ColoCrossing Database Breach


Comments

  • @jsg said:

    @skyandy said:

    @Teko said:

    @zed said:

    @zed said: Not even a customer, my point was your confirmation isn't confirming anything, help us out here.

    Fair enough.

    Even if I provided the chat screenshot and proof from the hacker compared to my panel data, you can still say it is fake as I'm nobody.
    So, whether you trust me or not depends on you.

    Those who come to waste our time, don't even try. You're only wasting your own time. Please write on the matter at hand.

    Also, please, ColoCrossing users, write to the tickets in billing with a request to the administration to contact us at the following contacts: [no profit for thugs!]

    And those who want to support us, here are our crypto wallets:
    [no profit for thugs!]
    [no profit for thugs!]
    [no profit for thugs!]

    From my point of view, you and other thug scum like you can - and should - get a bullet to the head, problem solved. Simple as that.

    But there's one single good thing, this heinous crime brings: a severe warning shot at all providers.
    Providers, remember: major parts if not all of your software is based on crappy code in a crappy language. So you'd better at least do anything possible to tighten your ship as best can be done!

    @jbiloh a lot of us, and especially your customers, are waiting for a clear, transparent, and honest statement!

    wait is this biloh guy actually involved in cc or hostpapa? why are demands being made to this guy. excuse me for being ignorant here

    Thanked by 1PineappleM
  • zGatozGato Member

    @unsafetypin said:

    @jsg said:

    @skyandy said:

    @Teko said:

    @zed said:

    @zed said: Not even a customer, my point was your confirmation isn't confirming anything, help us out here.

    Fair enough.

    Even if I provided the chat screenshot and proof from the hacker compared to my panel data, you can still say it is fake as I'm nobody.
    So, whether you trust me or not depends on you.

    Those who come to waste our time, don't even try. You're only wasting your own time. Please write on the matter at hand.

    Also, please, ColoCrossing users, write to the tickets in billing with a request to the administration to contact us at the following contacts: [no profit for thugs!]

    And those who want to support us, here are our crypto wallets:
    [no profit for thugs!]
    [no profit for thugs!]
    [no profit for thugs!]

    From my point of view, you and other thug scum like you can - and should - get a bullet to the head, problem solved. Simple as that.

    But there's one single good thing, this heinous crime brings: a severe warning shot at all providers.
    Providers, remember: major parts if not all of your software is based on crappy code in a crappy language. So you'd better at least do anything possible to tighten your ship as best can be done!

    @jbiloh a lot of us, and especially your customers, are waiting for a clear, transparent, and honest statement!

    wait is this biloh guy actually involved in cc or hostpapa? why are demands being made to this guy. excuse me for being ignorant here

    HostPapa owns ColoCrossing
    https://www.linkedin.com/in/jon-biloh

    Thanked by 2PineappleM nghialele
  • jsgjsg Member, Resident Benchmarker

    @unsafetypin said:

    @jsg said:

    @skyandy said:

    @Teko said:

    @zed said:

    @zed said: Not even a customer, my point was your confirmation isn't confirming anything, help us out here.

    Fair enough.

    Even if I provided the chat screenshot and proof from the hacker compared to my panel data, you can still say it is fake as I'm nobody.
    So, whether you trust me or not depends on you.

    Those who come to waste our time, don't even try. You're only wasting your own time. Please write on the matter at hand.

    Also, please, ColoCrossing users, write to the tickets in billing with a request to the administration to contact us at the following contacts: [no profit for thugs!]

    And those who want to support us, here are our crypto wallets:
    [no profit for thugs!]
    [no profit for thugs!]
    [no profit for thugs!]

    From my point of view, you and other thug scum like you can - and should - get a bullet to the head, problem solved. Simple as that.

    But there's one single good thing, this heinous crime brings: a severe warning shot at all providers.
    Providers, remember: major parts if not all of your software is based on crappy code in a crappy language. So you'd better at least do anything possible to tighten your ship as best can be done!

