Digitalized Media Posted May 22, 2012
Not to sound like a total a$$hat here, but are we the only company with multiple cards and internal measures for such an issue? Your inconvenience is your own fault, really. You sound international, and you roll with one credit card? Jeesh. Maybe this is a welcome wake-up call. Internal financial security and assurance of solid cash flow is basic business 101. Just chalk it up as a learning experience and a business expense. My accountant calls it a tax write-off.
ExsysHost Posted May 22, 2012
<<snipped>> I am not about to trump up WHMCS; it has its flaws in itself, but they do get worked on and fixed as soon as possible. This immediate issue, unconfirmed other than the email stating how this happened, comes back to the host service of WHMCS, not to WHMCS. The fact a support worker at their host did not follow protocol and verify without doubt that the person was who they said leaves their hosting provider with this problem. But look at it this way: anybody could find out your host, and make steps to become employed with them if they so had the inclination to disrupt your business. The only true safe solution is your own servers in your own datacentre. This is something we all initially trade off as a viable pass to try to start a business that we can later build into a thriving hosting business with our own datacentre. This has to be the one thing that all hosts have in common, we all want to stand on our own two feet, both financial and hardware. WHMCS are doing all they can. If you are at all in doubt, change all your passwords if you have given any (you should be cycling passwords anyway to reduce risks with static passwords) and cancel any credit or debit cards that have been provided to WHMCS. I have done all of this and I have never even given WHMCS my login details, better to be safe than sorry in the long run. My main concern here is that WHMCS does need to allow us to delete card details or do it themselves, and change emails too. They know our email addresses, if they so choose they can write a script to reset our passwords, that's going to be a pain in the backside.
You know what I think is crazy... that WHMCS violated two of the required PCI compliance rules... and you continue to try and "defend" them and pass the buck on their hosting company. I am not attacking WHMCS... what I want to see from this is that they improve their ways, we have a right to be concerned that WHMCS was storing our cards on a system that was not PCI compliant. The fact is if they had followed those two simple PCI compliance rules, then their hosting company would have never had the password to give out in the first place.
Iceman Posted May 22, 2012
Errr seriously, nobody really cares about what you're doing man.. ... yet, you took a few seconds to reply!
ExsysHost Posted May 22, 2012
You're looking to the wrong source for finger pointing, datacentre support permitted unauthorised access to the server. It's been said several times. It doesn't matter how strong your password is, I personally use the cpanel password generator with all its bells and whistles active and full length. Even with this, if somebody "gives out your password" then it isn't a safe password no matter how challenging you make it. Again, if your system is PCI compliant your host would not have your password to give out. Something with your arguments makes me fearful for your customers.
gOOvER Posted May 22, 2012
So where is the money you're paying WHMCS for using their name and logo on your forum at http://www.whmcs-germany.com ? Don't talk about things you don't know. And: if you don't know what you are talking about, stop asking stupid, senseless questions. There is no need to answer you, because you are not involved in some things. But thank you for the traffic.
Edited May 22, 2012 by gOOvER
Andrew-FH Posted May 22, 2012
All right guys, this may be a breath of relief for some and may not be for some. Check your email address (WHMCS client portal email address) if it's validly present in the database. Thanks to the uploader of this script. For some people have reported, although they are part of WHMCS, their email address isn't present in the db dumped by hackers, so it looks like hackers weren't able to get the full db, various reasons, big db size, timeout problems etc... Fortunately, my email address isn't present there and I'm not in DB. Check here :- http://whmcs.h02.org/index.php
ExsysHost Posted May 22, 2012
This shows what you know. This would actually be Scotland Yard's domain as they are a UK based company. That or Interpol as the breach occurred in the USA. I think they should bring in the CIA instead or MI6 to take out the support worker that made such a prolific error. (well we are going down the silly road are we not) Actually... WHMCS stated in their email that the FBI had been contacted... most likely because host gator told WHMCS that they did... but I am pretty sure that is a big lie.
