entity requires compliance though

    If you do business with any customers in the EU, you're supposed to comply with GDPR and have an agent in the EU, even if your business is not in the EU, and even if most customers are not in the EU. The law is very clear about this. The purpose of the law is to protect EU residents, so it wouldn't be as effective if companies could simply move out of the EU to avoid it.

    @vyas11 said: P.s does GDPR or CCPA apply for B2B companies?

    Yes, it applies to anyone performing business with any "entities" located in the EU.

    @vyas11 said: FAANGS are opposing precisely what you alluded to.

    Not sure about the others, but Facebook, and parts of Google, are GDPR compliant.

    Europe != world
    World != Europe

    Your information are correct.
    But

    They must need a good doctor to cure their colonial hangover

    @LTniger said:

    @Daniel15 said: Doesn't that break laws in some jurisdictions

    From their contacts: Maharashtra, India. It is highly unlikely that GDPR would apply there or if apply - process as should be.

    They already moved their headquarter to UAE now they only have support office in Maharashtra India

    Thanked by 1hostdare
  • vyas11vyas11 Member
    edited August 2022

    @Daniel15 said:

    @vyas11 said: Does not work in every jurisdiction that way. Sometimes, having customers alone is not sufficient. Having a physical presence/legal entity requires compliance though

    If you do business with any customers in the EU, you're supposed to comply with GDPR and have an agent in the EU, even if your business is not in the EU, and even if most customers are not in the EU. The law is very clear about this. The purpose of the law is to protect EU residents, so it wouldn't be as effective if companies could simply move out of the EU to avoid it.

    @vyas11 said: P.s does GDPR or CCPA apply for B2B companies?

    Yes, it applies to anyone performing business with any "entities" located in the EU.

    @vyas11 said: FAANGS are opposing precisely what you alluded to.

    Not sure about the others, but Facebook, and parts of Google, are GDPR compliant.

    Second part- interesting. Business as an "Entity" - in that case first also to be factored in as you put it.

    Third- Probably we will veer off topic, so I will leave it as is.

    @LTniger said:

    @Daniel15 said: Doesn't that break laws in some jurisdictions

    From their contacts: Maharashtra, India. It is highly unlikely that GDPR would apply there or if apply - process as should be.

    Who are their investors?.
    Edit: From their site (and ROC): Funding Raised: Nil, Completely Bootstrapped

  • luckypenguinluckypenguin Member
    edited August 2022

    @vyas11 said: Who are their investors?

    They are just a bunch of Indian guys who are making panels and automated install scripts.
    Not exactly a Fortune 500 company that needs investors, board of directors, etc :)

    Thanked by 1hostdare
  • HxxxHxxx Member

    HERE COMES THE GDPR PEOPLE...
    There is always ... one ...

    Thanked by 2hostdare BingoBongo
  • ArkasArkas Moderator

    @Hxxx said: HERE COMES THE GDPR PEOPLE...

  • @Arkas said:

    @Hxxx said: HERE COMES THE GDPR PEOPLE...

    Looks like @ehab is back from vacation.

    Thanked by 1ehab
  • serv_eeserv_ee Member
    edited August 2022

    Russian providers on GDPR

  • @Daniel15 said: If you do business with any customers in the EU, you're supposed to comply with GDPR and have an agent in the EU, even if your business is not in the EU, and even if most customers are not in the EU. The law is very clear about this.

    EU law is very clear about this. It's (un)fortunate that you're only subject to EU law in the EU.

    Part of me wants to go in to politics so I can get a law passed that every time an EU citizen falls afoul of DMCA a minister of parliament chosen at random gets stripped naked, painted red/white/blue, and then slapped with a three day old octopus. See how they like being subject to other jurisdictionary laws.

    Thanked by 1hostdare
  • The way I see it GDPR is a EU law, it's the same as laws in other countries, outside of the country jurisdiction it totally un-enforceable.

    The only way a non EU company could get in trouble GDPR wise if the company has any entities or directors in a EU member states.

  • hostdarehostdare Member, Patron Provider
    edited August 2022

    @skorous said: random gets stripped naked, painted red/white/blue, and then slapped with a three day old octopus

    exactly so most hosts doing dmca free seedboxes located in europe, so all hosts outside europe is gdpr free .GDPR is to tax big corporations , I do not think they care or can enforce outside EU for tiny companies .

    here we do offtopic again ...

  • ehabehab Member

    @vyas11 said:
    Looks like @ehab is back from vacation.

    i know you missed me so much.

    Thanked by 2vyas11 skorous
Sign In or Register to comment.