WHMCS.com Hacked?


So what would you do if you lost your credit card?

 

What would you have to do when your card hits its expiry date?

 

I'm in my late 40's and have many bills.....but it's simple and not that big a deal really.

 

 

I've never in my adult life lost my card. I deal with expiring cards accordingly every couple of years. I call them then with a new card and update as is my responsibility. MY responsibility every few YEARS.

 

The ignorance of the joking and lack of seriousness of the situation is outstanding around here. Glad the users of these forums do not represent the group of individuals who run the business. Even if Matt made a mistake that extended past WHMCS into his personal email to lead in to this breach.

 

Fact of the matter is, it's a real issue, it's a serious issue. It involves OUR credit, our credit cards. WHMCS was not PCI compliant which is where the disgust should be directed. Not at the angry customers and the handling of their data.

 

Same reason why Sony is being sued for millions by tens of thousands.

Link to comment
Share on other sites

So true, our company takes PCI-DSS certification extremely seriously. We even ensure PCI compliance by spending hundreds each year on scans and audits. I find it hard to believe that WHMCS would let such a thing happen! I'm not even sure if PCI will fine WHMCS for this data breach and non-compliance.

Link to comment
Share on other sites

Why are you all tearing each other to shreds over this? Seriously people, stop it, there are much more important things to be doing and worrying about as a result of what happened. Stop wasting your time nitpicking at each other, it's pathetic.

Link to comment
Share on other sites

So what would you do if you lost your credit card?

 

What would you have to do when your card hits its expiry date?

 

I'm in my late 40's and have many bills.....but it's simple and not that big a deal really.

 

This has been ongoing now for 24 hours and I had it sorted in 1 hour. (less probably). Why are you sitting here 24 hours later still panicking?

 

OMG Si, please, shut up with such senseless answers.

 

He is right. We all have work, with the shitty work of the WHMCS Admin or Owner.

 

Sooo stop such stupid senseless answers. Go out in your garden and tell such things to a tree, which is interested in such things.

 

A hack has to be cleared in 12h (especially the information given to the users). Every minute over 12h, the admin doesn't know what he does. Just my 2 cents ;)

 

Are you paid by WHMCS to answer like this?? If yes, read above ;)

Link to comment
Share on other sites

 

A hack has to be cleared in 12h (especially the information given to the users). Every minute over 12h, the admin doesn't know what he does. Just my 2 cents ;)

 

Where did you come up with an arbitrary time limit of 12 hours? Serious investigations/damage recovery take much longer than that for any company with more than a couple thousand clients.

Link to comment
Share on other sites

I think they'll learn and they are very quickly going to upgrade their security.

That's just it, they have not learned.

This is not the first time WHMCS has been broken into

This is not the first time WHMCS has had security vulnerabilities

Every single time they blow it off like it's nothing, and customers like yourself (fanboys) eat it up like it's God's honest truth.

 

I also request everybody to let them work. Give them time and things will start getting better.

Yeah, keep your head nice and buried in the sand there. Fanboys always will.

The first time this happened, I said the same time. 3 years later, here we are, same situation, only much worse. WHMCS hasn't "learned" anything. They've gotten stupider and more lax over the years.

Link to comment
Share on other sites

Where did you come up with an arbitrary time limit of 12 hours? Serious investigations/damage recovery take much longer than that for any company with more than a couple thousand clients.

 

This was only my experience as admin :) Servers can be up in 3h after a hack. ;) Also with thousands of clients/users ;). A company like WHMCS needs more than one server. If I read and understand the latest news correctly, they don't have that. ;)

 

I worked in the past for a company like WHMCS. They had an extra server for logs. So why do you need time for investigation? Read the last log entries. ~ 1h ;)

 

1 backup server, which makes incr. backups every 30 mins ;)

Edited by gOOvER
Link to comment
Share on other sites

I would have to agree, and since it's not in their building, they are waiting on the host as well.

 

Where did you come up with an arbitrary time limit of 12 hours? Serious investigations/damage recovery take much longer than that for any company with more than a couple thousand clients.
Link to comment
Share on other sites

Then go somewhere else..

 

That's just it, they have not learned.

This is not the first time WHMCS has been broken into

This is not the first time WHMCS has had security vulnerabilities

Every single time they blow it off like it's nothing, and customers like yourself (fanboys) eat it up like it's God's honest truth.

 

 

Yeah, keep your head nice and buried in the sand there. Fanboys always will.

The first time this happened, I said the same time. 3 years later, here we are, same situation, only much worse. WHMCS hasn't "learned" anything. They've gotten stupider and more lax over the years.

Link to comment
Share on other sites

This was only my experience as admin :) Servers can be up in 3h after a hack. ;) Also with thousands of clients/users ;).

 

I'm sorry, but your experience as an admin must be relatively limited. A proper investigation should be done BEFORE putting files back online, regardless of if you think they're clean or not. This takes time, much more than the magical "12 hours" you've listed.

Link to comment
Share on other sites

Then go somewhere else..