Digitalized Media Posted May 22, 2012
Don't talk about things you don't know. And: if you don't know what you are talking about, stop asking stupid, senseless questions. There is no need to answer you, because you are not involved in some things.
Sounds like someone with something to hide.
gOOvER Posted May 22, 2012
Sounds like someone with something to hide.
No, but what has this to do with the topic?? He only no longer knows what to talk about. So he started this with my Support Forum. Why do I have to talk with all about this?? And if you mean I do something illegal, please write a Support Ticket to WHMCS Support. @Digitalized Media: Would you talk with me about your business or parts of it??
WebsiteIntegrations Posted May 22, 2012
Don't talk about things you don't know. And: if you don't know what you are talking about, stop asking stupid, senseless questions. There is no need to answer you, because you are not involved in some things.
Well, you bitch and moan for 6 hours straight (now almost 7 - even though apparently your time is very valuable) about Matt and WHMCS - but you have no problem using their name and logo for your own interests .... so if you have such an issue, stop using their, I assume, copyrighted name and logo.
Edited May 22, 2012 by wwesn
laszlof Posted May 22, 2012
All right guys, this may be a breath of relief for some and may not be for some. Check your email address (WHMCS client portal email address) if it's validly present in the database. Thanks to the uploader of this script. For some people have reported, although they are part of WHMCS, their email address isn't present in the db dumped by hackers, so it looks like hackers weren't able to get the full db, various reasons, big db size, timeout problems etc... Fortunately, my email address isn't present there and I'm not in DB. Check here :- http://whmcs.h02.org/index.php
For the love of god, my eyes, they bleed.
scurrell Posted May 22, 2012
My time is expensive
So you keep saying. Makes me wonder how you can afford to spend so much time posting on here then.....
twhiting9275 Posted May 22, 2012
again if your system is PCI compliant your host would not have your password to give out.
Not necessarily. Who's to say that hostgator doesn't have a 'secure' system, isolated from the internet, storing these things, called up only on demand, via intranet? However, if WHMCS was PCI compliant, this wouldn't have happened, hands down. If WHMCS had their head in the game re: security, this wouldn't have happened, hands down.
gOOvER Posted May 22, 2012
Well, you bitch and moan for 6 hours straight (now almost 7 - even though apparently your time is very valuable) about Matt and WHMCS - but you have no problem using their name and logo for your own interests .... so if you have such an issue, stop using their, I assume, copyrighted material.
Which interests?? Do you know what the forum is for?? Do I earn money with the forum?? No, I don't. Do I have advertising on it??? No, I don't. SO PLEASE TELL ME, WHAT ARE MY INTERESTS WITH IT?? You little smart aleck mean you have found something to catch me?? I'm laughing about you, because of your ignorance. And stop talking in WHMCS' name. I wrote it above: Please, write a Support Ticket.
b0r3d Posted May 22, 2012
Sounds like someone with something to hide.
You talk like a professional then you instigate. Can't make heads or tails of you. Not everyone rolls like you do, not everyone has multiple cards. This simply makes light of a serious situation. You turn this in to a "Customers fault" situation. Just because some small startups don't roll like you do, doesn't mean they aren't a valued customer. Doesn't make them less of a business. If you're that large of a business wtf are you still using WHMCS for?
ExsysHost Posted May 22, 2012
Read this http://forum.whmcs.com/showpost.php?p=223716&postcount=218 Are you serious, you actually believe anything these CRIMINALS have said? Hostgator violated Requirement 8 of PCI-DSS, not WHMCS. WHMCS servers were compromised as a result of Hostgator; in addition, Twitter facilitated the crime by not taking down the information or the account. A boy in New Jersey was just convicted for manslaughter (I believe) because he released a sex tape of his roommate and his roommate killed himself. At this point, everyone should mitigate their risk; stop looking for another reason for blame. UGnazi are the guilty party; that is the only thing that I believe about them. I hope that either the Russian Mafia finds them before law enforcement; since they will be made an example or law enforcement will get them and slap them on their little baby hands.
