Jump to content
jasonmccurry

WHMCS.com Hacked?

Recommended Posts

It really irritates me that sites like this decide they need to hold credit card information... why?? Surely they can just pass on the transaction off-site? There is absolutely no reason why my credit card information should have been stored in their database!

 

Whoa, dude. It's everybody's own choice to submit credit card details here. I've always used PayPal for this reason. People hand out their credit card number to every site they visit without thinking twice. That's not completely WHMCS' fault. They should have had better security/encryption, but you could have also chosen the safe way.

Share this post


Link to post
Share on other sites

Too frustrated to write much at the moment, just utterly disappointed that my personal details were obtained.

 

I am lucky that I always created temp accounts for support people to use, this probably saved me a great deal of pain in this situation.

Share this post


Link to post
Share on other sites
Aside from the fact that deleting them won't be any help, you cannot delete the card details, only change them...

 

I would advise cancelling the card anyway.

 

 

I concur with openmind. We all know the hassle of cancelling cards, especially if you use it for multiple subscriptions. Cancel your card ASAP and tell your credit card company the breach could have been days ago. (I have not read all the posts on this topic, but if WHMCS does not know exactly when the breach happened) this will give you protection on transactions before the breach.

 

? So we all cancel our card, subscriptions stop, does that mean WHMCS will suspend licensing shutting our systems down?

Share this post


Link to post
Share on other sites

I would be very dismissive to these very aggressive attacks against WHMCS talking about lax security and such.

These seem to be very over the top in their aggression and it is almost as if they are attempting a secondary attack against the owner to reinforce the damage that has been done.

 

Like a person told me back in 1998 when I was researching computer security "if you want everything to be completely secure then unplug your computer from the network".

Share this post


Link to post
Share on other sites

Sorry, but in this Company Size, this should not happend. And when i think about, how they come into system. Sorry Guys. I don't trust WHMCS longer. I've been looking for alternatives for WHMCS, because with this hack, i have more work, to change everything.

 

I HOPE, WHMCS GIVE's A compensation for this useless Hack !!!!! If not, i say goodbye to WHMCS and i will also recommend all User's which using WHMCS, to use an other Billing Solution. I'*m not really willing, to pay an other Update Fee, for such an incompetend Team ;)

 

As the HAcking Group said" You're be warned" ;) I Think, the WHMCS Team become BEFORE HACK a Warning, what to fix. I only know this in this Way. AND THEY IGNORE IT!!!!

 

I downloaded all; DB, WebSite, etc. And i'm appalled, what you can do with this.

 

WHMCS TEAM, THINK ABOUT YOUR PASSWORDS AND MAKE SUCH shitty HostGAtor Account SAFITIER. OR Use an own Server, not this **** HostGator

Edited by gOOvER

Share this post


Link to post
Share on other sites

Is it ironic that I just received this email from HP

 

HP Technology at Work - Stop social engineer scammers from targeting your business

 

As for WHMCS being hacked via social engineering just shows how vulnerable we are from multiple points of access. I DO NOT blame the WHMCS team, and hopefully in the future they will perform internal security audits. I will continue to use WHMCS as it's what I use to drive my business. I believe WHMCS is still secure, and it's our responsibilities in the end to ensure that we are secure.

Edited by ulawe

Share this post


Link to post
Share on other sites
Like a person told me back in 1998 when I was researching computer security "if you want everything to be completely secure then unplug your computer from the network".

 

You either might want to block all active ports on the pc since for example usb sticks are a considerable thread to.

Share this post


Link to post
Share on other sites

<<snipped>>

 

I am not about to trump up whmcs it has its flaws in itself, but they do get worked on and fixed as soon as possible.

 

This immediate issue, unconfirmed other than the email stating how this happened. comes back to the host service of WHMCS not to WHMCS.

 

The fact a support worker at their host did not follow protocol and verify without doubt that the person was who they said leaves their hosting provider with this problem. but look at it this way. Anybody could find out your host, and make steps to become employed with them if they so had the inclination to disrupt your business.

 

The only true safe solution is your own servers in your own datacentre. this is something we all initially trade off as a viable pass to try to start a business that we can later build into a thriving hosting business with our own datacentre. This has to be the one thing that all hosts have in common, we all want to stand on our own two feet, both financial and hardware.

 

WHMCS are doing all they can. If you are at all in doubt, change all your passwords if you have given any (you should be cycling passwords anyway to reduce risks with static passwords) and cancel any credit or debit cards that have been provided to WHMCS.

