WHMCS.com Hacked?

[Peter M Dodge]

I contacted my Credit Card company last night. We went through the account manually and examined the transactions and balance.

 

I am not happy.

 

I am not going to soapbox here, I'm just going to say one thing:

 

My credit card was compromised as a direct result of this hack.

 

I'm having the CC company send me a full detail statement of the accounts, trace #s everything to do my own fraud investigation in cooperation with them.

 

If you had a CC in their system you need to talk to your CC company right now, if you haven't already.

Edited May 22, 2012 by Peter M Dodge

[minadreapta]

anyone here knows if domain reseller information is compromised? eg: ResellerClub details and passwords, Enom, etc. Anything bought/received for free from WHMCS ?

 

thanks.

[ExsysHost]

Not to continue apparently sounding like an a$$, but anyone notice that the site itself is FLYING, despite the fact that it is jammed with traffic? Also, I notice that the Ticket system is back and operational here on whmcs.com. While you all are jabbering about how much this and that stinks, Matt is getting things DONE.

 

Good job Matt.

 

Glad he is getting things back online, but this is not the first time this has happened, most of us are concerned with what he is going to be doing going forward to make this not happen again...

 

Like following PCI compliance rules and regulations, or moving our card data from the Quantum Gateway to the Quantum Vault where they are protected from such attacks.

 

There is a history here and it is not too much for us to ask that our cards be protected when they have let us down twice now in this regard.

[WebsiteIntegrations]

yes we know, we've read it the 1st 20 times you've posted

[Peter M Dodge]

I think will be filing a full complaint to VISA regarding my card having been stored and thus compromised in a system that was not following PCI compliance.

 

Also, relevant to the hack, this popped up on WHT as a link:

http://pastebin.com/KrRG81e4

[dotter]

anyone here knows if domain reseller information is compromised? eg: ResellerClub details and passwords, Enom, etc. Anything bought/received for free from WHMCS ?

From what is currently known, everything you shared with WHMCS via email/support tickets is compromised.

 

Remote installations have not been compromised, but very important data (like IP, path) of all remote installations has been made public.

[WebsiteIntegrations]

Also, relevant to the hack, this popped up on WHT as a link:

http://pastebin.com/KrRG81e4

 

so that picture on there is supposedly the punk behind this?

[MarkEliasen]

More info here: http://whmcs-hacker.soup.io/

[Peter M Dodge]

so that picture on there is supposedly the punk behind this?

 

Supposedly, according to this other hacker group, however I know for a fact the information they have about the CloudFlare directconnect and hosting is correct, so I don't have reason to question the personal details they also gathered.

[twhiting9275]

On a completely relevant (??) note, I just got off the phone with PayPal, and here's what they suggested.

 

Since my own business needs this card (esp. around this time of the month), it's important for me to have the card (or an alternative) on hand @ all times... For people like me, they suggested the following

 

1. Login to Paypal
   
2. Click on the 'debit card' link on the right side.
   
3. Towards the top of the page, find 'Request a new card'
   
4. Request a new card... [1]
   
5. Wait 7-10 days
   
6. When card arrives, deactivate old one, report it lost/stolen [2]
   

 

 

[1]This must be done under a new name, but it can be a derivative of yours. For example, Tom/Thomas/Tommy , Bill/William/Billy, etc. According to the person on the phone, this doesn't matter

 

[2]If you do wait, make sure that you keep a very close eye on your paypal transactions for the next few days. Obviously, if something comes up, let them know immediately, and report it stolen.

[jonhardison]

Is anyone else getting emails from companies that pulled the leaked info already? Man this sucks. Changed all the PWs already but do we even know for sure they're not getting those too?

[Peter M Dodge]

Is anyone else getting emails from companies that pulled the leaked info already? Man this sucks. Changed all the PWs already but do we even know for sure they're not getting those too?

 

I have not, but it seems inevitable that there will be a typical mix of profiteers looking to make a buck off the release, and spammers who will harvest the emails in the database.

[easyhosting]

very important data (like IP, path) of all remote installations has been made public.

 

this has always been available by adding /?licensedebug to the end of the installation URL

[easyhosting]

Is anyone else getting emails from companies that pulled the leaked info already? Man this sucks. Changed all the PWs already but do we even know for sure they're not getting those too?

 

yes got 1 from AJ Online Services. reported this as spam to spamcop and to the senders server provider (RackSRV) and ISP (Virginmedia) and both are going to take action as they have used stolen information

[dotter]

this has always been available by adding /?licensedebug to the end of the installation URL

not the path. but ok, all this on itself is not that important...

 

the problem I see is that if an exploit in WHMCS is discovered, the leaked DB could be used to take advantage over remote installations. it just makes things that much easier.

[Peter M Dodge]

yes got 1 from AJ Online Services. reported this as spam to spamcop and to the senders server provider (RackSRV) and ISP (Virginmedia) and both are going to take action as they have used stolen information

 

Good on you. Anyone who gets spam as a result of this leak should report them to their respective ISPs for both hosting and connection as it is using stolen information as noted.

 

I haven't received any yet, although it may just be that my spam filter has caught them and deleted them.

[Digitalized Media]

That. Is. Fantastic. Would you believe me if I told you I have a relative down state that went to school with this kid?

[gromett]

Got the ajonline services one as well. How bloody irritating.

[everythingweb]

What's the spam about? Just regular spam?

[ecayer]

We are also being spammed by these guys

 

http://www.smartbrief.com/index.jsp

 

whmcs@ajonlineservices.co.uk

[Peter M Dodge]

The one I saw floated on WHT was basically profiteering: they'll secure your website which uses the "clearly insecure" WHMCS stuff for a low fee! Or something like that. The WHT thread's grown another 10 pages and I don't feel like wading through it again to find it.

[easyhosting]

The WHT thread's grown another 10 pages and I don't feel like wading through it again to find it.

 

I stopped reading after page 30 and most of them were just repeated info as users could not be bothered to read through the other pages

Edited May 22, 2012 by easyhosting

[Hitakashi]

Really guys? If they didn't get access from hostgator then they probably would have hacked it either way. You all should blame hostgator a bit more, they gave them the details to the hackers and allowed them to get the password email. They should have not given the password to a number that wasn't Matt number.

 

Either way, whmcs probably would have been hacked either way.

[easyhosting]

Pastebin have now taken down the download page 8 hrs after i reported this to them

[Hitakashi]

Yea I reported the pastebin about 1 hour ago.