    @jbiloh a lot of us, and especially your customers, are waiting for a clear, transparent, and honest statement!

    wait is this biloh guy actually involved in cc or hostpapa? why are demands being made to this guy. excuse me for being ignorant here

    As far as I know @jbiloh is at least remotely related to CC ("consultant" or similar). And anyway AFAIK he founded CC, so I guess he does care whether they risk to go belly up ...

    Thanked by 1unsafetypin
  • wadhahwadhah Member, Host Rep

    @unsafetypin said:

    @jsg said:

    @skyandy said:

    @Teko said:

    @zed said:

    @zed said: Not even a customer, my point was your confirmation isn't confirming anything, help us out here.

    Fair enough.

    Even if I provided the chat screenshot and proof from the hacker compared to my panel data, you can still say it is fake as I'm nobody.
    So, whether you trust me or not depends on you.

    Those who come to waste our time, don't even try. You're only wasting your own time. Please write on the matter at hand.

    Also, please, ColoCrossing users, write to the tickets in billing with a request to the administration to contact us at the following contacts: [no profit for thugs!]

    And those who want to support us, here are our crypto wallets:
    [no profit for thugs!]
    [no profit for thugs!]
    [no profit for thugs!]

    From my point of view, you and other thug scum like you can - and should - get a bullet to the head, problem solved. Simple as that.

    But there's one single good thing, this heinous crime brings: a severe warning shot at all providers.
    Providers, remember: major parts if not all of your software is based on crappy code in a crappy language. So you'd better at least do anything possible to tighten your ship as best can be done!

    @jbiloh a lot of us, and especially your customers, are waiting for a clear, transparent, and honest statement!

    wait is this biloh guy actually involved in cc or hostpapa? why are demands being made to this guy. excuse me for being ignorant here

    Yeah ColoCrossing owns LowEndTalk and LowEndBox, @jbiloh is an employee of CC and the admin of LET

  • @jsg said:

    @unsafetypin said:

    @jsg said:

    @skyandy said:

    @Teko said:

    @zed said:

    @zed said: Not even a customer, my point was your confirmation isn't confirming anything, help us out here.

    Fair enough.

    Even if I provided the chat screenshot and proof from the hacker compared to my panel data, you can still say it is fake as I'm nobody.
    So, whether you trust me or not depends on you.

    Those who come to waste our time, don't even try. You're only wasting your own time. Please write on the matter at hand.

    Also, please, ColoCrossing users, write to the tickets in billing with a request to the administration to contact us at the following contacts: [no profit for thugs!]

    And those who want to support us, here are our crypto wallets:
    [no profit for thugs!]
    [no profit for thugs!]
    [no profit for thugs!]

    From my point of view, you and other thug scum like you can - and should - get a bullet to the head, problem solved. Simple as that.

    But there's one single good thing, this heinous crime brings: a severe warning shot at all providers.
    Providers, remember: major parts if not all of your software is based on crappy code in a crappy language. So you'd better at least do anything possible to tighten your ship as best can be done!

    @jbiloh a lot of us, and especially your customers, are waiting for a clear, transparent, and honest statement!

    wait is this biloh guy actually involved in cc or hostpapa? why are demands being made to this guy. excuse me for being ignorant here

    As far as I know @jbiloh is at least remotely related to CC ("consultant" or similar). And anyway AFAIK he founded CC, so I guess he does care whether they risk to go belly up ...

    yeah I knew the part where cc is owned by hostpapa who seems at least partially involved in a few shit shows now

  • @wadhah said:

    @unsafetypin said:

    @jsg said:

    @skyandy said:

    @Teko said:

    @zed said:

    @zed said: Not even a customer, my point was your confirmation isn't confirming anything, help us out here.

    Fair enough.

    Even if I provided the chat screenshot and proof from the hacker compared to my panel data, you can still say it is fake as I'm nobody.
    So, whether you trust me or not depends on you.

    Those who come to waste our time, don't even try. You're only wasting your own time. Please write on the matter at hand.