 

I have done all of this and i have never even given WHMCS my login details, better to be safe than sorry in the long run.

 

 

My main concern here is that WHMCS does need to allow us to delete card details or do it themselves, and change emails too. they know our email addresses, if they so choose they can write a script to reset our passwords, thats going to be a pain in the backside.

Edited by bear
.

Share this post


Link to post
Share on other sites

The Problem at all is: Everyone at the whole wide web can Downlod the Database with all Data's,. Sorry Guys, but when someone like WHMCS is not able to secure Access to an Hostingpanel, how they are able to secure a Script, they sell. I trusted WHMCS a long tiomke, but a Hack is a Hack and and the reliability is still massively down.

 

Who will pay my costs, which i have, because of the HAck??

 

Only my 2 cents ;)

Edited by gOOvER

Share this post


Link to post
Share on other sites
I've been looking for alternatives for WHMCS, because with this hack, i have more work, to change everything.

 

Change what? If WHMCS has your credit card info, have the credit card re-issued/blocked. If they do not have your credit card info, no action is needed. All in all this hack may cost you 5 to 20 minutes of your life.

Share this post


Link to post
Share on other sites

Wow I just found out that the entire WHMCS database, cpanel, root files are on public download.... yikes

Share this post


Link to post
Share on other sites
Wow I just found out that the entire WHMCS database, cpanel, root files are on public download.... yikes

 

Yes, all are for the public. That's the Problem and it seem's WHMCS don't care.

 

I Think, when they really involed FBI, the FIBI can delete all Postst on Twitter.

 

BTW: I got the File via WHMCS Twitter Account. Why you are useing the Same PW on all accounts??

Share this post


Link to post
Share on other sites
The Problem at all is: Everyone at the whole wide web can Downlod the Database with all Data's,. Sorry Guys, but when someone like WHMCS is not able to secure Access to an Hostingpanel, how they are able to secure a Script, they sell. I trusted WHMCS a long tiomke, but a Hack is a Hack and and the reliability is still massively down.

 

Who will pay my costs, which i have, because of the HAck??

 

Only my 2 cents ;)

 

 

Your looking to the wrong source for finger pointing, datacentre support permitted unauthorised access to the server. its been said several times.

 

It doesnt matter how strong your password is, i personally use the cpanel password generator with all its bells and whistles active and full length.

 

Even with this, if somebody "gives out your password" then it isnt a safe password no matter how challenging you make it.

Share this post


Link to post
Share on other sites
I Think, when they really involed FBI, the FIBI can delete all Postst on Twitter.

 

 

This shows what you know. This would actually be scotland yards domain as they are a UK based company. That or interpol as the breach occured in the usa.

 

I think they should bring in the CIA instead or MI6 to take out the support worker that made such a prolific error.

 

(well we are going down the silly road are we not)

Share this post


Link to post
Share on other sites
Yes, all are for the public. That's the Problem and it seem's WHMCS don't care.

 

I Think, when they really involed FBI, the FIBI can delete all Postst on Twitter.

 

BTW: I got the File via WHMCS Twitter Account. Why you are useing the Same PW on all accounts??

 

So you think FBI have a admin account at twitter? And you cannot think of any other reason that hackers get the twitter account details other than it must be the same as their server login?

 

Amazing thought skills.

Share this post


Link to post
Share on other sites

I just want to make something here clear.

 

Everything you give to WHMCS because your a business should be publicly available anyway.

 

Your account email should not be, nor should any billing details, but all the rest should be. If you are operating legitimately.

 

The email address to log in can be changed. If the old one gets spammed to death, close it. Personally i use one dedicated email address for whmcs. and as a result i will find if spammed, it will be deleted and a new email created. its really that simple.

Share this post


Link to post
Share on other sites
This shows what you know. This would actually be scotland yards domain as they are a UK based company. That or interpol as the breach occured in the usa.

 

I think they should bring in the CIA instead or MI6 to take out the support worker that made such a prolific error.

 

(well we are going down the silly road are we not)

 

WHMCS Team told they involed FBI ;)

 

So you think FBI have a admin account at twitter? And you cannot think of any other reason that hackers get the twitter account details other than it must be the same as their server login?

 

Amazing thought skills.

