
WHMCS Data Compromised By Good Old Social Engineering

Unknown Lamer posted about 2 years ago | from the the-classics-never-get-old dept.

Security 87

howhardcanitbetocrea writes "WHMCS has had 500,000 records leaked, credit cards included, by hackers calling themselves UGNazis. Apparently UGNazis succeeded in obtaining login details from the billing software's host by using social engineering. UGNazis accuse WHMCS of knowingly offering services to fraudsters. After almost 24 hours UGNazis still seem to have control of the WHMCS Twitter account @whmcs and are regularly updating their exploits. These tweets are also feeding into WHMCS software."


87 comments

In case you wonder who or what WHMCS is... (5, Informative)

clickety6 (141178) | about 2 years ago | (#40075585)

"WHMCS is an all-in-one client management, billing & support solution for online businesses." For some reason, their website is currently down..

Re:In case you wonder who or what WHMCS is... (1)

Anonymous Coward | about 2 years ago | (#40075633)

For some reason, their website is currently down..

You didn't refresh enough... I got it to come up.

Re:In case you wonder who or what WHMCS is... (4, Funny)

Mathinker (909784) | about 2 years ago | (#40075685)

> "WHMCS was an all-in-one client management, billing & support solution for online businesses."

FTFY

Re:In case you wonder who or what WHMCS is... (1)

Kalriath (849904) | about 2 years ago | (#40081765)

Web hosts didn't stop using WHMCS when it was discovered that you could submit a ticket which WHMCS would execute as PHP, allowing entire databases to be stolen (no social engineering involved) - this sure isn't going to stop them.

Re:In case you wonder who or what WHMCS is... (0)

Anonymous Coward | about 2 years ago | (#40081921)

and Hostgator.com (the stupid fucks who got duped) WAS a "world-leading provider of web hosting service" (quote from hostgator.com)

captcha: fooled

Re:In case you wonder who or what WHMCS is... (1)

Anonymous Coward | about 2 years ago | (#40078145)

This is exactly the first question I had. Dammit slashdot, why wouldn't this be in the summary? Isn't it kind of important WHO this victim is?

I need to find a better tech news source. This is infuriating.

Re:In case you wonder who or what WHMCS is... (1)

mcgrew (92797) | about 2 years ago | (#40078287)

Thank you. How hard would it have been for the submitter to include that in the summary? What would a nerd know about client management and billing, except for writing software for it?

What does WHMCS stand for, anyway?

Re:In case you wonder who or what WHMCS is... (0)

Anonymous Coward | about 2 years ago | (#40078551)

To the best of my knowledge: WHM Complete Solution

It was designed to provide a fully automated solution for WHM/cPanel-based hosting servers but has since been expanded to include support for other platforms and control panels. The name stuck, though.

Of course the above is to the best of my knowledge. I could be wrong.

Passwords Are Safe, But ... (2)

WrongSizeGlass (838941) | about 2 years ago | (#40075605)

the passwords are “stored in hash format” so they’re safe, but the credit card information may be at risk, along with the contents of all the recently submitted tickets.

How do companies repeatedly let this happen? Encrypt that shit!

Re:Passwords Are Safe, But ... (1)

another random user (2645241) | about 2 years ago | (#40075645)

How do companies repeatedly let this happen? Encrypt that shit!

"WHMCS is an all-in-one client management, billing & support solution for online businesses" - and would anyone now trust this to store their billing data in as they obviously can't keep their own billing data safe.

Re:Passwords Are Safe, But ... (3, Insightful)

P-niiice (1703362) | about 2 years ago | (#40075657)

It was social engineering. Encryption cannot help with human gullibility.

Re:Passwords Are Safe, But ... (3)

WrongSizeGlass (838941) | about 2 years ago | (#40075695)

It was social engineering. Encryption cannot help with human gullibility.

But encryption can protect sensitive data if security is ever breached.

Re:Passwords Are Safe, But ... (5, Informative)

bmo (77928) | about 2 years ago | (#40075783)

>But encryption can protect sensitive data if security is ever breached.

Encryption only works until you give the key away for a candy bar in a social engineering scheme.

Then all bets are off.

--
BMO

Re:Passwords Are Safe, But ... (4, Interesting)

bmo (77928) | about 2 years ago | (#40075881)

Replying to myself so others may read a story I am referring to in case they missed it back in 2004.

http://news.bbc.co.uk/2/hi/technology/3639679.stm

And it still applies today.

--
BMO

Re:Passwords Are Safe, But ... (0)

TheLink (130905) | about 2 years ago | (#40075905)

And how many of the people were telling the truth? Did the researchers check that?

Re:Passwords Are Safe, But ... (0)

Anonymous Coward | about 2 years ago | (#40076803)

"Would you give out your password for a Klondike bar?"
"ñ0+r3@11y"
"That's trusting of you, and here's your Klondike bar."

Re:Passwords Are Safe, But ... (1)

garyebickford (222422) | about 2 years ago | (#40076563)

I went to a security conference back in 2000, where the keynote speaker (A Navy guy) discussed their tests of social engineering. They found that the average cost for getting a sysadmin to open up the data center and access to the systems was only $7000 - at Fortune 500 companies, not just the little companies. Of course security awareness and practice has been improved greatly since then (I hope).

Re:Passwords Are Safe, But ... (2)

bmo (77928) | about 2 years ago | (#40076717)

For $7000 in Y2K dollars, you can forge documents and a search warrant and walk right in to a datacenter, pretending you're the feds and walk out with the machines themselves. While this is a crime, you are committing a crime in the first place anyway by deciding to go after the data, so I don't see this as a barrier for those who don't give a shit.

--
BMO

Re:Passwords Are Safe, But ... (1)

asdf7890 (1518587) | about 2 years ago | (#40080097)

Impersonating the feds is a higher offense than just nicking stuff, including data, unless the stuff/data is of "national security" importance.

Re:Passwords Are Safe, But ... (1)

sjames (1099) | about 2 years ago | (#40078421)

If it's done right, it requires subverting one of a very few people who have root access to the CC processing machine. I say subverting because the needed request would be obviously not part of business as usual and the people who could get the key would understand the implications.

Re:Passwords Are Safe, But ... (0)

Anonymous Coward | about 2 years ago | (#40081971)

and except if cc_encryption_hash is in clear text in the root directory and available on Pastebin

Re:Passwords Are Safe, But ... (1)

bmo (77928) | about 2 years ago | (#40087943)

Or if your debug script puts all usernames and passwords in cleartext in world-readable /tmp/ for your paid customers for chat.youporn.com.

For years.

--
BMO

Re:Passwords Are Safe, But ... (2)

ifrag (984323) | about 2 years ago | (#40075785)

But encryption can protect sensitive data if security is ever breached.

Unless the security "breached" also includes the information for performing decryption. In which case it didn't protect anything.

Re:Passwords Are Safe, But ... (1)

maevius (518697) | about 2 years ago | (#40075949)

Let's say you encrypt them with the highest standard encryption algorithms. Where are you planning to keep the encryption key?

Re:Passwords Are Safe, But ... (1)

cdrguru (88047) | about 2 years ago | (#40077337)

I think the idea is to encrypt the data and not have the key stored anywhere.

This is roughly like not having a file cabinet, just a shredder. Very secure records storage with zero possibility of any sort of disclosure. It is more difficult to access, however.

It is perhaps the only way to be truly safe.

Re:Passwords Are Safe, But ... (1)

maevius (518697) | about 2 years ago | (#40077585)

With passwords you can one-way encrypt them (meaning no key is kept) because you know that a person will remember and enter the password every time.

The reason companies keep credit card data is so they can charge recurring fees automatically, or the well-known one-click buy, so a computer must be able to decrypt it and use it accordingly. If you don't keep the key, you defeat the purpose of the whole scheme. The only way to protect the data (without being truly secure) is to use a hardware security module along with high physical security (something along the lines of the PCI-DSS standards).

To sum it up: There is NO true security. If you can't protect cardholder data, don't keep it

btw, somewhere in their website I read that the cards were encrypted but it suggested that the key was trivial to find.

Re:Passwords Are Safe, But ... (1)

achbed (97139) | about 2 years ago | (#40078291)

Remember folks - ROT13 is NOT encryption (no matter what your auditors say)...

Re:Passwords Are Safe, But ... (0)

Anonymous Coward | about 2 years ago | (#40079731)

Not when the hackers took the whole server,

they got the locks and the keys

so they got the whole damn kingdom

I'm going to hack-proof my computers now,

( Pulling plug )

Re:Passwords Are Safe, But ... (2)

Maximum Prophet (716608) | about 2 years ago | (#40075829)

It was social engineering. Encryption cannot help with human gullibility.

Yes, it can. If your data is unencrypted anyone can give it out. You use encryption along with policy so that only those that need to know can get the information. For really sensitive information, you make sure that multiple people have to each add their password before the information is allowed to be accessed.

You can also use encryption to ensure that machine 'A' can talk to machine 'B' using large certs, but no human has direct access.

Re:Passwords Are Safe, But ... (0)

Anonymous Coward | about 2 years ago | (#40075963)

It was social engineering. Encryption cannot help with human gullibility.

Yes, it can. If you data is unencrypted anyone can give it out.

No, the GP is correct. Encryption, when part of an actual system, means that some human being has the key to decrypt.

You use encryption along with policy so that only those that need to know can get the information.

And this policy is going to wind up being "don't be gullible."

Re:Passwords Are Safe, But ... (0)

Anonymous Coward | about 2 years ago | (#40077215)

And this policy is going to wind up being "don't be gullible."

The main purpose of the "policy" is to impose consequences if someone lets the data out. By establishing rules and consequences for breaking those rules you make it slightly harder to convince any given employee that it's worth their while to hand over the data.

Re:Passwords Are Safe, But ... (3, Insightful)

hey! (33014) | about 2 years ago | (#40076793)

It was also lousy but unfortunately common business practices.

Suppose you're a company that handles billing and payments for clients. One of your clients asks you for the credit card information for all of *his* clients. This scenario shows why you should be very reluctant to give that data to him. And for all you know, *he's* going to use it to commit identity fraud, or sell it on the black market.

Not disclosing this information inconveniences the customer slightly, but it also protects him.

When you receive sensitive private information from someone, you should not use it or transfer it to any third parties except as necessary to fulfill the purpose for which you received it, *even if* you are just a middleman between the buyer, the vendor, and the vendor's bank. Get the money transferred into the customer's account and the order to the customer's order fulfillment people and your job is done.

These problems come from not *thinking*. End user sends you data, you automatically store it without thinking, whether you need it or not. Customer asks you for that data, and you automatically give it to him without thinking. A service agreement should be concluded between you and your customer establishing what the customer is going to do with that data, and when and how the data will be provided. You shouldn't just give him data that is not necessarily *his* by right just because he asks for it.

The underlying problem is that companies operate as if the privacy and security of their end-users is none of their concern.

Re:Passwords Are Safe, But ... (1)

devilsdean (888911) | about 2 years ago | (#40075945)

A hashed password being safe is a bold statement from a company that is supposed to be protecting credit card information. Even worse, though, is the plain text credit card numbers that "may" be at risk.

Re:Passwords Are Safe, But ... (1)

blueg3 (192743) | about 2 years ago | (#40076555)

Encryption is not magic.

If you need to use the stored data, you need to be able to decrypt it. If an automated system needs to use the stored data, that means it needs to have programmatic access to the encryption key. Which means that an attacker can almost certainly get the encryption key. If they don't need to use the stored data, they probably shouldn't be storing it in the first place.

Encryption is only useful if you can exert better control over the encryption key than the encrypted data.

Re:Passwords Are Safe, But ... (1)

sjames (1099) | about 2 years ago | (#40078113)

Way back in the wild west days of the internet, I built a system that accepted CC numbers at signup for monthly billing. The numbers were encrypted with gpg before being stored in the database. The web server only had the public key.

Each month, the encrypted CC numbers were dumped to floppies and sneakernet-ed to a CC processing machine with no net connection.

I'm pretty sure nobody ever got a copy of the database, but I'm absolutely sure that if someone did, the accounts will have been closed long before they can get the numbers decrypted. Why can't they manage that now?
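As an added illustration of the key-separation point blueg3 and sjames make above (this is my example, not code from the page, from WHMCS or from sjames's old system): the web tier holds only an RSA public key and can do nothing but encrypt card numbers and store the blob; the private key lives on the offline processing machine. Compare that with a symmetric key kept in the application's config file beside the database, which is the pattern other commenters in this thread describe for WHMCS: whoever dumps the database and reads the config decrypts everything. The config string, the OAEP label and the card number 4111111111111111 are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// oaepLabel binds a ciphertext to its purpose. Assumed value; it only has to
// match on the encrypting and decrypting side.
var oaepLabel = []byte("card-number-v1")

// --- Design 1: symmetric key derived from a string in the app's config file. ---

// configKey turns the config string into an AES-256 key. An attacker with the
// database dump plus the config (as described in this thread) has everything.
func configKey(configSecret string) []byte {
	k := sha256.Sum256([]byte(configSecret))
	return k[:]
}

func EncryptWithConfigKey(configSecret, pan string) ([]byte, error) {
	block, err := aes.NewCipher(configKey(configSecret))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil // nonce || ciphertext || tag
}

func DecryptWithConfigKey(configSecret string, ct []byte) (string, error) {
	block, err := aes.NewCipher(configKey(configSecret))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// --- Design 2: the web tier holds only the public key. ---

// GenerateProcessorKey runs once on the offline processing machine; only the
// public half is ever copied to the web server.
func GenerateProcessorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForProcessor is all the web server can do with a card number.
// A full dump of that server yields ciphertexts and a public key, nothing more.
func EncryptForProcessor(pub *rsa.PublicKey, pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
}

// DecryptOnProcessor runs only where the private key lives.
func DecryptOnProcessor(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskPAN is the only form the web tier needs in the clear: last four digits.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	const pan = "4111111111111111"                  // constructed test number
	const leakedConfig = "cc_encryption_hash=changeme" // constructed config value

	ct1, _ := EncryptWithConfigKey(leakedConfig, pan)
	got, _ := DecryptWithConfigKey(leakedConfig, ct1)
	fmt.Println("design 1: attacker with db+config recovers", MaskPAN(got))

	priv, _ := GenerateProcessorKey()
	other, _ := GenerateProcessorKey()
	ct2, _ := EncryptForProcessor(&priv.PublicKey, pan)
	if _, err := DecryptOnProcessor(other, ct2); err != nil {
		fmt.Println("design 2: wrong private key fails:", err)
	}
	card, _ := DecryptOnProcessor(priv, ct2)
	fmt.Println("design 2: offline processor recovers", MaskPAN(card))
}
```

The asymmetric design still needs the processing box to be reachable only by sneakernet or a tightly restricted channel, and it does not help if the same host also runs the recurring-billing job with the private key loaded; the point is that the database and its key never sit on the same compromised machine.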

Re:Passwords Are Safe, But ... (1)

plover (150551) | about 2 years ago | (#40082125)

I'd like to know what makes them think the hashes of the passwords are safe. I think the thieves should paste one into Google and see what pops up (Google being well known as the world's most widely available rainbow table for common hash digest values.) What are the chances these security boffins salted their hashes?

I guess (2)

slashmydots (2189826) | about 2 years ago | (#40075617)

Hmmm 24 hours of criminals posting tweets detrimental to your business on their own account which is displayed in their own software. I guess everyone over at WHMCS must be on vacation...OR ARE COMPLETE MORONS! Maybe they forgot their security question though, lol.

Re:I guess (1)

egamma (572162) | about 2 years ago | (#40075653)

Hmmm 24 hours of criminals posting tweets detrimental to your business on their own account which is displayed in their own software. I guess everyone over at WHMCS must be on vacation...OR ARE COMPLETE MORONS! Maybe they forgot their security question though, lol.

Or the ugnazis changed the security question/answer...

Re:I guess (1)

CanHasDIY (1672858) | about 2 years ago | (#40075787)

Hmmm 24 hours of criminals posting tweets detrimental to your business on their own account which is displayed in their own software. I guess everyone over at WHMCS must be on vacation...OR ARE COMPLETE MORONS! Maybe they forgot their security question though, lol.

Or the ugnazis changed the security question/answer...

And here I thought that was obvious...

salty... salty... (2)

vlm (69642) | about 2 years ago | (#40075679)

the passwords are “stored in hash format” so they’re safe

Assuming their programmers know what a salt is (maybe they do, maybe they don't, he's not saying), and/or their users are not using passwords typically seen in a dictionary attack (yeah right)

Re:salty... salty... (2)

Tanktalus (794810) | about 2 years ago | (#40075801)

And you're assuming that the passwords are valuable enough to spend sufficient CPU cycles to attempt to crack. If they can find some important users, maybe their passwords are valuable enough to try. I would guess that most users are likely not valuable enough to attempt.

Re:salty... salty... (0)

Anonymous Coward | about 2 years ago | (#40075911)

And you're assuming that the passwords are valuable enough to spend sufficient CPU cycles to attempt to crack. If they can find some important users, maybe their passwords are valuable enough to try. I would guess that most users are likely not valuable enough to attempt.

If they're not salted and stretched, rainbow tables will give them the entire database in short order.

Re:salty... salty... (0)

Anonymous Coward | about 2 years ago | (#40075919)

CPU cycles are practically free, thanks to ubiquitous windoze machines and the botnets they operate. Of course it still makes sense to hit the juiciest targets first.

Re:salty... salty... (2, Informative)

Anonymous Coward | about 2 years ago | (#40076067)

the passwords are “stored in hash format” so they’re safe

Assuming their programmers know what a salt is (maybe they do, maybe they don't, he's not saying), and/or their users are not using passwords typically seen in a dictionary attack (yeah right)

A salt isn't some magic pixie dust that makes hashes more secure: you also have to use them correctly. If the code is something like

$salt = 'n1c3tryh4x0r$';          // one fixed salt shared by every account
$hash = sha1($salt . $password);

Then it's not very useful. If on the other hand it's something like

$salt = base64_encode(random_bytes(16));                   // fresh random salt per account
$hash = $salt . '$' . hash_hmac('sha1', $password, $salt); // salt stored beside the digest

Then one would have much less to worry about.
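To make the difference between those two snippets concrete, here is an added example in Go (mine, not code from the page or from WHMCS). It puts a bare SHA-1, a site-wide static salt, and a per-user random salt with a stretched hash side by side: the first two give every account with the same password the same digest, so one rainbow-table hit or one cracked guess covers all of them, while the third gives each account a different digest and makes every guess cost 100,000 HMAC calls. The record format, the iteration count and the password "hunter2" are my choices for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// WeakHash is "stored in hash format" taken literally: a bare SHA-1.
func WeakHash(password string) string {
	sum := sha1.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// StaticSaltHash uses one salt for the whole site. It beats a pre-built table,
// but the attacker who has the database usually has the source too and can
// build one table that covers every account.
func StaticSaltHash(password string) string {
	const siteSalt = "n1c3tryh4x0r$" // same value for every account
	sum := sha1.Sum([]byte(siteSalt + password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256, written out so the
// stretching is visible: each output block is iter chained HMACs XORed together.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	ctr := make([]byte, 4)
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

const iterations = 100000 // assumed work factor; raise it as hardware gets faster

// NewRecord stores a password the way the second snippet intends: a fresh
// 16-byte random salt, a slow stretched hash, and the parameters kept in the
// record so they can be changed later without breaking old entries.
func NewRecord(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations,
		base64.RawStdEncoding.EncodeToString(salt),
		base64.RawStdEncoding.EncodeToString(dk)), nil
}

// Verify recomputes the hash from the stored salt and compares in constant
// time, so the comparison does not leak how many bytes matched.
func Verify(record, password string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised record format")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	// Two accounts that chose the same (constructed) password.
	alice, _ := NewRecord("hunter2")
	bob, _ := NewRecord("hunter2")
	fmt.Println("bare sha1 identical for both:  ", WeakHash("hunter2") == WeakHash("hunter2"))
	fmt.Println("static salt identical for both:", StaticSaltHash("hunter2") == StaticSaltHash("hunter2"))
	fmt.Println("per-user salt identical:       ", alice == bob)
	ok, _ := Verify(alice, "hunter2")
	fmt.Println("alice verifies:", ok)
}
```

A real deployment would reach for bcrypt, scrypt or Argon2 rather than a hand-rolled PBKDF2; the loop is spelled out here only so the cost and the per-user salt are visible.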

Re:salty... salty... (1)

vlm (69642) | about 2 years ago | (#40076769)

Well, yeah, but first you have to know what a salt is and why you'd want to use it.
I thought the language of the quote was interesting, “stored in hash format” not “stored in hashed salted format”. Neither makes any sense when passing thru a journalist filter so we can assume the quote did not pass thru a PR filter or a journalist filter and that's, unfortunately, the actual technical state. It's probably by their own admission just a simple hash of the bare string that will momentarily be rainbowtabled.
Luckily they don't have email addresses, and users never use the same email addrs/password combo at multiple web sites, so everyone will be OK (LOL)

raising awareness (-1)

gandhi_2 (1108023) | about 2 years ago | (#40075721)

I really hate when people talk about "raising awareness", as though someone out there hasn't heard about cancer.

However, this stunt ugnazis pulled got my attention, and got me to check out their tweets and websites.

I never knew that UFC (really, Dana White) was supporting SOPA.

Being a Jiu Jitsu purist, I already find UFC (and most MMA) to be a loud-mouth lowest-denominator of society. But now I have a reason to actively boycott their events.

Thanks ugnazis! You raised my awareness!

Re:raising awareness (0, Funny)

Anonymous Coward | about 2 years ago | (#40075917)

So I gather you're doing some Japanese Jiu Jitsu, not those Brazilian upshots...

Actually, the data is already out there it seems (0)

Anonymous Coward | about 2 years ago | (#40075739)

Both the salt and cc decrypt key were stored in the configuration which was downloaded along with the DB.
From what I've heard, it's trivial to recover the file and all the data

WHMCS is Hosted by Hostgator (4, Informative)

Anonymous Coward | about 2 years ago | (#40075803)

As a former employee, posting this as anonymous for obvious reasons; however, the below information is freely available if you know where to look.

WHMCS is hosted by Hostgator on a dedicated server. This can be found by:

% dig NS whmcs.com +short | head -1 | xargs dig +short | xargs whois
# http://whois.arin.net/rest/nets;q=50.116.115.104?showDetails=true&showARIN=false&ext=netref2

HGBLOCK = Hostgator IP block, the ARIN address is Hostgator's main office, and websitewelcome.com is Hostgator's generic domain they use for reseller servers' hostnames/nameservers.

It's easy (2)

Stargoat (658863) | about 2 years ago | (#40075811)

Amateurs target systems, professionals target people. The weakest part of any IT system is the users. We know all this. For example, Mondays have the most downtime, as they are associated with changes made over the week. A user that installs a gotoassist to 'help' the IT department. Etc etc.

Official announcement (5, Informative)

Solozerk (1003785) | about 2 years ago | (#40075831)

The official post on this from WHMCS is interesting: http://blog.whmcs.com/?t=47660
They're saying that the intruders managed to obtain credentials from their web hosting company, which allowed them to access the (I assume) dedicated servers rented by WHMCS.

Putting aside the fact that they're storing CC data on a third party server, what the blog post does not explain is how exactly this would amount to a total compromise of those accounts, as the server passwords should not even be known by the hosting company, and in any case this data should have been encrypted. It would also be interesting to know how they went from that to accessing the company's twitter account - my guess would be that the same password was used on twitter as on their servers.

So basically: no encryption, relying on an insecure third party to store critical data, and possibly the same password being used for a major hosting server and their twitter account. I, for one, would not rely on this company to handle billing & support for my customers.

Re:Official announcement (1)

creedfeed (701791) | about 2 years ago | (#40076111)

The owner of the company suggested that the hackers gained access to his email account which was used to social engineer the hosting company to gain access to the servers. The hosting company had knowledge of the server passwords because Hostgator offers fully managed dedicated servers. Hostgator handles all of the managing and security of the servers, thus they have and need the server passwords.

Re:Official announcement (1)

Anonymous Coward | about 2 years ago | (#40076937)

The hosting company had knowledge of the server passwords because Hostgator offers fully managed dedicated servers. Hostgator handles all of the managing and security of the servers, thus they have and need the server passwords.

In most cases, that isn't true. A typical provision for a dedicated server involves installing a public key that we use to access via root. The root password is usually only needed if we're accessing via IPMI/iDRAC and need to login from the remote console, or if the user has removed the public key from /root/.ssh/authorized_keys, or if public key authentication for root has been disabled, either by request due to security reasons, or because the client felt it necessary.

Sincerely, former Hostgator employee

Re:Official announcement (1)

longk (2637033) | about 2 years ago | (#40076427)

Actually the CC info is stored in encrypted form in the WHMCS database. This is quite common and protects against database leaks through injection, etc. Unfortunately, because the hackers had complete root access, they were also able to obtain the decryption key as well.

Re:Official announcement (1)

Solozerk (1003785) | about 2 years ago | (#40076887)

The CC info should IMHO have been encrypted with a combination of the user's password and such a key - that way, even WHMCS doesn't have access to it, except at the very moment a transaction needs to occur (when the user types in his password).

Of course, if recurring automatic payments or similar are needed, then WHMCS does indeed need to keep the CC details readable (and even then I'm not 100% sure of that, as I believe a lot of banks' payment APIs offer some sort of token mechanism defining CC details for a specific purpose - i.e., not usable for other payments). But in that case, it should have been handled on a separate server or, even better, through the use of one of the many cheap, dedicated, PCI-compliant services that do exactly that.

Re:Official announcement (0)

Anonymous Coward | about 2 years ago | (#40079859)

And recurring billing would work how?

Re:Official announcement (0)

Anonymous Coward | about 2 years ago | (#40076755)

Come on. This is standard practice with banks, after all.

Re:Official announcement (0)

Anonymous Coward | about 2 years ago | (#40077755)

Putting aside the fact that they're storing CC data on a third party server, what the blog post does not explain is how exactly this would amount to a total compromise of those accounts, as the server passwords should not even be known by the hosting company

In this case, they were on a single managed server, so the provider (Hostgator) did in fact have the root password.

UGNazis eh? (1)

Viol8 (599362) | about 2 years ago | (#40075887)

Read: A bunch of stupid glory hunting kids who have no concept of what real nazis were like or they wouldn't use such a poor taste name.

Re:UGNazis eh? (1)

xero314 (722674) | about 2 years ago | (#40077435)

I know just look at some of the claims of the 25 point program:

The right to determine matters concerning administration and law belongs only to the citizen.
We demand that the state be charged first with providing the opportunity for a livelihood and way of life for the citizens.
All citizens must have equal rights and obligations.
Abolition of unearned (work and labour) incomes. Breaking of debt (interest)-slavery.
In consideration of the monstrous sacrifice in property and blood that each war demands of the people, personal enrichment through a war must be designated as a crime against the people.
The State is to care for the elevating national health by protecting the mother and child, by outlawing child-labor, by the encouragement of physical fitness
We demand legal opposition to known lies and their promulgation through the press.
We demand freedom of religion for all religious denominations within the state

Now there are some sick fucks right there. I mean seriously you put those rules in place and people stop profiting from the exploitation of their fellow man, and that my friend would certainly be a shame.

Re:UGNazis eh? (1)

Viol8 (599362) | about 2 years ago | (#40085045)

Looks like a cut and paste from a standard issue left wing student debate.

Nothing to see here....

Re:UGNazis eh? (1)

xero314 (722674) | about 2 years ago | (#40089025)

It's actually a selective cut and paste from the 25-point program of the German National Socialist Party. It's good that we bring light to the atrocities of WWII but to condemn an entire group of people without understanding the benefits they brought to their country is a little nearsighted.

Ads (-1, Offtopic)

Pieroxy (222434) | about 2 years ago | (#40075895)

So there is this box "Ads Disabled" ticked, but I still see an Ad for microsoft, a tiny rectangle taking up 25% of my screen real estate... What gives?

Re:Ads (0)

Anonymous Coward | about 2 years ago | (#40077221)

So there is this box "Ads Disabled" ticked, but I still see an Ad for microsoft, a tiny rectangle taking up 25% of my screen real estate... What gives?

That's a load of horse shit. If you've scrolled this far, the "Ad for microsoft" has already scrolled up and off. It's not just 25%, it's a transient 25%.

There was no hacking!! (4, Informative)

rudy_wayne (414635) | about 2 years ago | (#40076113)

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.

Yes, they didn't break in, YOU FUCKING LET THEM IN, because that really makes a difference.

Re:There was no hacking!! (0)

Anonymous Coward | about 2 years ago | (#40076311)

Damn it, yes! That's exactly what people forget. The founder blogs saying that their servers were not hacked and that it was just a social engineering trick. Like this is supposed to make his customers feel better? It's like saying... hey, our servers didn't need to get hacked because we're so stupid we let them in!! :) :) :)

Re:There was no hacking!! (1)

longk (2637033) | about 2 years ago | (#40076375)

It does make a BIG difference. Tons of businesses use the same software that WHMCS uses on their server. These businesses need to know whether the used software is unsafe or not. If the compromise was purely social engineering and no software hack a lot of people will sleep better.

Re:There was no hacking!! (1)

Anonymous Coward | about 2 years ago | (#40076481)

Yes, they didn't break in, YOU FUCKING LET THEM IN, because that really makes a difference.

No, the third-party hosting company let them in, which is very different. I presume this will make for an entertaining lawsuit.

Aren't you glad your data is safe in the cloud, administered by professionals?

Re:There was no hacking!! (0)

Anonymous Coward | about 2 years ago | (#40076813)

By your account, their hosting provider were the ones who let them in. I don't know the whole truth of the matter, but sometimes things like this happen. I'm more interested to see what happens with HostGator's clients now that they have given hackers access to one of their major accounts.

This is why I do not like security questions/answers.

Credit Cards Were Encrypted (1)

canadiannomad (1745008) | about 2 years ago | (#40076269)

Ok everyone is assuming the creditcards weren't encrypted...
Direct from their site:
http://forum.whmcs.com/showthread.php?t=47650
"3. Credit card information although encrypted in the database may be at risk"
So I assume that the risk is more that they got access to the dedicated server (root login maybe) and got ahold of the private key (passphrase?)

Re:Credit Cards Were Encrypted (0)

Anonymous Coward | about 2 years ago | (#40076381)

The salts used to encrypt data are in the config files of WHMCS. The hackers did get access to the box, so they have the salts and the encrypted data.

Anyone? (3, Funny)

Cute Fuzzy Bunny (2234232) | about 2 years ago | (#40076535)

I was just wondering what WHCMCHSHCHSC stood for, but the article never mentions it and neither did the front page of the company's web site.

So aside from having security issues, somewhere along the line someone forgot that not everyone knows what WHCSMSHC XVIII stands for.

Re:Anyone? (0)

Anonymous Coward | about 2 years ago | (#40078265)

We Have Marginal Credit Security

Re:Anyone? (0)

Anonymous Coward | about 2 years ago | (#40080455)

WHMCS = Web Host Management Control System

I never like the guy (1)

future assassin (639396) | about 2 years ago | (#40076971)

who owned WHMCS, but I don't want to be in his shoes now.

From WHMCS
Initial indications are that the database of our ticketing system may have been compromised, and thus we would recommend that if you have recently sent us a ticket containing your WHMCS or FTP login details, and have not yet changed them again following that, that you do so as soon as possible. As soon as we know more about what happened we'll provide updates.

Oh I get it..it's related to /. story yesterday (1)

WOOFYGOOFY (1334993) | about 2 years ago | (#40077371)

http://hardware.slashdot.org/story/12/05/21/1915247/mega-uploads-the-clouds-unspoken-hurdle

Except it's a sort of explainer to that story.

Yeah, that's it.

WHMCS Customer Here (1)

G33kDragon (699950) | about 2 years ago | (#40079337)

My company uses WHMCS and, after downloading all the released data, I was happy to find that accounting had used a PayPal subscription to purchase the license, as all the "card number" fields in the SQL dump were blank.

That being said... they also store all emails sent to customers. Including the Welcome Email that includes the original password used for master accounts.

So, could be worse on our end, but still major suckage overall.

Check if your info was found in the leak (0)

Anonymous Coward | about 2 years ago | (#40079477)

I wrote a quick script for checking for your e-mail against the leaked database that was obtained from WHMCS.

You can access it here: http://whmcs.h02.org

Security Questions deemed dangerous (1)

MarcAuslander (517215) | about 2 years ago | (#40079515)

It has been pointed out many times that the security question system is dangerous if the user does what he's told. It is in general easier to find out what someone's high school mascot was than to guess his password! My approach is to provide nonsense answers I can retrieve for all such questions. No one's going to guess that my mother's maiden name was bottleofbitsofstuff, for example. You can use the same answer for all questions if they let you, or use obvious variants otherwise.

Reason (0)

Anonymous Coward | about 2 years ago | (#40090191)

UGNazis accuse WHMCS of knowingly offering services to fraudsters.

~~~~~~~~

I have an idea, how about we fuck over all of their customers, that have nothing to do with it to get back at them.

TOOLS -- - glad to hear that UGNazis got PWNED today. Greetz
