WHMCS.com Hacked?


Yeah, don't hold out any hope of Twitter or Pastebin responding anytime soon, these guys love dirty news stories as it only increases traffic to them. Take PB for example, they have been used so many times by the anon hakrs grp and their abuse page says they "try hard to get back to reports of abuse within 24 hours" and then just below that, "response may take up to 7 days....." go figure!

Just got off the phone freezing my CC. Going to take cash advance out on the bank as a float to work from and then get a new card issued. That'll last until I either get paid next or get the new card, whichever happens first. Certainly reminds me I need to pay that thing off faster...

 

I suggest everyone do the same. CCs are in there. They have them. And god knows who else does since they're public.

Outside of cancelling your CC (done), what other actions are people taking to protect their internal DBs? It has been so long since I set WHMCS up that I don't recall exactly what I would need to do to un-link WHMCS from my actual cPanel.

 

I already reset access passwords to WHM on my servers, emails, logins, etc ...

Why risk it. Cancel the card and get it re-issued.

Nice reply and all related costs are for your users? I believe you have an issue here legally and binding. You store the stuff and your clients have to pay for the costs when you are in a security breach thanks to your bad Hostgator hosting setup?

 

Think you are missing an elemental issue here and that is "trust". Any idea what is at stake here for you?

 

If I have to cancel my credit card I need to pay US$ 80 fees, get a mark behind my name and every transaction for the next 3 months will be scrutinized. You think your clients should pay for these costs themselves?

 

I believe that won't legally stand, not to mention "taking responsibility towards your clients" in good governance.

 

Leo L.

Since the issue doesn't seem to be an issue with the WHMCS system itself, your systems should be ok.

 

As long as you don't use the same password for everything, you should be fine. If you used the same password for your WHMCS login as you do for anything else, I would change those passwords as the passwords will eventually be cracked.

 

For those who did access the site while the deface page was up, I don't believe there's any reason to worry about the security of your computers. The page didn't show any signs of infection as far as I saw.

 

Unfortunately virus scans won't really help in this situation (assuming there was a virus), as a hacker group like this is sure to keep their bots undetectable.

 

Give Matt some time. He's doing all he can to make things right. There's definitely a lot that could have been done, but yelling at him over and over isn't going to help. I know how stressed I am under a simple DDoS attack. I can't imagine an attack of this scale being good for his health.

 

tl;dr

I wouldn't worry about your systems. Worry more about your personal info that could have been stored in the database.

Edited by xnaspeed
Nice reply and all related costs are for your users? I believe you have an issue here legally and binding. You store the stuff and your clients have to pay for the costs when you are in a security breach thanks to your bad Hostgator hosting setup?

 

Think you are missing an elemental issue here and that is "trust". Any idea what is at stake here for you?

 

If I have to cancel my credit card I need to pay US$ 80 fees, get a mark behind my name and every transaction for the next 3 months will be scrutinized. You think your clients should pay for these costs themselves?

 

I believe that won't legally stand, not to mention "taking responsibility towards your clients" in good governance.

 

Leo L.

 

No bank should charge for a replacement card. Maybe banking culture is different there but at least here, they do try and help you protect your money, or get it back when fraud occurs.

 

Breaches happen, even to the biggest of companies. Hell, an old address of mine might be out in the public but at least here in the UK, a Directors address is generally easily found anyway.

 

WHMCS Ltd will have to report themselves to the ICO (http://www.ico.gov.uk/) in the UK due to the breach of data that occurred. They would then decide if WHMCS Ltd acted negligently with their clients' data. As to whether WHMCS Ltd is registered as a data collector or not, is another matter in its own right.

 

The ICO is pretty much as useless as a chocolate fire guard though, so I wouldn't expect anything to happen or any fines raised for it.

 

Matt

I'm amazed how people are talking about security here and their own website is not even secure enough! lol

 

Stop it guys....no system is 100% secure! WHMCS is not the first company which is a victim of such kind of attack, even US military contractor Lockheed Martin was hacked!

 

So stop blaming WHMCS and just change your password, whmcs admin URL and if your credit card info was stored then it's your own mistake...you need to take care of your own stuff....

All this talk about reporting to Twitter and they do nothing will not stand, it is up to us all to hold Twitter accountable for their inaction. The hacker Twitter site has pics of Hitler all over it. EXCUSE ME? That in itself is cause for deletion and perm ban in my book.

 

Look folks, we all have to stand up to Twitter. If they think this is a game to boost their ratings through other people's misery and drama then we all need to put a stop to that bs, delete your Twitter account, boycott Twitter and put them out of business, period. This will not stand, if they don't take this seriously and play this kind of garbage off as marketing then let's see how they like being out of business.

 

The people of the world have stood up to injustices before and have taken down bigger companies than Twitter. So I say let us send a message to the Twitters and other companies that we trust to stop playing games when it comes to our privacy and put a stop to this kind of garbage once and for all. The only reason they get away with it is because we let them.

 

I have no problem boycotting Twitter and any other company that allows these kinds of people to tweet such criminal behavior and to have accounts to do so. To me Twitter is one of those disposable companies that we can live without anyway.

 

And for Matt, I am sorry you had this happen to you and your company. I have had my server hacked once before and it was nothing as serious as what this was for you and I was miserable, I can't even imagine what this was like for you. I hope you can get this behind you and I hope your personal life does not suffer because of your privacy violation.

 

Let this be a lesson to each of us that we may spend tons of money on security and coding and all the other things, but if you are a business owner and you do not protect your personal information like gold, someone out there is just waiting to get it and use it. We all suffer, the company, customers, everyone.

I am not saying that Matt was lax, I am saying that we all need to look at how we use our personal information in our companies and who has it and how that information and power privilege is used. This goes from the lowest paid employee right to the very top of who has our data and what they do with it.

 

As company owners our company is only as strong as our weakest link. I don't know if maybe Matt or any of us should be consulting a professional security advisor or not, I have considered it myself many times. I keep saying one day when I'm big enough I will do that, but maybe the time is now, who knows. I guess the crooks are the ones who know if you don't.

 

Anyway I don't want to babble but I am firm in my belief that if Twitter does not take this seriously and uses this as some kind of marketing ploy while others suffer, I will make it my mission to put them out of business, whether it be through public outcry or the legal system or both. We should not sit by and let this crap continue to happen.

 

Sorry for being so long winded.

 

Good luck Matt and WHMCS crew. Hang tough!!

 

PS I guess everyone is trying to update their account, I just tried to go into WHMCS and change my pw, email and cc info and got the dreaded cannot load page. So I guess the site is being overloaded now. Guess I'll try later.

I wanted to be clear here, WHMCS does not have my cPanel login, so if I change my WHMCS login, pw, email, I should be fine right?

What about my license, do they issue me a new one or just leave it as is?

Edited by durangod
I've downloaded the databases and can't see where they contain any credit card details (although I'm not sure I was able to open db in entirety). Can anyone confirm they have seen credit card details on the db?

Credit card details are in the database, yes.

 

So stop blaming WHMCS and just change your password, whmcs admin URL and if your credit card info was stored then it's your own mistake...you need to take care of your own stuff....

So, you're saying that it's acceptable for a company the size of WHMCS to rely on cheap hosting for 'security'? This isn't the first time this has happened, and no it's NOT acceptable. Ignoring security is never acceptable, and the vulnerabilities here are nothing more than catastrophic.

 

The fact that thousands of individuals have their credit card information revealed because of someone's incompetence and poor security here should be a huge red flag. We need to not let up on this until we are assured that this can never happen again!

We need to not let up on this until we are assured that this can never happen again!

 

And you'll be waiting a long time. You can *never* get an assurance that it'll *never* happen again. It's not something you can *ever* know.

I really feel bad for Matt. Keep your head up, fella,

 

Fact is, is that hackers can pretty much do whatever they want, despite the best efforts to keep them out. These guys are really, really good. Their resume at least is pretty solid.

 

The CC I use for online expenses like these is a pre-paid MC through NetSpend, so there really isn't much that can be done against it. I just reported it lost/stolen, and in the interim until I get a new card, I'll use a virtual card number. No biggie really.

 

If a hacker really wants to hack into any website, they can. All we can do is be as responsible with our info as possible, and always have fresh backups available.

 

Hackers will always, always, always be at least 2 steps ahead of security measures.

Just read a couple new threads, and I'll say this right up front. Matt, I support you and wish you the best and hope you recover, but with what I just read, I better not find out (with proof) that you went with cheap ass hosting and put security second, that will not stand in my book. I hope and pray that was not the case and maybe it's just something that got blown out of proportion, gosh man I hope that is not true.

Just read a couple new threads, and I'll say this right up front. Matt, I support you and wish you the best and hope you recover, but with what I just read, I better not find out (with proof) that you went with cheap ass hosting and put security second, that will not stand in my book. I hope and pray that was not the case and maybe it's just something that got blown out of proportion, gosh man I hope that is not true.

hostgator = as cheap as it gets for dedicated servers

If they invoice me before I get my new CC they're going to hear a mouthful, I'm just putting that out there now.

 

Remember, it is an automated system. I am sure considering the circumstances that they will be willing to accept it in due time.

Remember, it is an automated system. I am sure considering the circumstances that they will be willing to accept it in due time.

 

If it hits my CC account while it's frozen there'll be problems for me, which will then be transferred as much larger problems for them, since I've asked them in a ticket to remove the card from their system.

Matt - hope you and your team can stay healthy through this and wish you the best to bring this disaster under control. I'm sure it must be a massive headache / heartache.

 

Although I am also disappointed to hear that you use HG and live chat to manage your business, now is not the time to focus on this. I'm sure you'll provide answers in due course (if not to restore your pride, then to save your business?)

 

As for people wanting assurances - let's face it, anyone can get hacked even the US military.

 

It only takes one determined person or group to target you - whatever the reason (and these guys seemed pretty determined) and then you're Royally Fu*ked.

 

As for Twitter - yes, they need to be held accountable. But I'm not sure even if 2,000 people hung up their accounts whether they would listen! It would probably take 50,000 for them to pay attention and do you think we could achieve that, given WHMCS is a niche product (even though the story is not)?

As for people wanting assurances - let's face it, anyone can get hacked even the US military.

Yes, but does the military use a five-and-dime hosting co?

Does the military store everything on one server without basic protections?

 

The answer to each is no.

The reality is that this isn't something that can be as easily blown off as "anyone can get hacked even the US military". We pay WHMCS, we have the right to expect privacy and security. We have every right to be upset over this.

 

Remember, WHMCS took over as #1 from someone else because of their own incompetent decisions. This is very possible to be done here, and should be done, as a response to this poorly handled business situation.

I have to partly agree with sol2010 here... yes, getting hacked is without a doubt going to happen when you are targeted... I have worked in the information systems security industry for years and what I have learned over the time is, while you can secure your systems to a point before they become unusable, the most important part of security is limiting what the attacker can do once he has gained access.

 

Social engineering attack or not, there are a number of things Matt and team can do going forward to better safeguard our data.

 

1) Don't use bargain hosts... check out SoftLayer, they have network level intrusion detection and prevention systems; while these don't prevent all, they do help minimize attacks that Host Gator does not.

 

2) WHMCS uses CDGCommerce to process their credit cards.... Hint to WHMCS: start using the Quantum Vault module you guys developed... Quantum has teams of security specialists who perform regular, not partial but full, PCI compliance audits. This way our credit card info remains safe even if you are compromised.

 

3) Use SSH keys, quit requesting that we send you passwords for SSH/FTP... you can post your public key in the client area and we can place it on our server when you need access.... This is in practice at a number of development groups; one that comes to mind immediately is the CloudLinux Support team. Also never put your private key on public servers, just keep it on your private desktop support PCs.

 

4) Do something similar for the control panel... some sort of certificate authentication or something which results in a handshake and only your support specialists have access to the key. I say "some sort of" here because there are a number of ways, some more restrictive than others, so it would be up to you to decide which one is secure enough and easy enough to implement on your customers' WHMCS installs.

 

5) I know this was a social engineering attack but let's face it, if you didn't give your server passwords to Host Gator they couldn't have logged in or reset them, unless you are on HG shared hosting? Again drop HG for SoftLayer then hire a server management firm which specializes in security; with a 3rd party management team a social engineering attack would never work as the attacker has no way of knowing who the provider is.

 

6) Don't use passwords at all... your servers should have passwords disabled, SSH keys should be used.... this is part of PCI compliance... so what you have told us is that our credit card information was being stored on a server which does not pass PCI compliance. Visa and MasterCard frown on this (see point #2).

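Points 3 and 6 above boil down to one server-side policy: sshd accepts keys and refuses passwords. The script below is an added example, not code from this thread, from WHMCS or from any host named in it; it audits an OpenSSH sshd_config against that policy using OpenSSH's own keyword names and defaults, and the two sample configs it checks are constructed for the demonstration. It reads only the global section (anything under a Match block is out of scope), which is an assumption to keep the parser short.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenSSH sshd_config for the
# "keys, not passwords" policy. Keyword names and defaults are OpenSSH's;
# the two sample configs further down are constructed for this demo.

# Print the effective value of a keyword. sshd takes the first occurrence,
# ignores comment lines and matches keywords case-insensitively. Only the
# global section is read: parsing stops at the first Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare one keyword with the value the policy requires. $4 is what sshd
# assumes when the keyword is absent. Prints a finding to stderr and
# returns 1 on a miss, 0 when the setting is acceptable.
expect_setting() {
    actual=$(sshd_effective "$1" "$2")
    [ -n "$actual" ] || actual="$4"
    if [ "$actual" = "$3" ]; then
        return 0
    fi
    echo "FINDING: $2 is '$actual' (want $3)" >&2
    return 1
}

# Print the number of findings for a config file; 0 means it passes.
count_sshd_findings() {
    n=0
    expect_setting "$1" PasswordAuthentication no yes || n=$((n+1))
    expect_setting "$1" PermitEmptyPasswords no no || n=$((n+1))
    expect_setting "$1" PubkeyAuthentication yes yes || n=$((n+1))
    # Keyboard-interactive (PAM) logins still take a password, so they must
    # be off too; older OpenSSH spells this ChallengeResponseAuthentication.
    expect_setting "$1" KbdInteractiveAuthentication no yes || n=$((n+1))
    # Root may at most log in with a key (OpenSSH default: prohibit-password).
    root=$(sshd_effective "$1" PermitRootLogin)
    case "${root:-prohibit-password}" in
        no|prohibit-password|without-password) ;;
        *) echo "FINDING: PermitRootLogin is '$root' (want no or prohibit-password)" >&2
           n=$((n+1)) ;;
    esac
    echo "$n"
}

# Constructed sample: a password-driven box of the kind the post warns about.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed weak config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample: the same host after the fix (keys only, no PAM prompt).
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# constructed hardened config
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

echo "weak config findings: $(count_sshd_findings "$WEAK_CFG")"
echo "hardened config findings: $(count_sshd_findings "$HARDENED_CFG")"
```

Run against a real host with `count_sshd_findings /etc/ssh/sshd_config`; a non-zero count is the list of keywords to change before the PCI conversation in point 6 even starts. Note that the weak sample is flagged three times, not once: root login, password authentication and the unset (and therefore enabled) keyboard-interactive prompt each leave a password path open on their own.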
I have to partly agree with sol2010 here... yes, getting hacked is without a doubt going to happen when you are targeted... I have worked in the information systems security industry for years and what I have learned over the time is, while you can secure your systems to a point before they become unusable, the most important part of security is limiting what the attacker can do once he has gained access.

 

Social engineering attack or not, there are a number of things Matt and team can do going forward to better safeguard our data.

 

1) Don't use bargain hosts... check out SoftLayer, they have network level intrusion detection and prevention systems; while these don't prevent all, they do help minimize attacks that Host Gator does not.

 

2) WHMCS uses CDGCommerce to process their credit cards.... Hint to WHMCS: start using the Quantum Vault module you guys developed... Quantum has teams of security specialists who perform regular, not partial but full, PCI compliance audits. This way our credit card info remains safe even if you are compromised.

 

3) Use SSH keys, quit requesting that we send you passwords for SSH/FTP... you can post your public key in the client area and we can place it on our server when you need access.... This is in practice at a number of development groups; one that comes to mind immediately is the CloudLinux Support team. Also never put your private key on public servers, just keep it on your private desktop support PCs.

 

4) Do something similar for the control panel... some sort of certificate authentication or something which results in a handshake and only your support specialists have access to the key. I say "some sort of" here because there are a number of ways, some more restrictive than others, so it would be up to you to decide which one is secure enough and easy enough to implement on your customers' WHMCS installs.

 

5) I know this was a social engineering attack but let's face it, if you didn't give your server passwords to Host Gator they couldn't have logged in or reset them, unless you are on HG shared hosting? Again drop HG for SoftLayer then hire a server management firm which specializes in security; with a 3rd party management team a social engineering attack would never work as the attacker has no way of knowing who the provider is.

 

6) Don't use passwords at all... your servers should have passwords disabled, SSH keys should be used.... this is part of PCI compliance... so what you have told us is that our credit card information was being stored on a server which does not pass PCI compliance. Visa and MasterCard frown on this (see point #2).

 

Extremely well said.
