
ColoCrossing Database Breach


Comments

  • chen369chen369 Member

    @gruhpndo said:
    Why does this always happen to me... I bought a VPS on OVH a couple of weeks before their datacenter burned down a few years ago. I bought a domain on Epik and they got breached a month after that. I buy a VPS on CC literally three days ago and now this... I think I'm cursed...

    @MaxTakeba said:
    I have a VPS that is under virtualizor but it's not with CC...

    Is there a way to tell if a VPS is under virtualizor? I have a couple more with other providers and now I'm starting to worry they might also get breached if they use virtualizor...

    Aye, can you tell me the next host you move to? That way I can avoid that host lol

  • I have two VPS servers: one is working fine, and the other is unreachable.

  • NeoonNeoon Community Contributor, Veteran

    @dustinc said:

    @MaxTakeba said:
    Do we know what the warning was that was sent? How much time was CC given?

    I have a VPS that is under virtualizor but it's not with CC... (That VPS is also going to be decommed this weekend).

    From what I understand (which could explain your situation), three brands under ColoCrossing (HudsonValleyHost, ChicagoVPS, and ColoCrossing Cloud) were using a shared Virtualizor panel. Based on details shared earlier in this thread, between all brands, an aggregate of 10k virtual machines were affected.

    It seems ColoCrossing's primary business itself, including its dedicated server and colocation customer portal (portal.colocrossing.com), as well as its billing and support systems, were not impacted. We aren't seeing any indicators, and operations there are smooth sailing for that separate platform.

    If you're wondering whether your hosting provider uses Virtualizor, you can check by looking at the port in your control panel’s URL. If it uses port :4083, that’s a sign the control panel is running on Virtualizor. If your provider is running on Virtualizor, it might be worth checking in with them to confirm they haven't recently engaged with Virtualizor Support in any manner that would require sharing credentials with their team. This is quite messy in general. Wishing all affected a speedy recovery, and if you haven't, backups are recommended too.

    The last time I had a look at Virtualizor,
    permission levels were non-existent.

    Why would someone, in their right mind, use one big fat Virtualizor instance?

    Thanked by 1admax
  • LeviLevi Member

    There is a database dump in the wild. The smokah has the screenshot. The damn passwords were raw!

  • cybertechcybertech Member
    edited May 2025

    @HostSlick better get ready for Virtfuuuuuuuuuuuuuuuuuuuuuuusion

  • @Xrmaddness said:

    Dear Customer,

    The issue was identified on May 24th and stemmed from a vulnerability in a Single Sign-On (SSO) feature. While this did not impact the ColoCloud billing system (WHMCS) or expose any personal or payment information, the attacker was able to access limited system metadata, email addresses and used our mail server API to send an unauthorized message to ColoCloud customers.

    All stored container passwords remain securely encrypted.

    Translation: The control panel we use had really big security holes but we're trying to downplay the breach as much as possible to save face.

    Thanked by 1beanman109
  • MannDudeMannDude Patron Provider, Veteran

    What version of Virtualizor? Was this a Virtualizor exploit or someone just gaining root to the Virtualizor master panel server and dumping the DB?

    Thanked by 2cmeerw tmntwitw
  • Real bad day!

  • $7/y refugee plan when?

  • @NHNHNH000 said:
    same vibe

    IMG_20250522_231208_967.jpg

    Lucky me just put my coffee cup down before I pressed, lmao :D

    Thanked by 1NHNHNH000
  • @cybertech said:
    @HostSlick better get ready for Virtfuuuuuuuuuuuuuuuuuuuuuuusion

    I love Virtfusion as an end-user. Quite convenient.

    Thanked by 1unsafetypin
  • ShakibShakib Member, Patron Provider

    I didn't get the email

  • @Xrmaddness said:

    Dear Customer,

    We’re reaching out to inform you of a recently resolved security matter involving the control panel software used to manage your ColoCloud virtual servers.

    The issue was identified on May 24th and stemmed from a vulnerability in a Single Sign-On (SSO) feature. While this did not impact the ColoCloud billing system (WHMCS) or expose any personal or payment information, the attacker was able to access limited system metadata, email addresses and used our mail server API to send an unauthorized message to ColoCloud customers.

    All ColoCloud infrastructure is fully operational and secure. With support from the software vendor, we have taken all necessary steps to address the vulnerability and harden the environment.

    As a precaution, we recommend:

    • Rotating the root password for your virtual server container
    • If you reuse your Virtualizor password on other platforms, consider updating those as well

    These recommendations are made out of an abundance of caution. All stored container passwords remain securely encrypted. Additionally, while we have temporarily disabled access to the Virtualizor control panel, customers may still manage and interact with their virtual servers securely via WHMCS.

    We’ve responded quickly and thoroughly to ensure platform security and prevent this from recurring. If you need assistance resetting your passwords, our support team is ready to help.

    Please note: this communication applies only to the ColoCloud cloud/vps platform. It does not involve any part of the ColoCrossing dedicated server or colocation infrastructure, which operates on a separate system.

    Thank you for your continued trust.

    Sincerely,
    The ColoCloud Team

    This suggests that either ColoCrossing don't realise how badly they've been breached, or they know how bad it is and they're lying about the impact.

    Neither is a good look... 😬

  • LeviLevi Member

    "Panel is disabled". So, they know that they are screwed. Sugar coating and blatant lying is a tactic to avoid litigation from big customers.

  • _cece_cece Member

    Guess we need a shaming list who use Virtualizor 😆

  • @_cece said:
    Guess we need a shaming list who use Virtualizor 😆

    @yoursunny

  • wadhahwadhah Member, Host Rep
    edited May 2025

    @nghialele said: My data is with crankbis, I'm safe.

