Huib (posted May 21, 2012):
That's not good...

Nathanael (posted May 22, 2012):
You are spreading the leaked files, stop linking!

sol2010 (posted May 22, 2012):
We love WHMCS - Matt & Team - wishing you the best to recover from this

Si (posted May 22, 2012):
Here to support you Matt. Sweat it not!

Nathanael (posted May 22, 2012):
Well, I checked and ticket content wasn't leaked.

aegisdesign (posted May 22, 2012):
Have to say I'm curious to see what of my data is in that dump but I don't want to go looking at other people's data. Also surprised Twitter haven't given the Twitter account back to Matt yet. That's not exactly quick work on Twitter's part.

Twam (posted May 22, 2012):
Seems they are still hosted with HostGator even though hiding behind CloudFlare. I'm sure Matt and the team are handling everything to the best of their abilities, but even though it won't keep them from having the content, sending HostGator's Abuse department a notice might be able to get the current links removed.

rodeoXtreme (posted May 22, 2012, edited May 22, 2012):
I have friends from Russia that would be willing to remove the waste of them. They are much more efficient than the FBI. Hehe. I hope they catch these fools. With all kidding aside: if they were hosted by HostGator, then HG knows the account holder. I know this to be a fact because I was just in a PCI meeting where HG had a training session regarding new accounts and HG said that ALL new accounts are verified by a salesperson.

iPhone (posted May 22, 2012):
The files don't seem to be working anymore? Leads to their website. I want to see if I am listed

YoungL (posted May 22, 2012, edited May 22, 2012):
According to people over at webhostingtalk the credit card details are decryptable due to the hash being available in config files. Meaning that everyone's CC details are vulnerable. I only found out about this due to purchasing through LicensePal who emailed all of their customers. I have had no emails from WHMCS directly and I think it is time that all WHMCS customers were emailed so that they can make arrangements to prevent their credit cards and passwords being abused. Stuff like this happens from time to time but the way you deal with it is vital. The first step should have, in my opinion, been to email all of your customers to let them know of the security breach and to warn them to take measures to prevent them being victims of fraud. I can only imagine how stressful this must be for Matt and the team and of course we support them. But I think you need to work with HG and that they should seriously review their security policies. This should not be allowed to happen.

misrajitas (posted May 22, 2012):
Where is (was) whmcs.com hosted? Share this this guys made a big mistake... I will request my hosting to learn about this and do something extra to avoid this case...

Twam (posted May 22, 2012):
I would assume you are listed as well, I just checked and found myself listed too. All information including all your address/location, name, IP addresses, to server and license information such as licenses and location/directory and IP of the licenses.

JamieD (posted May 22, 2012):
So now they know what happened, the database has been released which includes all clients' credit card numbers, yet they STILL haven't emailed their customers to warn them! This is simply negligent and disgraceful behaviour. Do the right thing and email your customers!

JFOC (posted May 22, 2012):
Email is in the queue to send out???

rlshosting (posted May 22, 2012):
When I log in to these forums, it displays PHP errors.

YoungL (posted May 22, 2012):
I stand corrected. As JFOC stated the emails are likely in a queue as people are reporting to be receiving emails from WHMCS about this. I hope that WHMCS get to the bottom of this. It must be a worrying time for them.

Peter M Dodge (posted May 22, 2012):
Well, they basically now have an IP of all WHMCS installs. Hope you all have been tightening the bolts, so to speak. I know I've been putting a few more locks on my internet door, so to speak. Not that it'll keep them out if they got a hold of the source and found an exploit..

vasil (posted May 22, 2012):
I've downloaded the databases and can't see where they contain any credit card details (although I'm not sure I was able to open db in entirety). Can anyone confirm they have seen credit card details on the db?

desynced (posted May 22, 2012):
Well if you read the news feed inside of your WHMCS install, you have links to the DB, their website files, and their CPanel files. DB in rar (compressed) is 64MB, but the database itself is 806MB. WHMCS web site in rar is 249MB. "All WHMCS files including CPanel" in rar is 1.7GB. So on that note, I think they got mostly everything. Also opening this in Notepad or Write makes Windows cry. I found things by uploading it to a Linux box and grepping everything (last name, etc).

Blueberry3.14 (posted May 22, 2012):
Your Twitter has been compromised too. Yeah, the Twitter account is still being used, as recently as 38 minutes ago.

CavalloComm (posted May 22, 2012):
@desynced, since now that everyone knows their information is in the database, you should delete what you downloaded. While I understand that people may have wanted to check to see if something was there, shame on anyone else that downloads it. You know what's there, so keep out of their stuff now. It's just as criminal as the people that are downloading it for malicious activity.

sol2010 (posted May 22, 2012):
I'd rather see the team focus on getting the links removed before worrying about sending out emails. I didn't download it. Anyone who has will likely be hearing from the FBI

rodeoXtreme (posted May 22, 2012):
I don't understand that if the FBI is already involved, why are they allowing Twitter to release card holder data? Especially since there is an active crime. I see it like they are chasing a serial killer; would they wait and let the killer kill his next victim before making an arrest? I have not downloaded the files nor do I want to. We have always used temporary passwords and a user account for 3rd party support is needed and once they are finished, we immediately change the password. This is a PCI requirement. Our firm is considering filing a criminal complaint regarding the card holder data but when we spoke with our local FBI officer, they asked if an actual crime has been committed or we just lost the information - unbelievable. I hope some resolution can be resolved soon.

Blueberry3.14 (posted May 22, 2012):
I reported https://twitter.com/#joshthegod to Twitter, I can't believe they allow a known hacker group to have a Twitter account. Others need to do the same, maybe we can get their account deleted, I know it don't mean much but we can't just sit and do nothing, ya know. Maybe Twitter will notify law enforcement if enough people complain and we can get them arrested, this is considered a form of piracy in my book!

I fully agree with your line of thinking, but IME Twitter support, especially on these kinds of issues, is virtually nonexistent. I'm not telling anyone not to report this user, just that don't be surprised if Twitter does nothing. I reported a similar user for the same thing, and I got back a BS reply that Twitter "doesn't restrict freedom of speech."

FYI for this very reason what happened today is why last month their support asked me for my cPanel login and FTP, I refused to let them have it. Not that I don't trust WHMCS, I do. But because of this very issue. I am so glad I never gave them my login.

Also why I never give out my main login details to 3rd party vendors/WHMCS addon developers, etc. If access is really needed I create a new admin account and give them that, and then delete the account after the work is done. Even that's not foolproof, but it's some measure of safety.

Blueberry3.14 (posted May 22, 2012, edited May 22, 2012):
Just in case this may be of use to others reading this thread, don't forget that in addition to a client area password, you have a password here for the forums, and there may be others associated with WHMCS (blog.whmcs.com, docs.whmcs.com). Change them all. And because forums seem to be hacked so frequently, I always use an email alias/forward for all forums, that forwards to an email I read. That way if the forum gets hacked and your email address gets sold to spammers, all you have to do is delete that alias and create a different one. A few years ago I think it was WHT that got hacked (can't remember for sure, but I think it was them). This was YEARS ago, and I still get access attempts to "forum_replies@mydomain.com", which I find morbidly amusing.