    Also, please, ColoCrossing users, write to the tickets in billing with a request to the administration to contact us at the following contacts: [no profit for thugs!]

    And those who want to support us, here are our crypto wallets:
    [no profit for thugs!]
    [no profit for thugs!]
    [no profit for thugs!]

    From my point of view, you and other thug scum like you can - and should - get a bullet to the head, problem solved. Simple as that.

    But there's one single good thing, this heinous crime brings: a severe warning shot at all providers.
    Providers, remember: major parts if not all of your software is based on crappy code in a crappy language. So you'd better at least do anything possible to tighten your ship as best can be done!

    @jbiloh a lot of us, and especially your customers, are waiting for a clear, transparent, and honest statement!

    wait is this biloh guy actually involved in cc or hostpapa? why are demands being made to this guy. excuse me for being ignorant here

    Yeah ColoCrossing owns LowEndTalk and LowEndBox, @jbiloh is an employee of CC and the admin of LET

    are you serious...? this is owned by a company? that i didn't know at all. what the fuck?

    Thanked by 1wadhah
  • RubbenRubben Member
    edited May 2025

    @unsafetypin said:

    @jsg said:

    @unsafetypin said:

    @jsg said:

    @skyandy said:

    @Teko said:

    @zed said:

    @zed said: Not even a customer, my point was your confirmation isn't confirming anything, help us out here.

    Fair enough.

    Even if I provided the chat screenshot and proof from the hacker compared to my panel data, you can still say it is fake as I'm nobody.
    So, whether you trust me or not depends on you.

    Those who come to waste our time, don't even try. You're only wasting your own time. Please write on the matter at hand.

    Also, please, ColoCrossing users, write to the tickets in billing with a request to the administration to contact us at the following contacts: [no profit for thugs!]

    And those who want to support us, here are our crypto wallets:
    [no profit for thugs!]
    [no profit for thugs!]
    [no profit for thugs!]

    From my point of view, you and other thug scum like you can - and should - get a bullet to the head, problem solved. Simple as that.

    But there's one single good thing, this heinous crime brings: a severe warning shot at all providers.
    Providers, remember: major parts if not all of your software is based on crappy code in a crappy language. So you'd better at least do anything possible to tighten your ship as best can be done!

    @jbiloh a lot of us, and especially your customers, are waiting for a clear, transparent, and honest statement!

    wait is this biloh guy actually involved in cc or hostpapa? why are demands being made to this guy. excuse me for being ignorant here

    As far as I know @jbiloh is at least remotely related to CC ("consultant" or similar). And anyway AFAIK he founded CC, so I guess he does care whether they risk to go belly up ...

    yeah I knew the part where cc is owned by hostpapa who seems at least partially involved in a few shit shows now

    that is only mildly concerning

  • dustincdustinc Member, Patron Provider, Top Host

    @MaxTakeba said:
    Do we know what the warning was that was sent? How much time was CC given?

    I have a VPS that is under virtualizor but it's not with CC... (That VPS is also going to be decommed this weekend).

    From what I understand (which could explain your situation), three brands under ColoCrossing (HudsonValleyHost, ChicagoVPS, and ColoCrossing Cloud) were using a shared Virtualizor panel. Based on details shared earlier in this thread, between all brands, an aggregate of 10k virtual machines were affected.

    It seems ColoCrossing's primary business itself, including its dedicated server and colocation customer portal (portal.colocrossing.com), as well as its billing and support systems, were not impacted. We aren't seeing any indicators, and operations there are smooth sailing for that separate platform.

    If you're wondering whether your hosting provider uses Virtualizor, you can check by looking at the port in your control panel’s URL. If it uses port :4083, that’s a sign the control panel is running on Virtualizor. If your provider is running on Virtualizor, it might be worth checking in with them to confirm they haven't recently engaged with Virtualizor Support in any manner that would require sharing credentials with their team. This is quite messy in general. Wishing all affected a speedy recovery, and if you haven't, backups are recommended too.

