New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Comments
What you say makes sense when we're used to sharing the same server, each with their own virtual machine. We're also used to having multiple applications sharing the same resources.
Umm, you might want to look into some better walls if you think a wall has 5 breaks in the middle.
(That's not even close to a wall of text and looks silly. Just stick with calling him annoying, it's a valid complaint, no need to add nonsense to your comment).
lol I forgot about this thread again, thanks @default
Uninstall sshd, which method then for managing the instances?
Mind control, prayer?
We need mind control.
We agree
telnet, rsh, rlogin
We could need some testimonies from people who got hacked.
so we still pretending this didn't happen or what? Yeesh.
yes, minor data loss, all good now
https://lowendtalk.com/discussion/comment/4448589#Comment_4448589
Ahem'
Wow it's been an actual month, crazy.
A full month of sales emails in a volume never seen before - But no email to clients to explain the data leak.
It's all grand. You may buy safely because they still have their provider tag around here.
Well, well, well. Too quiet here, so we will show one more thing about Softaculous
https://imgur.com/Q8KS5bc
Seems the Softaculous admin team has access to your servers without passwords
The context of his post was security.
We’ve read the recent discussions here and across other platforms, and we appreciate the candid feedback. Transparency, accountability, and continuous improvement are core values in how we serve our customers, and we want to directly address the concerns raised about ColoCloud.
On the Recent Security Incident
We recently experienced a security incident that affected a portion of ColoCloud, our VPS division. To be precise, and to eliminate any potential confusion, this event impacted only the ColoCloud platform. Here's a summary of what occurred and the steps we’ve taken since:
What Happened
Information Potentially Involved
The attacker accessed our hypervisor panel database, which contained:
No billing data, VPS root passwords, or other personally identifiable information (PII) were stored in this database. That said, we cannot fully rule out that some VMs or their data were accessed and as part of best practice we recommend that customers rotate passwords, including their VPS root passwords.
Mitigating Actions
While we notified affected customers quickly - within hours, we recognize the initial communication lacked depth. This was intentional during the mitigation phase, as we prioritized securing the platform before releasing further detail.
What We're Doing Next
A Final Note to the LET Community
We understand that trust must be earned. We're listening. We're learning. And we’re committed to doing better.
If you have questions, concerns, or ideas for how we can better support this community, we encourage you to reach out directly.
Thank you for your time, your patience, and your honest feedback.
At least you pointed out emails, full names and VNC passwords, but root passwords were also leaked. You don't tell your customers to change their root password when they reinstall, so if they didn't, they're likely compromised or soon to be.
Even if it's a pain and a shit ton of work, consider ditching Virtualizor, they don't really care at all about security and this has been shown several times already. It's the most buggy panel I've used, to the point that I even prefer SolusVM v1.
Root passwords were not stored in the database that was accessed. ColoCloud does not store root passwords in the VPS control panel — this has been confirmed directly by the Virtualizor team.
That said, as a best practice, we always recommend rotating root passwords after any security-related event.
@ColoCrossing why did it take you 45 days to release a factual statement?
Are you fulfilling a legal requirement based on the advice of your lawyers for declaring data breaches?
Emails sent to the customers, with the root passwords, IP and more information were all included in the database's "Tasks" table, which was the biggest table of them all.
People have the database and they all can vouch. Why do you trust Virtualizor when they couldn't care less about security of their own software?
Who uses the same root password on different websites?
Who uses a root password? I just use keys and I store it behind the toilet at Taco Bell.