bear Posted May 22, 2012

This shows what you know. This would actually be Scotland Yard's domain as they are a UK based company. That or Interpol as the breach occurred in the USA.

And the above is incorrect. As the issue/breach occurred on US soil (the server), it's US based authorities that would be contacted. FBI: http://www.answers.com/topic/what-does-the-fbi-do Better not to cast stones until you're sure you're right.

I think they should bring in the CIA instead or MI6 to take out the support worker that made such a prolific error.

Unsure about MI6, but the CIA doesn't deal with this sort of thing. https://www.cia.gov/about-cia/faqs/index.html#whatdo

To those of you yelling that WHMCS is insecure? From what Matt stated, and I have no reason not to believe it, it was a compromised email account that was used to gain all sorts of other access. I find it plausible. Has nothing to do with the security of the script, so calm down a bit and get a grip.

Swimo Posted May 22, 2012

Website seems to be under a DDoS attack. http://twitter.com/#!/whmcs/status/204898785216831489

WHMCS CEO Matt Posted May 22, 2012

Here's the latest on what's happening currently: http://forum.whmcs.com/showthread.php?t=47672

Matt

gOOvER Posted May 22, 2012

When I read this: "We have reported these sites to WHMCS before and they did not take any action whatsoever to stop the illegal activity. By releasing their files, we wanted to make it known that we are watching; and will continue to be watching."

Matt, be glad that you are not living in Germany. Then you would get busted. The hacker informs you, and you do nothing. They told you about leaks, and you don't do anything. That's really poor.

gOOvER Posted May 22, 2012

Here's the latest on what's happening currently: http://forum.whmcs.com/showthread.php?t=47672 Matt

Not really fresh news. Kick this HostGator ****, take a server in the Good Old EU and set up all. You have a DDoS attack atm at your servers

I'm really pissed off of this hack and all cost I have, will will give you

Edited May 22, 2012 by gOOvER

Andrew-FH Posted May 22, 2012

Matt, I feel very sorry for what's going on in the past 24 hours, your site is currently under a huge DDOS attack from UGNazi's, although you are senior and have more knowledge, but I would say take the whmcs site offline, close all the accounts for the next 24-48 hours, pack your stuff and move to a new datacenter DIRECTLY, not through a host, DIRECTLY buy a multi server infrastructure with DDOS protections enabled and lots of security, unpack yourself there and say hi to everybody! It's going to be definitely a hard time keeping up at this stage, what if the payments of new clients signing up for whmcs are at risk, what if the gateways have a new email id to send the payments to? Well there's a lot to inspect and seriously, go offline for some hours and then come back as a strong man with security.

Good luck

We are with you!

scurrell Posted May 22, 2012

Matt, be glad that you are not living in Germany.

I'm glad too, if it's full of idiots like you.

I'm really pissed off of this hack and all cost I have, will will give you

What costs? It costs nothing to cancel your card, and reset a few passwords.

iserver Posted May 22, 2012

The fact of the matter is this: WHMCS makes an embarrassing amount of dosh a week. They can afford their own network technician, and their own hardware colocated at a reputable datacenter. If we assume the lowest license price for every customer in the DB it's something like 500k a month. That's the low end.

Instead, WHMCS have chosen to host with a company that has a frankly embarrassingly bad reputation (mention HostGator on WHT at your own peril), and not only that: they've given them the keys. And why? In case things like this happen. It's easy to blame the provider if they're the ones "managing" the server, right?

It's meaningful to remember: this started with a compromise of Matt's email. So they didn't just go up to HG and ask to get in, they DID compromise AT LEAST ONE system of WHMCS, Matt's email. From the sounds of it, he used that email for just about everything, which is poor form, because if someone did get that email, you can just reset the passwords for everything using that email and then it's not really any better than using a single login/pass on every site.

Furthermore, the credit card security is just bollock, and this is the most worrying. A company we're trusting to write our billing software either couldn't figure out how to, or couldn't be bothered to, properly store our cards in a PCI-compliant way. This is just terrible on WHMCS' end and if you have any fees related to freezing/reissuing your Credit Cards I fully suggest you push the matter with your CC company that this is from WHMCS' negligence, not your own. Make sure you let them know the site has been found not to be PCI-compliant.

The response to this from the WHMCS staff has been lukewarm at best. I still have yet to receive an email. I am sure there are many WHMCS customers that haven't - and don't know their credit cards are in the wild.

