Jump to content

WHMCS.com Hacked?

jasonmccurry
 Share

Recommended Posts

  • Replies 525
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Mark_J Junior Member

Mark_J

Posted
Posted
I just want to say for that if anyone has ever bothered to read the patriot act, this is an act of terrorism against a company. In addition to violating multiple US and international laws.

 

the FBI should be involved at this point, but the blame falls on the lax security at HG. However as this is a UK based company, their version of the cyber crimes division should be involved.

 

We do not know which government agencies are involved at this point, and we do not need to make guesses and supposition as to the legal issues.

 

From what I've read, the email account belonging to Matt was also compromised. That doesn't sound like an exclusive HG issue to me.

 

I don't know about who gets punished or classified as terrorists but it would appear that with just a little more attention directed to security measures this specific event could have been prevented. There are also very alarming PCI Compliance issues that have apparently been brought to light as a result of all this.

Link to comment
Share on other sites
Pulsar132 Junior Member

Pulsar132

Posted
Posted

They impersonated him on host gators live chat.

 

It's something like that. I'm on my iPad ATM so don't have the download to hand. But it shows the chat transcript of matt and the host gator live help person. It seems host gator took their time shutting the server off.

Link to comment
Share on other sites
Mark_J Junior Member

Mark_J

Posted
Posted
They impersonated him on host gators live chat.

 

It's something like that. I'm on my iPad ATM so don't have the download to hand. But it shows the chat transcript of matt and the host gator live help person. It seems host gator took their time shutting the server off.

 

So much conflicting information out there it's hard to know what really happened...

Link to comment
Share on other sites
BobC Member

BobC

Posted
Posted
Aside from the fact that deleting them won't be any help, you cannot delete the card details, only change them...

 

I would advise cancelling the card anyway.

 

Deleting of one's own CC data should NOT be prohibited. After all, it is the client's information, not WHMCS' information.

Link to comment
Share on other sites
twhiting9275 Senior Member

twhiting9275

Posted
Posted
Aside from the fact that deleting them won't be any help, you cannot delete the card details, only change them...

You may have to get support to do this?

It may have to do with a service you're using, not sure.

I know when I first tried, I couldn't, but then support said to try again, and there was a link at the top of https://www.whmcs.com/members/clientarea.php?action=creditcard to do so.

Link to comment
Share on other sites
BobC Member

BobC

Posted
Posted
Yeah, assuming the "Reset" automatically changes your password and sends you a new one.. so trying my old one would probably not work.

 

You log in using the old one, then change it in the portal. Don't do it via email.

Link to comment
Share on other sites
AndyJ Junior Member

AndyJ

Posted
Posted (edited)

Just because I'm dumb, how exactly is HG to blame? HG Policies state that if you are able to contact and verify from your primary email, they will give you the information you request.

 

So, Assuming that the email was hacked (which it was since the twitter was comp'd too), then the security problem falls on the comp'd email account. Which I will guess (purely guess) was based on an unsecure cpanel server. The logic that HG replying to a verfied owners email is like saying, its twitters fault that the forgot password button sent back the twitter password too.

 

Don't shift blame. It was a mistake, the email got comp'd, it caused the problems all the way down the food chain. It sucks, its causing horrible problems, lots of legal issues involved, but at the end of the day. the email got comp'd. Done and Done. In the future matt needs to not use his famous whmcs email for all his secure accounts.

 

I'm not mad at HG for releasing the data, at twitter for having a forgot password button, and i'm not mad at matt for the hack. Its a good learning lesson for all, so many people use easy emails for all their secure stuff, and a simple hack of email can give someone access to your life.

Edited by AndyJ
Link to comment
Share on other sites
CavalloComm Senior Member

CavalloComm

Posted
Posted

All I would like to say is SHAME on all of you blasting WHMCS on this.

READ THE NEWS, these people are the bad guys for doing this, not WHMCS, and not the others they have hacked.

 

Let WHMCS clean this up and STOP IT.

 

And SHAME on you people that went and downloaded their data from the hackers site, YOU LET THEM WIN, and you people have violated all of us just as much as the did.

 

SHAME!!!!!!

 

Let WHMCS do their job here and get this cleaned up. You ALL with your comments are not helping.

 

Take this as a lesson and worry about your own companies and are sure YOU are safe and stop wasting your time worrying about Matt and his company. I am sure he knows what to do.

Link to comment
Share on other sites
Mark_J Junior Member

Mark_J

Posted
Posted
All I would like to say is SHAME on all of you blasting WHMCS on this.

READ THE NEWS, these people are the bad guys for doing this, not WHMCS, and not the others they have hacked.

