New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
I wish wishing that this would be the case, if i has never been berohost customer before until 2 months ago 😔
I just took a deeper look at their website’s code in the browser, and I have another guess.
There are indications (hashed ID value) that they are using an outdated version of Livewire with a known RCE vulnerability.
(They might have patched it manually, but that it not how it's normally done.)
There are some conditions that have to be met, but if so, an attacker could send a specially crafted JSON payload to the Livewire update endpoint that could trick the server into executing arbitrary PHP code and, for example, dump the user database.
There are also indications (data sent to logs) that several of their Plesk servers haven’t been updated in a long time, so combined with their nonchalant answer, I would just back up my data and move on if I were their customer.
@sillycat stop smoking - it's unhealthy
I didn't get any email like that... yet.
I now received this exact email on one of my emails, that I didn't even use at bero.
I can confirm that I got an email from that metamask thing into my inbox through my email alias (SimpleLogin with custom domain) that I am using on BeroHost.
i received an email like that. but I can't figure out where the leak came from. how did you end up on @berohost ?
just got the mail
Also got such an email yesterday:
Bero-host is a reseller of synlinq.de (AS44486) or famesystems.de/resellerapi.de, so it might be worth checking whether you’re using another of their resellers or if there are other things you have in common.
Edit: @FameSystems added and tagged.
prepaid-host.com (@PrepaidHost) is one of the resellers that also advertise on LET with same or similar setup.
Well let's start here;
https://mxtoolbox.com/SuperTool.aspx?action=dmarc:scep.gob.gt&run=toolpage
https://mxtoolbox.com/SuperTool.aspx?action=spf:scep.gob.gt&run=toolpage
https://zonemaster.se/en/result/9bb0539304ff564c/
So while it's not exactly a free hole enter here it can sure as fuck be used for kinda whatever in regards to spoofing e-mails.
Not sure if that helps but it's always either SPF, DKIM, DMARC or fucking DNS with these things.
It is more important to determine where the leak is.
@FAT32, if it is reseller software that is leaking customer data and multiple LET providers are affected, it might be a good idea to postpone the provider poll for a couple of days.
Well for now there's no evidence pointing to anything but berohost.
Then explain this:
Although it would be funny if someone breached like simplelogin and started targetting only emails for specific domains to make it look like a provider breach
I wonder if only users who paid with MetaMask supported coins received these E-Mails.
Either way, E-Mail lists aren't really valuable and the phishing E-Mail seems low effort, so probably not a targeted breach.
@berohost can't be trusted judging by their response in this thread though.
Report the domains & E-Mails and move on.
I got this email at 15:10 UTC today on an address that is used on multiple hosts including BeroHost and I have no idea what MetaMask is. I paid with PayPal.
We are not a reseller. We only purchase the network uplink from Synlinq. Otherwise, we operate our own switches and server hardware.
We are currently using Livewire v3.7.11 and will be updating to the latest version 4 shortly. The version we are using has no known vulnerabilities.
We take your reports very seriously and are currently working to identify the cause. Based on the information we have at this time, no data has been stolen from our customer database. Our website and internal servers have not experienced any unusual access attempts or security breaches. However, we are working with an external security firm to analyze the issue so we can determine the cause. Since we also use various external services, the problem may originate there. However, it is often difficult to get meaningful feedback on this over the weekend.
We would like to ask all affected customers who can verify that they use the email address exclusively with us to contact us via our ticket system so that we can narrow down the cause. This helps us check important details such as the registration date, newsletter settings, etc.
I didn't find it but I actually received this too! On the 17th of Feb.
This is as well a bero-only mail address, which has never been used for any other service.
I have used PayPal & CreditCard for orders, so nothing related to crypto.
I guess there is a databreach then...?
Yes, I can see you have made some updates since I wrote the above.
It's easy to check because the id hash in script src="/livewire/livewire.js?.. changes per release.
Got the mail too.
Got the same mail here.
27/03/2026, 14:37:18 23.251.226.5 [email protected]
Also dedicated email for berohost.
Next mail to email dedicated only for berohost
