|Fasthosts October Security Breach: Unchanged Accounts Get New Access In The Mail|
We were unable to connect yesterday afternoon to our sites hosted with Fasthosts by FTP. I put a call in to the support number, and got a message saying they were doing work on the servers with no estimated time of completion, so I left it for the day. Later that night our email also went down.
Today I woke up to find the email message below. In short they have changed our FTP password and the control panel password, so there is no way to access any of our sites.
I did not get any warning to change passwords on the 18th as stated, and this is the first I heard about the security breach.
The new passwords will be sent by Royal Mail, but there is no indication as to when, or which method of post they will be using. I hope they will be sent today by Special Delivery, or this weekend could be very difficult for our e-commerce sites, as I need to make some major changes.
Tried phoning today but the line is constantly engaged. Sent an email and got an automated reply asking me to include my account number and sort pin, which can be found by logging into my control panel!
[edited by: encyclo at 3:42 pm (utc) on Nov. 30, 2007]
I had this today.
It is because we didnt change our passwords when they asked us to a few weeks ago, when someone got onto their hosts.
This is a pain, as I am can not log into some of my personal sites.
I guess lesson learned for me is to do what they say, when they ask.
I have checked any we didn't get any emails about changing our passwords. Can you please tell me what date you were sent that message?
We have had a lot of emails saying our payment details are out of date when they aren't, and payment has already been taken.
If my records are correct, there were a few notifications.
18 October for FH & 19th October for UKReg.
There was also a reminder on 5th November.
In addition, I received a letter in the mail.
You should get a letter with your new access details.
I didn't get any emails or a letter in the post.
My fingers are crossed that they sent the passwords via royal mail next day special delivery. Some recorded post is taking weeks to arrive at the moment.
Tried again on the phone, and it is now possible to get in the que at position 55. Will be trying again in the early hours to beg for my password over the phone. It is already costing me a lot of sales.
luckily i did change my FTP, email and control panel details when i got the original email, so i can still access them all. but i didn't change my MySQL database passwords, and they seem to have taken it upon themselves to change them themselves.
in the interests of security, i don't mind about that. but seeing as they didn't actually notify me about it, virtually my entire site stopped working because none of the pages could access the database.
and here's the best part... i have an error logging system set up on my site which records all the php errors. and sure enough, there are about three million billion errors on there where the pages have failed to access the database. but the password they were trying to access the table with (which is presumably the password that fasthosts changed it to) is the word... 'YES'.
that is their idea of security! to change our 'insecure' database passwords to a three letter word.
fasthosts is becoming a joke.
|but the password they were trying to access the table with (which is presumably the password that fasthosts changed it to) is the word... 'YES'. |
They didn't change the password to 'YES'. If mySQL requires a password, the word 'YES' is placed in the logfile automatically instead of the real password. This is a security feature inside the software, rather than a stupidity of Fasthost.
I see one of the mods has changed the title of this thread.
'Unchanged accounts get new access in the mail' is not exactly true. The postman has just been and there's nothing from Fasthosts. Maybe it should be changed to 'unchanged accounts told they will get new access in the mail, but no indication as to when'. Also the latest security breach that caused them to change all passwords happend in November.
I spent 2 hours trying to get through on the phone last night from 12.30am to 2.30am. Went from position 54 to 18 in the que, and was cut off.
My sites are now showing items that are out of stock, and new Christmas items cannot be added.
No more communications from Fasthosts and nothing on their website.
Tried phoning again this morning and it it's just an engaged tone.
I have been with Fasthosts for 7 years, hosting several sites and in that time have had 4 very poor experiences.
Firstly, my biggest site was dropped without warning when a visitor spike caused some timeouts - after 3 days of phoning the site returned without explanation.
Secondly I had a site on a .Net package (1.1) and was given a weeks notice that this needed to be upgraded to .Net 2.0 as the server was being upgraded.
Thirdly, I had an NT resellers account since 2000, and was informed that it was closing and needed to be upgraded by 31 October (about 6 weeks notice); I started sorting this out when an email arrived in the first week of October to say that the deadline was being brought forward to 15 October. I abandoned the reseller account at that point as the notice periods were too irritating.