 

Let WHMCS clean this up and STOP IT.

 

And SHAME on you people that went and downloaded their data from the hackers site, YOU LET THEM WIN, and you people have violated all of us just as much as the did.

 

SHAME!!!!!!

 

Let WHMCS do their job here and get this cleaned up. You ALL with your comments are not helping.

 

Take this as a lesson and worry about your own companies and are sure YOU are safe and stop wasting your time worrying about Matt and his company. I am sure he knows what to do.

 

I wonder, would you be saying the same thing about your Bank if your bank had inadequate security measures that led to the hacking of their database and your financial information was compromised?

 

Blame falls where it falls and ultimately WHMCS is fully responsible for the security of any financial/personal information of mine that they store.

 

But our best bet is to wait and see what happens. Once everything's sorted I'm sure WHMCS will post a summary.

 

I'm sure they will, but how credible will any statement from WHMCS be? They told us our financial information would be safe with them as well and we see how accurate that turned out...

Link to comment
Share on other sites
CavalloComm Senior Member

CavalloComm

Posted
Posted

@Mark_J

My bank was hit as well. They did what they should have done, and I am sure WHMCS will to.

If you are so mad, and so distraught, why don't you just cancel your card, delete WHMCS and move on instead of posting anymore? Stolen cards happen ALL THE TIME, so you cancel, watch your statement and get a new one.

 

Let WHMCS sort this out, and AGAIN, worry about our OWN business. Obviously you are not busy enough with that to be posting on here.

Link to comment
Share on other sites
Hitakashi Junior Member

Hitakashi

Posted
Posted
Just because I'm dumb, how exactly is HG to blame? HG Policies state that if you are able to contact and verify from your primary email, they will give you the information you request.

 

So, Assuming that the email was hacked (which it was since the twitter was comp'd too), then the security problem falls on the comp'd email account. Which I will guess (purely guess) was based on an unsecure cpanel server. The logic that HG replying to a verfied owners email is like saying, its twitters fault that the forgot password button sent back the twitter password too.

 

Don't shift blame. It was a mistake, the email got comp'd, it caused the problems all the way down the food chain. It sucks, its causing horrible problems, lots of legal issues involved, but at the end of the day. the email got comp'd. Done and Done. In the future matt needs to not use his famous whmcs email for all his secure accounts.

 

I'm not mad at HG for releasing the data, at twitter for having a forgot password button, and i'm not mad at matt for the hack. Its a good learning lesson for all, so many people use easy emails for all their secure stuff, and a simple hack of email can give someone access to your life.

 

From what I understand, They ANSWERED the security questions that Matt put. Not the email account. The guy CHANGED the email account on hostgator, which someone should have noticed that someone just called up to get the password and then changes the email...Hmmmm.

 

Most likely the password from HostGator was the same as Twitter, Or the password was stored in WHMCS for all we know.

Link to comment
Share on other sites
Peter M Dodge Member

Peter M Dodge

Posted
Posted
@Mark_J

Let WHMCS sort this out, and AGAIN, worry about our OWN business. Obviously you are not busy enough with that to be posting on here.

 

You saying someone posting here isn't paying enough attention to their business while yourself posting here, is both unhelpful, and hypocrisy. Please stop making personal attacks against posters. People have a legitimate reason to be upset about this. Proper security measures outlined by VISA and MasterCard were NOT taken here and this DIRECTLY CONTRIBUTED to the extent of the hack.

 

As was said on WHT, you can't stop a determined hacker, but you CAN prevent them from getting anything useful if they do get into the server, and that's precisely what WHMCS failed to do.

Link to comment
Share on other sites
Hitakashi Junior Member

Hitakashi

Posted
Posted (edited)
I wonder, would you be saying the same thing about your Bank if your bank had inadequate security measures that led to the hacking of their database and your financial information was compromised?

 

Blame falls where it falls and ultimately WHMCS is fully responsible for the security of any financial/personal information of mine that they store.

 

 

 

I'm sure they will, but how credible will any statement from WHMCS be? They told us our financial information would be safe with them as well and we see how accurate that turned out...

 

Just gonna say, http://www.google.com/search?client=opera&rls=en&q=bank+hacked&sourceid=opera&ie=utf-8&oe=utf-8

 

Nothing is 100% secure, Yes they banks have very very high security measures, But that doesn't mean that it can't be bypassed by persistent hackers.

 

Although I do agree, WHMCS could have done something better, Never used Host Gator in the first place. They have horrible reputation.