  • has there been any official release statement or are we just totally ignoring this until it doesn't blow over?

  • VoidVoid Member

    @phin said:
    they just published their database. Not posting it here for obv reasons but

    ..but it wouldn’t be too bad if you shared it in dm, for educational purposes?

  • PuDLeZPuDLeZ Member

    @dustinc said:
    It seems ColoCrossing's primary business itself, including its dedicated server and colocation customer portal (portal.colocrossing.com), as well as its billing and support systems, were not impacted. We aren't seeing any indicators, and operations there are smooth sailing for that separate platform.

    Yeah, I got a cheap dedi from CC from their BF sales (needed lots of ram for a short project that was taking place over xmas) and also got a vps just to try them out. I actually used different email addresses between the two since they were different systems and I only got the mail on the VPS one so it seems that it's just their cloud/vps.

    P.S. Happy Racknerd isn't impacted!

  • @dustinc said:

    @MaxTakeba said:
    Do we know what the warning was that was sent? How much time was CC given?

    I have a VPS that is under virtualizor but it's not with CC... (That VPS is also going to be decommed this weekend).

    From what I understand (which could explain your situation), three brands under ColoCrossing (HudsonValleyHost, ChicagoVPS, and ColoCrossing Cloud) were using a shared Virtualizor panel. Based on details shared earlier in this thread, between all brands, an aggregate of 10k virtual machines were affected.

    It seems ColoCrossing's primary business itself, including its dedicated server and colocation customer portal (portal.colocrossing.com), as well as its billing and support systems, were not impacted. We aren't seeing any indicators, and operations there are smooth sailing for that separate platform.

    If you're wondering whether your hosting provider uses Virtualizor, you can check by looking at the port in your control panel’s URL. If it uses port :4083, that’s a sign the control panel is running on Virtualizor. If your provider is running on Virtualizor, it might be worth checking in with them to confirm they haven't recently engaged with Virtualizor Support in any manner that would require sharing credentials with their team. This is quite messy in general. Wishing all affected a speedy recovery, and if you haven't, backups are recommended too.

    wow 10k vm's affected...

  • MumblyMumbly Member

    @gruhpndo said: Why does this always happen to me... I bought a VPS on OVH a couple of weeks before their datacenter burned down a few years ago. I bought a domain on Epik and they got breached a month after that. I buy a VPS on CC literally three days ago and now this... I think I'm cursed...

    Mind putting together a quick list of the companies you're using? Just making sure we're not... spiritually aligned.

  • RubbenRubben Member

    @Mumbly said:

    @gruhpndo said: Why does this always happen to me... I bought a VPS on OVH a couple of weeks before their datacenter burned down a few years ago. I bought a domain on Epik and they got breached a month after that. I buy a VPS on CC literally three days ago and now this... I think I'm cursed...

    Mind putting together a quick list of the companies you're using? Just making sure we're not... spiritually aligned.

    BWAHAHAHAHAHAHA OMFG ok this was funny i wish you a $7/y deal

  • defaultdefault Veteran
    edited May 2025

    If you are reading this and you can still access your data, backup now!

    Backup fast!

    Edit: forgot the popcorn gif...

    Thanked by 3Calin yasci nghialele
  • @default said:

    If you are reading this and you can still access your data, backup now! Backup fast!

    Just got to the end of reading this thread and was going to say exactly this!

    There's no indication the network isn't still compromised, or that the attackers don't intend to sabotage/steal data from the VMs, (in fact all indications suggest they may), so rescue your data and trigger an OS reinstall so they have nothing to steal and blackmail you with

  • wadhahwadhah Member, Host Rep

    @CloudHopper said:

    @default said:

    If you are reading this and you can still access your data, backup now! Backup fast!

    Just got to the end of reading this thread and was going to say exactly this!

    There's no indication the network isn't still compromised, or that the attackers don't intend to sabotage/steal data from the VMs, (in fact all indications suggest they may), so rescue your data and trigger an OS reinstall so they have nothing to steal and blackmail you with

    they will never be able to blackmail me over my love of Sopranos

    Thanked by 1nghialele
  • PuDLeZPuDLeZ Member

    @CloudHopper said:

    @default said:

    If you are reading this and you can still access your data, backup now! Backup fast!