ExsysHost Posted May 22, 2012
wrong. Hostgator violated nothing. Yes, they're a cheap company, but they violated nothing. Someone passed the security tests and they were given the information needed. UGnazi are guilty only of downloading information and making it available to the world. WHMCS is guilty of not following industry standards here. There is a lot of bad information being spread on here by people and PCI requirements and whose responsibility it is, please read my previous post and educate people correctly.
Digitalized Media Posted May 22, 2012
You talk like a professional then you instigate. Can't make heads or tails of you. Not everyone rolls like you do, not everyone has multiple cards. This simply makes light of a serious situation. You turn this in to a "Customers fault" situation. Just because some small startups don't roll like you do, doesn't mean they aren't a valued customer. Doesn't make them less of a business. If you're that large of a business wtf are you still using WHMCS for?
Who says I am a large company? I have two employees. I just would like to think that a 3rd party vendor I work with is secure with my info. At the same time, I have to be prepared for them not to be - just like I would have to be prepared for one of my employees to leave the debit card or credit card at Office Max when they pick up some supplies. I have safeguards in place for this which would prevent me from being apparently crippled for two weeks like some of these posters are stating. Apparently that makes me an a$$. I'll let Matt tackle the potential trademark infringement when he gets the whole hacked database thing figured out. Will I reply to this? Nein nein nein nein!
ExsysHost Posted May 22, 2012
Not necessarily. Who's to say that hostgator doesn't have a 'secure' system, isolated from the internet, storing these things, called up only on demand, via intranet? However, if WHMCS was PCI compliant, this wouldn't have happened, hands down. If WHMCS had their head in the game re: security, this wouldn't have happened, hands down.
But that wasn't the case, check these PCI compliance rules: http://forum.whmcs.com/showpost.php?...&postcount=218 You are required to disable passwords to your system for support techs when not in use... meaning your hosting company... meaning host gator should not have had an active password to give out.
Digitalized Media Posted May 22, 2012
Not to continue apparently sounding like an a$$, but anyone notice that the site itself is FLYING, despite the fact that it is jammed with traffic? Also, I notice that the Ticket system is back and operational here on whmcs.com. While you all are jabbering about how much this and that stinks, Matt is getting things DONE. Good job Matt.
jasona Posted May 22, 2012
And how did that go? They were pretty indifferent and hostile about the issue with me. I myself contacted CloudFlare about this, and then passed the details along as best as I could. Hackers use CloudFlare to make it a little more difficult for a power user to determine their ISP, as when you're using CloudFlare you use their nameservers, not the web host's, and this is commonly how many people identify what webhost you're using. Also the routing path will stop at CloudFlare since their machine is the one grabbing your page. However, you can still dig the reverse DNS to find out who they are hosting with.
pinarthost Posted May 22, 2012
As far as I can see, Twitter deleted the hacker's account.
gOOvER Posted May 22, 2012
Sounds like someone with something to hide.
After your last post, I believe you know this forum. [German on] But if you want, you are welcome to buy the domain. It is up for sale starting tomorrow ;. Then you can carry on there, if you come out with sentences like that. Well, my guess is a frustrated ispCP user anyway. [/german off]
gOOvER Posted May 22, 2012
As far as I can see, Twitter deleted the hacker's account.
Great, but I hope Pastebin does the same. On Pastebin all links and PW are posted.
dArFik Posted May 22, 2012
I can't find any information on how/when WHMCS is going to fix missing payments. Anyone know? Or will they not capture authorized transactions and I will have to pay again? One more... did you get an email from AJ Online Services? Are they hired by WHMCS or trying to make money on that situation? They contacted me today basically for no reason.
Edited May 22, 2012 by dArFik