    At CrankBis we have only been hacked 8 times and each time we bribed the hackers with one (1) feet picture (unblurred).

    Your data's safety is our priority.

    Let Us Crank Your Bis Today™

  • @cybertech said:

    @_cece said:
    Guess we need a shaming list who use Virtualizor 😆

    @yoursunny

    No other man for this position better than my man @yoursunny

    Thanked by 1oloke
  • @wadhah said:

    @nghialele said: My data is with crankbis, I'm safe.

    At CrankBis we have only been hacked 8 times and each time we bribed the hackers with one (1) feet picture (unblurred).

    Your data's safety is our priority.

    Let Us Crank Your Bis Today™

    add nigalee feedback to the site: "my data is safe"

    Thanked by 1wadhah
  • olokeoloke Member, Host Rep

    @wadhah said:

    @nghialele said: My data is with crankbis, I'm safe.

    At CrankBis we have only been hacked 8 times and each time we bribed the hackers with one (1) feet picture (unblurred).

    Your data's safety is our priority.

    Let Us Crank Your Bis Today™

    That's some professional service. We value commitment for data safety and alignment with (G)DPRK regulations.

    Please send the 1 (one) feet picture (unblurred) to me for verification purposes.
    If that turns out to be true, I'll update your review on our summer hosting guide.

    Best lifeguards,
    guards.re&sisters

  • hazarddavajhazarddavaj Member
    edited May 2025

    We might need to add this incident to this blog post as well.

    What to Learn From History’s Biggest Data Breaches?

    https://www.colocrossing.com/blog/what-to-learn-from-historys-biggest-data-breaches/

  • LeviLevi Member

    @oloke said:

    @wadhah said:

    @nghialele said: My data is with crankbis, I'm safe.

    At CrankBis we have only been hacked 8 times and each time we bribed the hackers with one (1) feet picture (unblurred).

    Your data's safety is our priority.

    Let Us Crank Your Bis Today™

    That's some professional service. We value commitment for data safety and alignment with (G)DPRK regulations.

    Please send the 1 (one) feet picture (unblurred) to me for verification purposes.
    If that turns out to be true, I'll update your review on our summer hosting guide.

    Best lifeguards,
    guards.re&sisters

    They are a USA corp, which has no legal body in Europe. They do not care for GDPR.

    Reguarded reguards.

  • @Levi said:

    @oloke said:

    @wadhah said:

    @nghialele said: My data is with crankbis, I'm safe.

    At CrankBis we have only been hacked 8 times and each time we bribed the hackers with one (1) feet picture (unblurred).

    Your data's safety is our priority.

    Let Us Crank Your Bis Today™

    That's some professional service. We value commitment for data safety and alignment with (G)DPRK regulations.

    Please send the 1 (one) feet picture (unblurred) to me for verification purposes.
    If that turns out to be true, I'll update your review on our summer hosting guide.

    Best lifeguards,
    guards.re&sisters

    They are a USA corp, which has no legal body in Europe. They do not care for GDPR.

    They have EU customers so the GDPR applies to them whether they like it or not. They also have an EU location so there's potential for immediate enforcement action if an affected European customer makes a complaint to their local data protection authority.

  • toftof Member

    shocking

    Thanked by 1nghialele
  • defaultdefault Veteran
    edited May 2025

    @cybertech said:

    @_cece said:
    Guess we need a shaming list who use Virtualizor 😆

    @yoursunny

    Such a list would be very hard to make, because it would mean having services with all providers around here.

    So far I've got:

    1. GeorgeDatacenter - @georgedatacenter - uses Virtualizor, in January 2025 many VPS services were migrated from VMWare to Virtualizor.
    2. Chunkserve - @Chunkserve - uses Virtualizor but web panel is not opening.
  • LeviLevi Member

    @MS said: VirtFusion rn

    Until it gets targeted and cracked :D

    To keep on point, Virtualizor is an India-based company. This alone is an insane red flag. Their software:

    • Softaculous
    • SitePad
    • Webuzo
    • wpCentral
    • PopularFX
    • AMPPS
    • Repositery
    • Deskuss

    And their mission:

    "Our Mission is, 'To help users choose the best web software through ratings, reviews and user experiences given by users around the world and installing web software with great ease.'"

    Here is a nice about page with AI-generated crap (?). https://www.softaculous.com/about/

  • ChunkserveChunkserve Member, Patron Provider

    @default said:

    @cybertech said:

    @_cece said:
    Guess we need a shaming list who use Virtualizor 😆

    @yoursunny

    Such a list would be very hard to make, because it would mean having services with all providers around here.

    So far I've got:

    1. GeorgeDatacenter - @georgedatacenter - uses Virtualizor, in January 2025 many VPS services were migrated from VMWare to Virtualizor.
    2. Chunkserve - @Chunkserve - uses Virtualizor but web panel is not opening.

    Hey!
    Thank you for the mention. We temporarily disabled the Virtualizor panel to confirm a couple of things with support. We received the following information: "If the server API key and password are leaked, a person can use the SSO link to access the server. This is not a vulnerability in Virtualizor—it is a human error, not a flaw in the software. The issue is not from Virtualizor's end."

    However, we're not fully trusting it. Today, I scheduled a meeting with our team to start planning & developing our own solution that will fully replace WHMCS and Virtualizor in the future. We also rerolled API keys, passwords and tokens for the Virtualizor API & admin access. Every administrator has 2FA enforced and there is an IP ACL for both Admin & API access. We're also pruning the tasks table.

  • rustelekomrustelekom Member, Patron Provider

    I'm interested whether the security hole in Virtualizor was caused by an internal bug or is the result of a wrong system setup. In the first case, it should be read as an alert to all providers who use Virtualizor, as the number of affected providers is large enough.

    Thanked by 2MannDude tmntwitw