
WHMCS.com Hacked?



I do know WHMCS is following the steps outlined in that document... I didn't hear about the hack from WHMCS, I heard about it from my merchant provider, which is the same merchant provider WHMCS uses, so I assume they did report them as dictated by that URL.

 

I posted the link for informational purposes, for some of the less educated people around here.

 

And to point out that VISA and Mastercard will be interested in conducting an audit, as stated in that article, to see if they are in fact PCI compliant... And because it matters to me and many others here if someone who is holding my card information is PCI compliant.

 

We have a right to be concerned here. I never stated that they would be put out of business or fined... in fact I hope they are not, because WHMCS is at the heart of our business... But I do have concerns about how our information will be handled in the future.

 

 

I found out from the reseller that I bought my WHMCS license from, 4 hours before WHMCS said anything.

 

But then there were also database connection errors 2-3 days ago in the client area here at WHMCS, so I wouldn't be so sure this happened just yesterday. All that billing shutting down and whatnot... that wasn't the hack, that was the start of them "fixing" things.

Link to comment
Share on other sites


My biggest concern is that the hackers have got hold of the source code... That could well put all our installs at risk.

 

I do however wish Matt and his team all the best and hope they can get everything resolved without too much damage.

Link to comment
Share on other sites

Also, as another pressing urgent matter, I have tried doing a password reset to get into my WHMCS client area, and none of the emails are coming through with the link to reset the password. I'm now concerned that if the password reset code was hacked, the hackers would be getting the password reset emails and therefore be able to reset passwords at will.

 

Anybody else having this issue?

Link to comment
Share on other sites

 

> But then there were also database connection errors 2-3 days ago in the client area here at WHMCS, so I wouldn't be so sure this happened just yesterday. All that billing shutting down and whatnot... that wasn't the hack, that was the start of them "fixing" things.

 

That's a major assumption.

 

I am astounded by those on here jumping to conclusions.

Posting comments as if they were facts when you have no evidence whatsoever.

 

Anyone know the definition of "Libel" ??!!

 

Get a grip folks.

 

Paul

Link to comment
Share on other sites

> That's a major assumption.
>
> I am astounded by those on here jumping to conclusions.
>
> Posting comments as if they were facts when you have no evidence whatsoever.
>
> Anyone know the definition of "Libel" ??!!
>
> Get a grip folks.
>
> Paul

 

Correct, it's an assumption that it started 2-3 days ago, but it is FACT that the first we knew about it was when they started fixing the issue.

 

Nothing I have said is libel, and if they so choose they can take me to court and we will argue the toss there. Let's face it, it's our information out there for everybody to see, and I for one would be very happy to have my day.

Link to comment
Share on other sites

> Also, as another pressing urgent matter, I have tried doing a password reset to get into my WHMCS client area, and none of the emails are coming through with the link to reset the password. I'm now concerned that if the password reset code was hacked, the hackers would be getting the password reset emails and therefore be able to reset passwords at will.
>
> Anybody else having this issue?

 

 

As far as I make out from their limited input, the system has been reinstalled, so any affected files would be gone.

 

But I wouldn't know for sure, so in line with this:

 

"Posting comments as if they were facts when you have no evidence whatsoever." Take my response as bullshit and assume you just gave the hackers your details :)

Link to comment
Share on other sites

> My biggest concern is that the hackers have got hold of the source code... That could well put all our installs at risk.
>
> I do however wish Matt and his team all the best and hope they can get everything resolved without too much damage.

 

 

Well, let's hope they did get hold of the source, then maybe we can see what is really going on with WHMCS :)

Link to comment
Share on other sites

So the data has been leaked :(

I had a look and see my personal and license details are now out there in the open.

 

How safe are the stored CC details? I see they are encrypted but does the leak contain the data required to decrypt it?

Link to comment
Share on other sites

> So the data has been leaked :(
>
> I had a look and see my personal and license details are now out there in the open.
>
> How safe are the stored CC details? I see they are encrypted but does the leak contain the data required to decrypt it?

 

We do not know for sure, but if they were able to download the configuration.php then they have the key to decrypt it.

Link to comment
Share on other sites

Sorry if this has been answered already but 14 pages is fairly large to read all the way through ;)

 

But, how safe are our clients? With these leaks is there a threat to our clients? Could someone use the details found in WHMCS source or database and use this against our copy of WHMCS?

Link to comment
Share on other sites

There's been nothing mentioned that WHMCS source code was taken. I can't imagine that WHMCS would keep unencoded source files on the server.

 

I am reading with interest just how many posts are made about how WHMCS is lacking in security, when everyone using WHMCS with a credit card gateway is doing the exact same thing. WHMCS manages its clients (us) using WHMCS, so our card details are encrypted using the hash found in the configuration file. They gained access to the hash and to the database. That's all that's needed to decrypt the stored details.

Link to comment
Share on other sites

> Sorry if this has been answered already but 14 pages is fairly large to read all the way through ;)
>
> But, how safe are our clients? With these leaks is there a threat to our clients? Could someone use the details found in WHMCS source or database and use this against our copy of WHMCS?

 

Our client data is not the issue; it is our company data that is the issue. This is isolated to direct clients.

 

As stated previously, if anybody has provided login details in the support system then those things need sorting on your server, although they should have been already.

 

Not that I suspect WHMCS would do anything at all untoward here, but if you have to give access, your own security policy should be to either provide access on a user account that can be deleted afterwards or change the password after access has concluded.

 

 

To answer the question on support tickets being encrypted. You are correct, they are not.

Link to comment
Share on other sites

> There's been nothing mentioned that WHMCS source code was taken. I can't imagine that WHMCS would keep unencoded source files on the server.
>
> I am reading with interest just how many posts are made about how WHMCS is lacking in security, when everyone using WHMCS with a credit card gateway is doing the exact same thing. WHMCS manages its clients (us) using WHMCS, so our card details are encrypted using the hash found in the configuration file. They gained access to the hash and to the database. That's all that's needed to decrypt the stored details.

 

 

This is not true... there are many tools crackers have access to to decrypt ionCube... all they would have to do is download it and decrypt it.

 

Also, like I stated in my post, WHMCS uses CDGcommerce as their merchant provider, which provides Quantum Vault... if they had been using the Quantum Vault instead of the default Quantum Gateway then none of their customer card data would have been compromised... To add, Quantum Vault undergoes regular PCI compliance audits, and by that I mean full audits, not just a half-baked security scan... Quantum Vault has to be fully PCI compliant.

 

 

Here are some interesting requirements from the PCI compliance regulations found here: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf

 

8.5.2 Verify user identity before performing password resets.

Many malicious individuals use "social engineering" (for example, calling a help desk and acting as a legitimate user) to have a password changed so they can utilize a user ID. Consider use of a "secret question" that only the proper user can answer to help administrators identify the user prior to re-setting passwords. Ensure such questions are secured properly and not shared.

8.5.6 Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use.

Allowing vendors (like POS vendors) to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-ready external entry point into your network. Monitoring of vendor access to the cardholder data environment applies in the same way as it does for other users, such as organizational personnel. This includes monitoring and logging of activities as required by PCI DSS Requirements 10.1 and 10.2, and verifying that usage of vendor remote accounts is in accordance with the policy as defined in Requirements 12.3.8 and 12.3.9.

8.5.7 Communicate authentication procedures and policies to all users who have access to cardholder data.

Communicating password/authentication procedures to all users helps those users understand and abide by the policies, and to be alert for any malicious individuals who may attempt to exploit their passwords to gain access to cardholder data (for example, by calling an employee and asking for their password so the caller can "troubleshoot a problem").

Link to comment
Share on other sites
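Two posts above make the same technical point from opposite directions: one says that the database dump plus the "hash" in the configuration file is all an attacker needs to decrypt stored card numbers, the other says a hosted vault (Quantum Vault) would have left nothing to decrypt. The following is an added example, not WHMCS code and not WHMCS's real encryption scheme: it models a card number encrypted under a key that lives in the application's config (a generic HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for whatever WHMCS used), next to a tokenised row where the processor's vault holds the PAN, and then shows what an attacker holding one DB row plus the leaked config can recover in each case. The config key name, the `Vault` class and the test card number are assumptions made for the example.

```python
"""Why "the card numbers are encrypted" stopped mattering once the DB dump
and configuration.php were both in the attacker's hands, and what a vault
token changes.

Added example, not WHMCS code. The cipher is a generic stand-in (HMAC-SHA256
counter-mode keystream, encrypt-then-MAC), not WHMCS's actual scheme; the
config key name and the Vault class are hypothetical.
"""
import hashlib
import hmac
import secrets

# --- Model A: PAN encrypted under a key that lives in the application's config ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter), counter = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_pan(config_key: bytes, pan: str) -> str:
    """Return hex(nonce || ciphertext || tag), the value a DB column would hold."""
    nonce = secrets.token_bytes(16)
    pt = pan.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(config_key, nonce, len(pt))))
    tag = hmac.new(config_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def decrypt_pan(config_key: bytes, stored: str) -> str:
    """Inverse of encrypt_pan; rejects a wrong key or a tampered record."""
    raw = bytes.fromhex(stored)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expect = hmac.new(config_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(config_key, nonce, len(ct)))).decode()

# --- Model B: tokenised; the processor's vault keeps the PAN, the DB keeps a token ---

class Vault:
    """Stand-in for a hosted card vault on the processor's side (the thread names
    Quantum Vault). Its storage is not part of the merchant's DB or config."""
    def __init__(self) -> None:
        self._cards: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)
        self._cards[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """The merchant can still bill with the token; it never sees the PAN again."""
        return token in self._cards and amount_cents > 0

def store_tokenised(vault: Vault, pan: str) -> dict:
    """What the merchant's own DB row holds under model B."""
    return {"cc_token": vault.tokenize(pan), "last4": pan[-4:]}

# --- The attacker's view: one DB row plus the leaked configuration.php ---

def attacker_recovers_pan(db_row: dict, leaked_config: dict):
    """Return the PAN if the row plus config is enough to recover it, else None."""
    if "cc_encrypted" in db_row:
        # key name mirrors the thread's description of "the hash in the config file"
        return decrypt_pan(leaked_config["cc_encryption_hash"], db_row["cc_encrypted"])
    return None  # token + last4 only: the PAN is in the vault, not in the dump

def demo() -> dict:
    """Constructed data: a test PAN, a random config key, one row per model."""
    pan = "4111111111111111"
    config = {"cc_encryption_hash": secrets.token_bytes(32)}
    row_a = {"cc_encrypted": encrypt_pan(config["cc_encryption_hash"], pan)}
    row_b = store_tokenised(Vault(), pan)
    return {
        "model_a": attacker_recovers_pan(row_a, config),  # the full PAN
        "model_b": attacker_recovers_pan(row_b, config),  # None
        "last4_visible": row_b["last4"],
    }

if __name__ == "__main__":
    print(demo())
```

The point is not the cipher's strength: model A is only as strong as the separation between the key and the data, and on a single web server running the billing app that separation is one file read. Under model B the dump yields a token that is useless without the vault's own credentials, and the merchant can still charge by token. Rotating the config key after a leak does nothing for rows an attacker already copied; only re-tokenising or cancelling the cards does.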

> There's been nothing mentioned that WHMCS source code was taken. I can't imagine that WHMCS would keep unencoded source files on the server.

 

Likely not, it's likely there is a server somewhere with it on, most likely an in-house box for development, as obfuscation at every change would be very limiting to speed of development.

 

 

> I am reading with interest just how many posts are made about how WHMCS is lacking in security, when everyone using WHMCS with a credit card gateway is doing the exact same thing. WHMCS manages its clients (us) using WHMCS, so our card details are encrypted using the hash found in the configuration file. They gained access to the hash and to the database. That's all that's needed to decrypt the stored details.

 

Well not all of us take payments on website, myself included.

 

 

Apparently this was a cPanel breach due to an incompetent support worker (not WHMCS). Bad day or not, protocols are in place to prevent this, and if that person has broken protocol they should be reprimanded.

Link to comment
Share on other sites

> Here are some interesting requirements from the PCI compliance regulations found here: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf

 

That's all well and good, but how do you ensure PCI compliance of your own hosting provider?

 

You can put all those steps into place, and to be quite fair, PCI compliance, whether taking payments or not, isn't a bad thing at all. But the undoing was the support worker at the hosting, if the previous comment on it is to be believed.

Link to comment
Share on other sites

> That's all well and good, but how do you ensure PCI compliance of your own hosting provider?
>
> You can put all those steps into place, and to be quite fair, PCI compliance, whether taking payments or not, isn't a bad thing at all. But the undoing was the support worker at the hosting, if the previous comment on it is to be believed.

 

 

You must not have actually read the requirements, so I'll point them out for you again:

 

> Here are some interesting requirements from the PCI compliance regulations found here: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf
>
> 8.5.2 Verify user identity before performing password resets.
>
> Many malicious individuals use "social engineering" (for example, calling a help desk and acting as a legitimate user) to have a password changed so they can utilize a user ID. Consider use of a "secret question" that only the proper user can answer to help administrators identify the user prior to re-setting passwords. Ensure such questions are secured properly and not shared.

 

Obviously the secret question was not used, or the employee was just a dumb ....

 

> 8.5.6 Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use.
>
> Allowing vendors (like POS vendors) to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-ready external entry point into your network. Monitoring of vendor access to the cardholder data environment applies in the same way as it does for other users, such as organizational personnel. This includes monitoring and logging of activities as required by PCI DSS Requirements 10.1 and 10.2, and verifying that usage of vendor remote accounts is in accordance with the policy as defined in Requirements 12.3.8 and 12.3.9.

 

This one states it right in the title: "Enable accounts used by vendors for remote access only during the time period needed. Allowing vendors (like POS vendors) to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access."

 

Seems to me this one was broken as well... the support desk should not have the passwords for his system on a server that hosts cardholder data, except during times where they need to support the system, if it's a managed system.

 

> 8.5.7 Communicate authentication procedures and policies to all users who have access to cardholder data.
>
> Communicating password/authentication procedures to all users helps those users understand and abide by the policies, and to be alert for any malicious individuals who may attempt to exploit their passwords to gain access to cardholder data (for example, by calling an employee and asking for their password so the caller can "troubleshoot a problem").

 

This last one you are right, it is hard to enforce this rule on their provider.

 

 

But with the first two, this would have never happened because the support rep would not have had the passwords to do so... so quit trying to blame-shift off the fact that the system was not PCI compliant.

 

 

As stated before, in a non-budget data center, if he lost access to his system he could simply KVM over IP via VPN and then reboot into single-user mode and reset the password.

Link to comment
Share on other sites
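The post above argues that 8.5.6 (vendor accounts enabled only for the time needed, and monitored while in use) was the requirement that mattered here, and an earlier poster recommended giving support staff a throwaway account that is deleted afterwards; a later poster says temp accounts are exactly what saved them. The following added example, which is not WHMCS, cPanel or PCI SSC code, turns that practice into something checkable: each support grant is an account with an opening time, a TTL and a ticket reference, and two checks run over constructed sshd-style log lines and a constructed `/etc/passwd` snapshot, flagging any login by a granted account outside its window and any granted account still present after its window closed. The account name `vendor-cpanel`, the ticket id, the window and all log lines are made up for the example.

```python
"""Time-boxed support/vendor access, and a check that it was not used outside the
window or left behind after it closed (the practice several posters describe and
the monitoring PCI DSS 8.5.6 / 10.2 calls for).

Added example, not WHMCS, cPanel or PCI SSC code. Account names, the ticket id,
the window and the log and passwd lines are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class VendorGrant:
    """One approved support window: who, from when, for how long, under which ticket."""
    account: str
    opened: datetime
    ttl: timedelta
    ticket: str

    def expires(self) -> datetime:
        return self.opened + self.ttl

    def active_at(self, t: datetime) -> bool:
        return self.opened <= t < self.expires()


# sshd success line in the classic syslog layout (no year in the timestamp)
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth(line: str, year: int):
    """Return {'ts','user','ip','method'} for an accepted login, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "method": m["method"]}


def audit_logins(lines, grants, year: int):
    """Logins by a granted account that fall outside its approved window."""
    by_user = {g.account: g for g in grants}
    findings = []
    for line in lines:
        ev = parse_auth(line, year)
        if ev is None or ev["user"] not in by_user:
            continue
        g = by_user[ev["user"]]
        if not g.active_at(ev["ts"]):
            findings.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"], "ticket": g.ticket})
    return findings


def lingering_accounts(passwd_lines, grants, now: datetime):
    """Granted accounts whose window has closed but that still exist in /etc/passwd."""
    present = {line.split(":", 1)[0] for line in passwd_lines if ":" in line}
    return sorted(g.account for g in grants if g.expires() <= now and g.account in present)


# Constructed sample: a 4-hour window opened for a hosting-support ticket.
GRANTS = [VendorGrant("vendor-cpanel", datetime(2012, 5, 21, 9, 0), timedelta(hours=4), "TKT-1001")]

LOG = [  # constructed sshd lines
    "May 21 09:15:02 billing sshd[1234]: Accepted password for vendor-cpanel from 203.0.113.7 port 51234 ssh2",
    "May 23 02:41:10 billing sshd[2345]: Accepted password for vendor-cpanel from 198.51.100.9 port 40001 ssh2",
    "May 23 08:00:00 billing sshd[2346]: Accepted publickey for deploy from 203.0.113.7 port 50111 ssh2",
    "May 23 02:42:00 billing sshd[2347]: Failed password for vendor-cpanel from 198.51.100.9 port 40002 ssh2",
]

PASSWD = [  # constructed /etc/passwd snapshot taken on May 23
    "root:x:0:0:root:/root:/bin/bash",
    "deploy:x:1001:1001::/home/deploy:/bin/bash",
    "vendor-cpanel:x:1050:1050:temp support access TKT-1001:/home/vendor-cpanel:/bin/bash",
]

if __name__ == "__main__":
    for f in audit_logins(LOG, GRANTS, 2012):
        print(f"OUT-OF-WINDOW {f['ts']} {f['user']} from {f['ip']} (granted under {f['ticket']})")
    print("still present after expiry:", lingering_accounts(PASSWD, GRANTS, datetime(2012, 5, 23, 12, 0)))
```

On a real Linux host the grant itself is created with an expiry (`useradd -e YYYY-MM-DD` or `chage -E`) and torn down with `userdel -r` when the ticket closes; the audit would read `/var/log/auth.log` or `/var/log/secure` instead of the constructed list. The second check exists because expiry on the account stops new logins but does not remove keys, cron jobs or sessions the account left behind, which is why the posters who deleted the account outright were better off.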

> As stated before, in a non-budget data center, if he lost access to his system he could simply KVM over IP via VPN and then reboot into single-user mode and reset the password.

 

Yes, or at least the support would have been decent and wouldn't have just given out details. I would *always* be suspicious if a customer would request details via non-standard channels. I'm not saying that's the case here, but it could be.

Link to comment
Share on other sites

Why can't we delete our own credit card details on this site??

Aside from the fact that deleting them won't be any help, you cannot delete the card details, only change them...

 

I would advise cancelling the card anyway.

Link to comment
Share on other sites

It really irritates me that sites like this decide they need to hold credit card information... why?? Surely they can just pass on the transaction off-site? There is absolutely no reason why my credit card information should have been stored in their database!

Link to comment
Share on other sites

> It really irritates me that sites like this decide they need to hold credit card information... why?? Surely they can just pass on the transaction off-site? There is absolutely no reason why my credit card information should have been stored in their database!

 

Whoa, dude. It's everybody's own choice to submit credit card details here. I've always used PayPal for this reason. People hand out their credit card number to every site they visit without thinking twice. That's not completely WHMCS' fault. They should have had better security/encryption, but you could have also chosen the safe way.

Link to comment
Share on other sites

Too frustrated to write much at the moment, just utterly disappointed that my personal details were obtained.

 

I am lucky that I always created temp accounts for support people to use, this probably saved me a great deal of pain in this situation.

Link to comment
Share on other sites

This topic is now closed to further replies.