 

Also does anyone else noticed that whmcs.com redirects to whmcs.com/<randomstring> then back to whmcs.com

Edited by Hitakashi
Link to comment
Share on other sites
ExsysHost Senior Member

ExsysHost

Posted
Posted
All I would like to say is SHAME on all of you blasting WHMCS on this.

READ THE NEWS, these people are the bad guys for doing this, not WHMCS, and not the others they have hacked.

 

Let WHMCS clean this up and STOP IT.

 

And SHAME on you people that went and downloaded their data from the hackers site, YOU LET THEM WIN, and you people have violated all of us just as much as the did.

 

SHAME!!!!!!

 

Let WHMCS do their job here and get this cleaned up. You ALL with your comments are not helping.

 

Take this as a lesson and worry about your own companies and are sure YOU are safe and stop wasting your time worrying about Matt and his company. I am sure he knows what to do.

 

I was done posting to this topic but sorry this is just ignorance... SHAME on you for saying we should take this as a lesson about our own companies and to stop wasting our time worrying about matt... Wakeup call dude... when he stores information about our companies and card holder data in a non PCI compliant manner then yes it is that we are worrying about our companies and how he is handling OUR companies information. I don't think you quite get the seriousness of this... it wasn't the attackers fault... if Matt had followed PCI compliance regulations this would have never happened, and like most of you are saying it definitely was not Host Gators fault either, if Matt had followed PCI compliance regulations they would have never had the password to give out in the first place and the attack would not have happened... Wake up people regardless of the situation PCI compliance ultimately falls upon the company who is accepting credit cards, not their host, not their merchant provider, them.

 

With that said no one here wants to see WHMCS get into any trouble over this, WHMCS is at the core of all of our businesses, the only thing people want to see out of this is that going forward, Matt implements PCI compliance regulations on his systems...We have that right

 

and if we as web hosts cannot do PCI compliance, and Matt who creates the billing system cannot do PCI compliance, then how can we expect anyone else to? The internet is screwed if we follow advice like yours... Matt should be leading by example here just like the gateways are expected to do so.

Link to comment
Share on other sites
b0r3d Member

b0r3d

Posted
Posted
All I would like to say is SHAME on all of you blasting WHMCS on this.

READ THE NEWS, these people are the bad guys for doing this, not WHMCS, and not the others they have hacked.

 

Let WHMCS clean this up and STOP IT.

 

And SHAME on you people that went and downloaded their data from the hackers site, YOU LET THEM WIN, and you people have violated all of us just as much as the did.

 

SHAME!!!!!!

 

Let WHMCS do their job here and get this cleaned up. You ALL with your comments are not helping.

 

Take this as a lesson and worry about your own companies and are sure YOU are safe and stop wasting your time worrying about Matt and his company. I am sure he knows what to do.

 

I don't think you understand what reality is. The upset is about how our financial information is stored. You can't really avoid a hacking attempt if the hackers are good at what they do.

 

WHMCS my friend is absolutely, positively 100% responsible should they decide to encrypt our personal and financial information and or store it on a local intranet away from prying eyes.

 

The hacking attempt and success was unavoidable if the hackers are good. UGN are very good at what they do. If you found out the banks were storing your personal information unencrypted in a database and they were hacked, are you seriously telling me you wouldn't be a little upset the banks didn't take better precautions to avoid an attempt such as this?

 

You can't stop it but you can make it pointless to hackers to steal info if it's stored on an intranet or a decent encryption.

 

Lastly, don't start "SHAMING" us for downloading the information. I didn't download crap all for personal use. I downloaded it to cross my fingers and hope MY INFORMATION was NOT in the sql dump including my support tickets. Unfortunately it was (My profile not support tickets). I could care less about any other bits.

 

So get off your high horse and pipe down. It's a breach of trust. Your bank isn't exempt, Your insurance company isn't nor is WHMCS. We entrust our private details to avoid identity theft is stored safely and securely. Don't go SHAMING innocent people, innocent customers for being upset.

 

Get over yourself

Link to comment
Share on other sites
Nexxterra Senior Member

Nexxterra

Posted
Posted

Actually, Like a rape victim that may have dressed a little provocative, WHMCS and their clients are NOT %100 responsible, they are the victim.

I am sure that Matt feels horrible, but most importantly, both Matt and us as the victims can learn some valuable lessons.

I was up for a few hours changing all passwords for all servers and related services. My payments have all been through paypal, always will be when available!

The information that will be mined from the downloads made available to the public in my case, will contain useless information.

Matt, We still love ya!, a suggestion, all my security questions I have even with my bank, are answered incorectly IE: moms maiden name I may have answered with my favorite colour.... harder to remember, but harder to guess too!

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated

  I accept