If face Boo or Google + I click on "Like me"

In other words...
Bad excuses
Bad professionalism
Bad protocols of work

And in Spain we say, "Money is money..."

TommyK Posted May 22, 2012

When I read this: "We have reported these sites to WHMCS before and they did not take any action whatsoever to stop the illegal activity. By releasing their files, we wanted to make it known that we are watching; and will continue to be watching." Matt, be glad that you are not living in Germany. Then you would get busted. The hacker informs you, and you do nothing. They told you about leaks, and you don't do anything. That's really poor.

Nowhere in that text does it say they told him that information leaked. I'm starting to believe you're trolling now.

gOOvER Posted May 22, 2012

I'm glad too, if it's full of idiots like you.

Cool down and stop annoying. That's my opinion. If you don't like it, don't post. Or did you see in a mirror during posting??

What costs? It costs nothing to cancel your card, and reset a few passwords.

It costs my time, because a BIG Company wants to save money and hosts at a Big unsecure Hosting Company. Or did you work for 0 Money? If yes, please give me your site, then I order a lot for nothing

Edited May 22, 2012 by gOOvER

gOOvER Posted May 22, 2012

Nowhere in that text does it say they told him that information leaked. I'm starting to believe you're trolling now.

Tommyk: Read also Twitter. Maybe you start to troll?? This post was the second post of the Hackers. WHMCS was informed about leaks. I work for a big ISP Hosting Panel; AND BEFORE Hackers try to hack your server, you get a Warning. SO please; same for you: Stop insulting. Prove the contrary. If you agree with this situation, that's ok. I don't agree and I post my opinion.

Edited May 22, 2012 by gOOvER

UH-Matt Posted May 22, 2012

Unsubscribing from this thread as it appears to now be full with 70% idiots.

WHMCS are not responsible for any costs or refunds. They supply software that you use, and you continue to be able to use.

Get over it and give Matt a chance to get on top of this malicious attack.

laszlof Posted May 22, 2012

refund time!!!

Did you register here just to post that? I highly doubt any refunds will be given.

D9Hosting Posted May 22, 2012

I'm glad too, if it's full of idiots like you. What costs? It costs nothing to cancel your card, and reset a few passwords.

You put it so much better than I could!

There's really no need for so much hysteria - change your passwords and call your bank and ask them to put a fraud watch on any card you used with WHMCS.

Worst case scenario; someone makes a fraudulent purchase using a compromised card, so you call up the bank and report the transaction, they refund you the money and send you a new card, all sorted in a few minutes!

That's not to say I'm making light of the obvious security flaws in WHMCS's server setup, but hopefully now it's been publicly divulged it will force them into re-evaluating all the systems they have in place, which can only be a good thing.

If you still don't feel comfortable with using them then take your business elsewhere, but there's no need to act like a bunch of hysterical children about it - we are all adults. (allegedly!)

gOOvER Posted May 22, 2012

Unsubscribing from this thread as it appears to now be full with 70% idiots.

... and you are one of it

WHMCS are not responsible for any costs or refunds.

Yes, they are. WHMCS is the owner of the Server and they are responsible for all, what happened with and on the Server

They supply software that you use, and you continue to be able to use.

No one said something other. But the trust in WHMCS is no longer given

Get over it and give Matt a chance to get on top of this malicious attack.

I would, but the informations are not really much, they give to Users.

AWithers04 Posted May 22, 2012

What's even more disturbing is that UG still has control over the whmcs twitter. Matt might want to take care of that since they keep posting the database links through it. Just saying

Pulsar132 Posted May 22, 2012

Unsubscribing from this thread as it appears to now be full with 70% idiots. WHMCS are not responsible for any costs or refunds. They supply software that you use, and you continue to be able to use. Get over it and give Matt a chance to get on top of this malicious attack.

Exactly! WHMCS have already stated they got access from their host. Not through any loophole or exploit within the WHMCS software.

Throughout the situation most of you still used WHMCS and it worked fine. A couple of you had problems with the license checker so were locked out a while. But your client area still functioned. So you were still able to take payments, orders and such. Yes your security and card details were accessed but as long as you changed them like most of us already have there isn't much the hackers can do, apart from send us spam and attempt to gain access to our servers.