 

 

I don't say this, that FBI hve admin Access to Twitter. Please read correct ;)

 

But:Ö Why i got the Files Announcements from the WHMCS Twitter Account?? So i must think, one of the Admins use the Same Password on every account ;)

Share this post


Link to post
Share on other sites

I read the threads posted by Mat and according to the threads this is all due to the hosting provider

giving the hackers access after meeting all the challenges requested.

 

I would think that such an important client such as the WHMCS company that they would have called

and talked to Mat personally on the phone before giving that level of access.

Share this post


Link to post
Share on other sites
I read the threads posted by Mat and according to the threads this is all due to the hosting provider

giving the hackers access after meeting all the challenges requested.

 

I would think that such an important client such as the WHMCS company that they would have called

and talked to Mat personally on the phone before giving that level of access.

 

WHMCS IS SO GREEDY: They stop offering a Free Trial

WHMCS IS SO CHEAP: They use Hostgator for hosting

 

A company like whmcs that has such high profile clients can use HG for hosting.

I never use HG and I am not even close to these guys.

 

I guess the main purpose is to collect our money but dont protect us from issues like this that leads to identity theft and more

 

Shame on WHMCS TEAM for making such cheap and horrible hosting choices.

Share this post


Link to post
Share on other sites

But:Ö Why i got the Files Announcements from the WHMCS Twitter Account?? So i must think, one of the Admins use the Same Password on every account ;)

 

So it didn't occur to you at all that the twitter password could have been stored in the whmcs database?

Share this post


Link to post
Share on other sites
So it didn't occur to you at all that the twitter password could have been stored in the whmcs database?

 

No, but Matt use the same Password at all accounts as it seems ;)

Edited by gOOvER

Share this post


Link to post
Share on other sites

You would think that someone as important as WHMCS that they would have called Matt and talked to him personally before giving root access to anyone.

 

Why would they need to give anyone a free trial?

I don't get that part. WHMCS has a long vetted career with loads of documentation and references.

Share this post


Link to post
Share on other sites

This is my last posting on this subject.

 

As a reminder to all.. Cancel cards, Reset passwords, Change emails

 

After this, let sleeping dogs lie, we are understandably concerned but with the above measures in place. We can all sleep easy tonight and await another eventful day.

 

Fair well and good luck.

 

PS:: Your card provider will want full details of the attack and to be protected against fraudulent use of your card you need to report to them within 24 hours of the incident. (this means about 4PM GMT today i believe)

Share this post


Link to post
Share on other sites

 

Why would they need to give anyone a free trial?

I don't get that part. WHMCS has a long vetted career with loads of documentation and references.

 

the point is, they are eager to hold your money instead with a 30 days money back, this started when they implemented the never version 5

 

There is more to a company that eager to sell, which was whmcs main goal as security was at the bottom of there priority list.

 

I love the software but we will not continue to use it if this is how they handle privacy and security.

Share this post


Link to post
Share on other sites

The fact of the matter is this: WHMCS makes an embarassing amount of dosh a week. They can afford their own network technician, and their own hardware colocated at a reputable datacenter. If we assume the lowest licenxse price for every customer in the DB it's something like 500k a month. That's the low end.

 

Instead, WHMCS have chosen to host with a company that has a frankly embarrasingly bad reputation (mention HostGator on WHT at your own peril), and not only that: they've given them the keys. And why? In case things like this happen. It's easy to blame the provider if they're the ones "managing" the server, right?

 

It's meaningful to remember: this started with a compromise of Matt's email. So they didn't just go up to HG and ask to get in, they DID compromise AT LEAST ONE system of WHMCS, Matt's email. From the sounds of it, he used that emailfor just about everything, which is poor form, because if someone did get that email, you can just reset the passwords for everything using that email and then it's not really any better than using a single login/pass on every site.

 

Furthermore, the credit card security is just bollock, and this is the most worrying. A company we're trusting to write our billing software either couldn't figure out how to, or couldn't be bothered to, properly store our cards in a PCI-compliant way. This is just terrible on WHMCS' end and if you have any fees related to freezing/reissuing your Credit Cards I fully suggest you push the matter with your CC company that this is from WHMCS' negligence, not your own. Make sure you let them know the site has been found not to be PCI-compliant.

 

The response to this from the WHMCS staff has been lukewarm at best. I still have yet to receive an email. I am sure there are many WHMCS customers that haven't - and don't know their credit cards are in the wild.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

By using this site, you agree to our Terms of Use & Guidelines