Xoolon

Nothing in my downloads folder except the index.php file so maybe luckier here. The response I got from support was 'We would be unable to advise for definite as to why this happened, perhaps your server logs can provide some insight. It is possible that your WHMCS installation was accessed.'

Yes it was running 5.2.8 when this happened, I upgraded to this on 4th October. Since then I've received plenty of emails saying username changed to aes-encrypt etc. Since regaining access today I have upgraded to 5.2.9 then 5.2.10. As you say the info should be considered compromised, but when it's live customers and products in there as designed, what can you practically do about it except reset passwords?

I couldn't get into my WHMCS install today, and had to reset the key. When I got in I could see an unrecognised login 24 hours ago, with no IP address shown. I downloaded the access logs and look to this time, and can see it's an IP address assigned to Lagos, Nigeria... not a good start. The relevant lines are attached. Looks like they reference a password-cracking service on the first line? 20 seconds later admin login screens, and appears to be access to several config screens. Can anyone tell how bad this is, I have changed the admin directory name and reset my password to a strong one. What else might have been compromised? accesslog.txt

I have now regained access by using the link to enter a new key and providing the one I originally used. So looks like the license key was lost, I'm not sure why.

Same thing has happened to me today, hoping it's not hacked as two security releases of WHMCS have been released in the last couple of days while I was away. I am running 5.2.8 at the point where this happened. Waiting to hear from support.