 

Oh, believe me, I've started the process, as well as reported this flagrant breach of security to their credit card processor (which happens to be mine as well).

 

Let the fines come in, they're gonna need a few dump trucks to handle all the cash they'll be handing out this time.

Link to comment
Share on other sites

So what would you do if you lost your credit card?

 

What would you have to do when your card hits its expiry date?

 

I'm in my late 40's and have many bills.....but it's simple and not that big a deal really.

 

This has been ongoing now for 24 hours and I had it sorted in 1 hour. (less probably). Why are you sitting here 24 hours later still panicking?

 

I agreed with you 100%.

 

We all stress at times, but it seems that learning to bite one's tongue before ranting with rage and trying to immediately lay blame is an attribute time/years seems to teach best. Perhaps us "oldies" have seen it all before? ;)

Link to comment
Share on other sites

I'm sorry, but your experience as an admin must be relatively limited. A proper investigation should be done BEFORE putting files back online, regardless of if you think they're clean or not. This takes time, much more than the magical "12 hours" you've listed.

 

You're right, ok :)

 

But investigations don't need more than 12h ;) But as I said, WHMCS is a big company. First prio: bring back the website and other services like licence servers as fast as possible. Then you have enough time to investigate. And when you know where to search. Only my opinion and no need to discuss ;)

Edited by gOOvER
Link to comment
Share on other sites

Why are you all tearing each other to shreds over this? Seriously people, stop it, there are much more important things to be doing and worrying about as a result of what happened. Stop wasting your time nitpicking at each other, it's pathetic.

 

Hear, hear!!!!

Link to comment
Share on other sites

Well, all I can say is I am glad I never used a credit card and also that I don't use hostgator.

 

You would think with larger business clients they would have some kind of system in place where a simple email wouldn't get you access to everything but instead they would follow up a request for information to access the server via a phone call to Matt. This is why I do not use those large bloated hosting companies but get my server from a smaller company where I have a more personable relationship with the owner and am not just another number.

Link to comment
Share on other sites

Then go somewhere else..

 

 

Read what he said, then what you said. Let me sum up your rather silly comment.

 

"If you don't like the fact your credit card information has been stolen in not one but multiple breaches, then go elsewhere. Quit complaining your information isn't safe" GOSH!!!

 

Wow.... Fanboy at its best.

 

 

Notice how none of the fanboy comments have any defensive arguments to being non PCI compliant?

 

Kids, children, adults, fanboys. It's a breach. Telling users to go elsewhere because they are upset with the multiple breaches is a pathetic attempt to defend WHMCS. Matt is in heaps of **** right now. I feel for him in that sense. He's got a lot on his plate and I can't imagine the hours he'll be spending answering tickets, emails and legal threats over the next few weeks.

 

Let it calm down for the next 24 hours, see what happens. Don't listen to fanboys telling you to go elsewhere because you're unhappy with the lack of security.

 

No way should this have been hosted with hostgator. Find a secure data center. Matt, I have a recommendation, which my business has been with for years. They are a rock solid data center that I will not mention here. Good prices on servers or co-location. They control both in house in a very high end data center where most high end businesses go to co-locate.

 

I'll help get you the information you need when you're ready, if you're interested.

Link to comment
Share on other sites

WHMCS should send out IMMEDIATELY the list of credit cards that were in the database to the corresponding issuer and make sure those cards are to be cancelled ASAP.

 

My programmers successfully retrieved all CC data from the leaked DB.

 

These cards have to be cancelled ASAP.

Link to comment
Share on other sites

Well, all I can say is I am glad I never used a credit card and also that I don't use hostgator.

 

You would think with larger business clients they would have some kind of system in place where a simple email wouldn't get you access to everything but instead they would follow up a request for information to access the server via a phone call to Matt. This is why I do not use those large bloated hosting companies but get my server from a smaller company where I have a more personable relationship with the owner and am not just another number.

 

We use a huge data center, a very secure data center, and they do not follow up with a phone call. You have security questions and a security phrase that must be 10 words to even gain access, otherwise you must call in and verify everything and I think mail is then sent to you.

 

Hostgator didn't breach any security, they did what anyone would have done. WHMCS even offers the ability for existing customers to open tickets, forgotten passwords via a registered email.

 

I have customers open tickets via their email all the time. Though I still verify something in their account when I see fit, it's up to the customer to secure their emails and anything that reaches far enough into a business.

Link to comment
Share on other sites

Come on guys... why are you storing CC numbers by default? It's not like we are reoccurring hosting accounts?

 

And who is the wanker that gave out the information? How did these pricks know the answers to your security questions?

 

Probably too much info on Facebook.. the biggest security risk on the face of the planet.

 

Anyway.. all supposition. Cancelled our card this am, no charges made or attempted. Deleted stored CC from WHMCS db, nor will one be stored there again, I wasn't aware that it was stored to begin with.

 

You can't be hosting this site on a shared server, nor should anyone else have root access to it in any way. Again assumptions but damn guys, security 101 here.

Edited by backfortydata
Link to comment
Share on other sites

This topic is now closed to further replies.