Give Matt a break. Let him finish what he has to do. Harassing him for refunds and compensation will get you nowhere.

twhiting9275 Posted May 22, 2012

From what Matt stated, and I have no reason not to believe it, it was a compromised email account that was used to gain all sorts of other access. I find it plausible. Has nothing to do with the security of the script, so calm down a bit and get a grip.

No, this has everything to do with the security of the company and the fact that Matt is so cheap he used one single server in one of the cheapest hosts around, simply to make a quick buck. This shows blatant disregard for their clients and security as a whole. WHMCS is full of security holes and exploits over the years. This, by all means, takes the cake

Get over it and give Matt a chance to get on top of this malicious attack.

History repeats itself. Why SHOULD we just let Matt off the hook here? He should have learned years ago after the FIRST hack that you need to properly secure your server. Why should we just let Matt get away with being a cheapskate? No, explain... Why should we?

This is a very high profile company that should never have done this. This should never have happened. The fact that our credit card information is out there, in the wild is insane.

This is 100%, absolutely, without a doubt, Matt's fault.
Hostgator didn't put a gun to Matt's head and force him to stay there.
Hostgator didn't put a gun to Matt's head and force him to take just one server
Hostgator didn't put a gun to Matt's head and force him to put everything with them
Hostgator didn't do anything wrong except answer a question from a legitimate source. How were they to know Matt had crappy questions? How were they to know this wasn't Matt?

Yes, Hostgator gave information to someone who wasn't Matt..... HOWEVER, that could have been it, had Matt done his job properly. He did not. As a result of Matt's not doing his job properly, the world now knows all of our credit card data, all of our personal information, all of our passwords.

Ease up on Matt? Maybe if this was the first time something like this had happened, but it's not.

twhiting9275 Posted May 22, 2012

Exactly! WHMCS have already stated they got access from their host. Not through any loophole or exploit within the WHMCS software.

And with PROPER SECURITY, that access would have meant nothing.

Give Matt a break.

We did.... The first time something like this happened. How did he repay us? By spitting in all of our faces and ignoring security best practices. This isn't advanced mechanics 101 here, this is security basics.

laszlof Posted May 22, 2012

No, this has everything to do with the security of the company and the fact that Matt is so cheap he used one single server in one of the cheapest hosts around, simply to make a quick buck. This shows blatant disregard for their clients and security as a whole. WHMCS is full of security holes and exploits over the years. This, by all means, takes the cake

History repeats itself. Why SHOULD we just let Matt off the hook here? He should have learned years ago after the FIRST hack that you need to properly secure your server. Why should we just let Matt get away with being a cheapskate? No, explain... Why should we?

This is a very high profile company that should never have done this. This should never have happened. The fact that our credit card information is out there, in the wild is insane.

This is 100%, absolutely, without a doubt, Matt's fault.
Hostgator didn't put a gun to Matt's head and force him to stay there.
Hostgator didn't put a gun to Matt's head and force him to take just one server
Hostgator didn't put a gun to Matt's head and force him to put everything with them
Hostgator didn't do anything wrong except answer a question from a legitimate source. How were they to know Matt had crappy questions? How were they to know this wasn't Matt?

Yes, Hostgator gave information to someone who wasn't Matt..... HOWEVER, that could have been it, had Matt done his job properly. He did not. As a result of Matt's not doing his job properly, the world now knows all of our credit card data, all of our personal information, all of our passwords.

Ease up on Matt? Maybe if this was the first time something like this had happened, but it's not.

Pulsar132 Posted May 22, 2012

No, this has everything to do with the security of the company and the fact that Matt is so cheap he used one single server in one of the cheapest hosts around, simply to make a quick buck. This shows blatant disregard for their clients and security as a whole. WHMCS is full of security holes and exploits over the years. This, by all means, takes the cake

History repeats itself. Why SHOULD we just let Matt off the hook here? He should have learned years ago after the FIRST hack that you need to properly secure your server. Why should we just let Matt get away with being a cheapskate? No, explain... Why should we?

This is a very high profile company that should never have done this. This should never have happened. The fact that our credit card information is out there, in the wild is insane.

This is 100%, absolutely, without a doubt, Matt's fault.
Hostgator didn't put a gun to Matt's head and force him to stay there.
Hostgator didn't put a gun to Matt's head and force him to take just one server
Hostgator didn't put a gun to Matt's head and force him to put everything with them
Hostgator didn't do anything wrong except answer a question from a legitimate source. How were they to know Matt had crappy questions? How were they to know this wasn't Matt?