    Just got to the end of reading this thread and was going to say exactly this!

    There's no indication the network isn't still compromised, or that the attackers don't intend to sabotage/steal data from the VMs, (in fact all indications suggest they may), so rescue your data and trigger an OS reinstall so they have nothing to steal and blackmail you with

    yeah, none of the data on my VPS is worthwhile but I did just trigger a wipe. First a reinstall image with a lame password and then a good ol dd zero to vda before shutting it down, I can deal with it after CC comments/etc :)

    Hopefully others are lucky enough to backup their data (really, they should have been already and if not, this is a wake up call for them) and don't need the VPS up.

  • It's Memorial Day long weekend in USA so @jbiloh is probably at the cottage on Lake Michigan, counting his money right now.

    Thanked by 1nghialele
  • Fucking missed 10 pages.

    And how tf CC give Bean Man a b-day gift like this.

  • @oloke said:

    @admax said:
    Fumo dodged a bullet.

    This iz a crime officers!

  • @Rubben said:

    @oloke said:

    @Rubben said:
    im so happy my website is not hosted at cockcrossing

    who are you crossing your cock with again??

    @nghialele

    @nghialele nigalee

    Thanked by 1oloke
  • caracalcaracal Member

    Would anyone (not me, lazy) compile a list of Virtualizor using hosts?

    Thanked by 1nghialele
  • @caracal said:
    Would anyone (not me, lazy) compile a list of Virtualizor using hosts?

    if they don't under virtfusion I don't want them

    Thanked by 1nghialele
  • @sh97 said:

    @Decicus said:

    @zGato said:

    @lirrr said:

    @zGato said:

    If you haven't already (crazy if) please, for the love of god, change your root password. Leak DB contains every single fucking thing. And remove the crap qemu-guest-agent.

    At this point you might as well just wait for official announcement and nuke your vm lol

    did they encrypt the password (account) when storing in db?

    What do you expect from Virtualizor?

    This is just a Virtualizor DB dump, there's literally nothing encrypted from what I can see :joy:

    root passwords for VMs aside, are you telling me Virtualizor doesn't hash control panel login passwords?

    Exactly, not salted or hashed password. Just fucking raw into the DB. Was just telling this to @zGato

  • Dear Customer,

    We’re reaching out to inform you of a recently resolved security matter involving the control panel software used to manage your ColoCloud virtual servers.

    The issue was identified on May 24th and stemmed from a vulnerability in a Single Sign-On (SSO) feature. While this did not impact the ColoCloud billing system (WHMCS) or expose any personal or payment information, the attacker was able to access limited system metadata, email addresses and used our mail server API to send an unauthorized message to ColoCloud customers.

    All ColoCloud infrastructure is fully operational and secure. With support from the software vendor, we have taken all necessary steps to address the vulnerability and harden the environment.

    As a precaution, we recommend:

    Rotating the root password for your virtual server container
    If you reuse your Virtualizor password on other platforms, consider updating those as well
    These recommendations are made out of an abundance of caution. All stored container passwords remain securely encrypted. Additionally, while we have temporarily disabled access to the Virtualizor control panel, customers may still manage and interact with their virtual servers securely via WHMCS.

    We’ve responded quickly and thoroughly to ensure platform security and prevent this from recurring. If you need assistance resetting your passwords, our support team is ready to help.

    Please note: this communication applies only to the ColoCloud cloud/vps platform. It does not involve any part of the ColoCrossing dedicated server or colocation infrastructure, which operates on a separate system.

    Thank you for your continued trust.

    Sincerely,
    The ColoCloud Team

    Thanked by 1caracal
  • LunarLunar Member

    @Xrmaddness said:

    Dear Customer,

    We’re reaching out to inform you of a recently resolved security matter involving the control panel software used to manage your ColoCloud virtual servers.