Finally this debacle, no notice just total removal of service. Made an email support query asking why and was referred to a non-existant earlier email and given a number to ring, which even the email intimated would not be answered.
It's the lack of notice that hurts the most - with notice almost anything is forgiveable.
Against this is the 24 hour support that I have always found useful. Hmmm...
After 3 hours on hold I did get through and after answering some security questions (far more indepth than usual!) was able to access stuff and get the sites back.
I realise that some other people are waiting for the post. In December! With the Royal Mail's reputation?
What were they thinking of?
I decided to bite the bullet on Sunday night, as there was no way I could go on without access to my sites for any longer.
Phoned at 9pm and finaly got through at 2am Monday morning. Answered a few questions and got my new password. Wasn't sure if they would even give it to me over the phone but I had to try. Will be interested to see my phonebill, as I also sat on hold for 2 hours on Saturday night before giving up and it's an 0870 number.
Judging by the amount of time it took me to get my password, and how long it took to move one position in the telephone que, there was only one person answering the phones, two at the most. I couldn't hear anyone else in the background either.
Still haven't received anything in the post so it's a good job I stuck with it. Also still no idication if the password has even been posted yet, or by which method.
Feel sorry for anyone trying to call today as it's not even possible to get in the que, just an engaged tone.
I've moved from position 6 to position 4 in 20 mins on their support no.
I received a letter yesterday which gives me a control panel password for one of my domain names (and doesn't work anyway), but not the password for my actual reseller control panel.
They seem to be treating their customers with absolute contempt.
The fact that they were storing passwords in cleartext, or any decipherable form is just bad practice.
And then they lock you out of your own account.
Then they are making a profit on their premium rate number out of their error.
They can't help you by email with password questions.
Thes plus previous issues I've had (similar to those above re short notification periods) leads me to want to leave fasthosts (and I've had reseller accounts with them since 2001). Of course that assumes that I can login to my account to release the domains!
Does anyone have any suggestions with alternatives? I'm inclined to split my sites amongst a few hosters - get all my eggs out of the one basket.
It may be your fault if you didn't follow through on changing the passwords but I feel your pain about the support after the fact, find another host. Those giant companies with the great deals just aren't worth it in the end. You need to find one that has the resources to compete with the big boys but small enough to keep things such as support at a realistic level.
I just went through a nightmare myself with a large hosting company and I'll never do it again. My new hosting company has a "family" feel to it, even the owner pops into the company forum once and while to answer questions as does the head of support. Of the five tickets I've had to open everyone of them was answered almost immediately and fixed within minutes of the response. I also have multiple ways to reach them.
|Then they are making a profit on their premium rate number out of their error. |
That I find intolerable, most hosts that I'm aware of would have a toll free number.
"It may be your fault if you didn't follow through on changing the passwords"
We received no instructions at all to change any passwords. I understand that some people did, but I have checked and double checked, and the only communications we had were regarding payment. It was even reported on the news that many customers were not warned.
To top it off we have just purchased a new domain via sedo, and nominet emailed yesterday to say it had been transfered to fasthosts. I need to speak to them so we know how to complete the transfer, and see it in our control panel. My guess is it will be a long time before we can take control of the domain as fasthosts are unreachable.
no body seems to have sussed that all this came about because fasthosts got hacked a few weeks back, i made a post about it then but it never got picked up, here is even a better one did you know that your data was not even encrypted?, great, and after all this my site got hacked and defaced i wonder how they got in?
i held on for 40 mins and got from position 56 in the phone queue to a helpful guy. Cost me I am sure in phone call but not too bad
I knew my user name and password which helped, and got given a new one over the phone but had to give last 4 numbers of credit card, e-mail address of main user admin, and a few other relevant details
Friday around 2.30 pm
For those with a FH account, if you haven't been notified, you have to make sure your e-mail passwords are changed by Thursday 13th December. After that time your e-mail password will be scrambled.
Also, to get support, why not use the e-mail support. You don't need to hang on the phone!
Generally, it's good practice to change passwords every-so-often, even if it is inconvenient.
We don't discuss hosting here, in general, because there are so many issues of good, bad and ugly, and invariably, it turns from a help thread to promo, or bashing. We let this thread go in the start to help the OP, and now it's probably reached the end of its natural course.