Yes, Hostgator gave information to someone who wasn't Matt..... HOWEVER, that could have been it, had Matt done his job properly. He did not. As a result of Matt's not doing his job properly, the world now knows all of our credit card data, all of our personal information, all of our passwords.

Ease up on Matt? Maybe if this was the first time something like this had happened, but it's not.

Yes we all understand that. Ultimately I'm not happy about the security practices WHMCS took. But what's done is done. We can't get back the information they stole. Yes we are going to be pissed and it's not going to look good at all. But as long as we change our security details and contact our bank things shouldn't be too bad.

I think they'll learn and they are very quickly going to upgrade their security. Just give them time. Matt and the team are probably feeling very sh*t at the moment. I can't even begin to imagine how they must be feeling.

Iceman Posted May 22, 2012

Me thinks someone fell OFF their soapbox

Edited May 22, 2012 by Iceman

gOOvER Posted May 22, 2012

And when we talk about Security: vBulletin 3.6.8 is used here. Why doesn't WHMCS update to 3.8.7PL1?? There are a lot of Security Holes in this Forum Version. Only for saving Money and Time. Not more

@twhiting9275: You talk from my Soul

Edit: Matt: Do a Forum Update to your ToDo List

Edited May 22, 2012 by gOOvER

Si Posted May 22, 2012

No, this has everything to do with the security of the company and the fact that Matt is so cheap he used one single server in one of the cheapest hosts around, simply to make a quick buck. This shows blatant disregard for their clients and security as a whole. WHMCS is full of security holes and exploits over the years. This, by all means, takes the cake

History repeats itself. Why SHOULD we just let Matt off the hook here? He should have learned years ago after the FIRST hack that you need to properly secure your server. Why should we just let Matt get away with being a cheapskate? No, explain... Why should we?

This is a very high profile company that should never have done this. This should never have happened. The fact that our credit card information is out there, in the wild is insane.

This is 100%, absolutely, without a doubt, Matt's fault.
Hostgator didn't put a gun to Matt's head and force him to stay there.
Hostgator didn't put a gun to Matt's head and force him to take just one server
Hostgator didn't put a gun to Matt's head and force him to put everything with them
Hostgator didn't do anything wrong except answer a question from a legitimate source. How were they to know Matt had crappy questions? How were they to know this wasn't Matt?

Yes, Hostgator gave information to someone who wasn't Matt..... HOWEVER, that could have been it, had Matt done his job properly. He did not. As a result of Matt's not doing his job properly, the world now knows all of our credit card data, all of our personal information, all of our passwords.

Ease up on Matt? Maybe if this was the first time something like this had happened, but it's not.

You guys gOOvER and twhiting are unbelievable. I guess by this stage, you have now moved to another billing system? No? Why not? You would rather sit on the sidelines and lambast someone who is already going through a tough time. You set standards like this for others and come on here contributing nothing but showing your own ignorance and insincerity. What you deserve is to have your own customers treat you in the same way you are treating Matt and WHMCS.

Yes we all have gripes. Yes Matt made a mistake. He has held his hands up and said so. We are all in the same boat. I've been in this industry for 14 years and people like you sicken and sadden me. Just go elsewhere and stop the public beating of Matt. Once you've got your database set up with another billing company, seek your recompense through the courts if you are so confident of success and quell your anger that way.

If not and you're staying with WHMCS, then shut up and show some support. Surely it's in your own interests to make sure WHMCS succeeds. (Or are you so small-minded you can't see that).

For the guy HHawk who signed up and made his first post 'Refund Time' and had the cheek to do it in bold 40 px red, you're a disgrace and if you intend to be a serious part of this community, you'd best close that forum account and start again with a fresh mind-set.

Matt has stated his intentions and his apologies. Now back off and let him and the WHMCS team get it sorted.

xuser Posted May 22, 2012

Yes we all understand that. Ultimately I'm not happy about the security practices WHMCS took. But what's done is done. We can't get back the information they stole. Yes we are going to be pissed and it's not going to look good at all. But as long as we change our security details and contact our bank things shouldn't be too bad. I think they'll learn and they are very quickly going to upgrade their security. Just give them time. Matt and the team are probably feeling very sh*t at the moment. I can't even begin to imagine how they must be feeling.

Wow! I simply loved your post Pulsar. I also request everybody to let them work. Give them time and things will start getting better. It is just a matter of time.