    The issue was identified on May 24th and stemmed from a vulnerability in a Single Sign-On (SSO) feature. While this did not impact the ColoCloud billing system (WHMCS) or expose any personal or payment information, the attacker was able to access limited system metadata, email addresses and used our mail server API to send an unauthorized message to ColoCloud customers.

    All ColoCloud infrastructure is fully operational and secure. With support from the software vendor, we have taken all necessary steps to address the vulnerability and harden the environment.

    As a precaution, we recommend:

    Rotating the root password for your virtual server container
    If you reuse your Virtualizor password on other platforms, consider updating those as well
    These recommendations are made out of an abundance of caution. All stored container passwords remain securely encrypted. Additionally, while we have temporarily disabled access to the Virtualizor control panel, customers may still manage and interact with their virtual servers securely via WHMCS.

    We’ve responded quickly and thoroughly to ensure platform security and prevent this from recurring. If you need assistance resetting your passwords, our support team is ready to help.

    Please note: this communication applies only to the ColoCloud cloud/vps platform. It does not involve any part of the ColoCrossing dedicated server or colocation infrastructure, which operates on a separate system.

    Thank you for your continued trust.

    Sincerely,
    The ColoCloud Team

    the attacker was able to access limited system metadata, email addresses and used our mail server API to send an unauthorized message to ColoCloud customers.

    This isn't true.

    There is evidence they compromised several VMs in the process (including ours). They also dumped the entire Virtualizor DB and sent it to several people. This wasn't "limited system metadata."

  • caracalcaracal Member

    @Xrmaddness said: All stored container passwords remain securely encrypted

    o_o

    Thanked by 1borkedascii
  • beanman109beanman109 Member, Host Rep, Megathread Squad

    @Lunar said:

    @Xrmaddness said:

    Dear Customer,

    We’re reaching out to inform you of a recently resolved security matter involving the control panel software used to manage your ColoCloud virtual servers.

    The issue was identified on May 24th and stemmed from a vulnerability in a Single Sign-On (SSO) feature. While this did not impact the ColoCloud billing system (WHMCS) or expose any personal or payment information, the attacker was able to access limited system metadata, email addresses and used our mail server API to send an unauthorized message to ColoCloud customers.

    All ColoCloud infrastructure is fully operational and secure. With support from the software vendor, we have taken all necessary steps to address the vulnerability and harden the environment.

    As a precaution, we recommend:

    Rotating the root password for your virtual server container
    If you reuse your Virtualizor password on other platforms, consider updating those as well
    These recommendations are made out of an abundance of caution. All stored container passwords remain securely encrypted. Additionally, while we have temporarily disabled access to the Virtualizor control panel, customers may still manage and interact with their virtual servers securely via WHMCS.

    We’ve responded quickly and thoroughly to ensure platform security and prevent this from recurring. If you need assistance resetting your passwords, our support team is ready to help.

    Please note: this communication applies only to the ColoCloud cloud/vps platform. It does not involve any part of the ColoCrossing dedicated server or colocation infrastructure, which operates on a separate system.

    Thank you for your continued trust.

    Sincerely,
    The ColoCloud Team

    the attacker was able to access limited system metadata, email addresses and used our mail server API to send an unauthorized message to ColoCloud customers.

    This isn't true.

    There is evidence they compromised several VMs in the process (including ours). They also dumped the entire Virtualizor DB and sent it to several people. This wasn't "limited system metadata."

    Of course they'd say some shit like this 6 hours after a breach, damage control whereas they've definitely been able to check that 10.5k VMs were not comped in that 6 hours!

    Thanked by 1geo
  • nghialelenghialele Member
    edited May 2025

    @Xrmaddness said: If you reuse your Virtualizor password on other platforms, consider updating those as well

    Who in the world does this? T_T

    After climbing thru 10 pages, I'll take some bro advice, especially from @zGato for how insane each host a diff key pairs :#

    My data is with crankbis, I'm safe.
