
Fasthosts Security Breach

RobDickson
Grafter
Posts: 653
Thanks: 3
Registered: ‎06-08-2007

Fasthosts Security Breach

I'm not sure if this is the right place to post this, but if anybody has a Fasthosts account, then you need to change your passwords.
I've just had an e-mail from Fasthosts telling me that one of its servers has been successfully hacked into.
I can't find any reference to this on the Fasthosts website, but the e-mail looks genuine.
MikeWhitehead
Grafter
Posts: 748
Registered: ‎19-08-2007

Re: Fasthosts Security Breach

Just a follow up to what you have said.
Link
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Fasthosts Security Breach

Not just one server, their main internal servers containing all customer data, including logins and passwords, were compromised. The email said portal, FTP, MySQL and all EMAIL passwords should be changed!!!!
My company has a reseller account with them and we have a lot of passwords to change AAAARRRRGGGG!!!!!!
RobDickson
Grafter
Posts: 653
Thanks: 3
Registered: ‎06-08-2007

Re: Fasthosts Security Breach

Thanks. I wasn't sure whether to post this, because I couldn't find any other evidence of it.
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Fasthosts Security Breach

Important information about your Fasthosts account
Dear <name>
 
We are writing to inform you that we have recently discovered evidence of a network intrusion involving a Fasthosts server. We have reason to believe that the intruder has gained access to our internal systems, and that this may have in turn given them access to your username and some service passwords.
We have since closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again.
We therefore recommend, as a precaution, that you now change the following passwords on your account, both for your personal use, and for your customers:

  • Your main account control panel login password

  • All email (Standard, Advanced and Exchange mailbox) passwords for you and your customers' mailboxes

  • All FTP passwords

  • All MySQL and MS SQL database passwords


These can all be changed within your control panel. Further details on how to change your passwords can also be found in the support section of our website.
We strongly recommend that you choose secure passwords so that they cannot easily be guessed. These passwords should include the following:

  • It should be a minimum of 8 characters long

  • It should contain an upper case and a lower case letter

  • It should also contain at least one number (numeric)



We recognise that this may cause some inconvenience and concern, and for that we sincerely apologise. Please be assured that your account security is extremely important to us, and we have taken every step possible to secure your information against any future intrusion attempts.
If you have any questions relating to this, please contact our Customer Support team on 0870 888 3600 or customersupport@fasthosts.co.uk who will be happy to help you.



Yours sincerely,
The Fasthosts Internet team

James
Grafter
Posts: 21,036
Thanks: 5
Registered: ‎04-04-2007

Re: Fasthosts Security Breach

I think Bob hosts his domains through them as well.
pcoventry76
Grafter
Posts: 950
Registered: ‎27-08-2007

Re: Fasthosts Security Breach

I don't host with them but I have changed my login password on UKREG, which they also operate.
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Fasthosts Security Breach

RobDickson
Grafter
Posts: 653
Thanks: 3
Registered: ‎06-08-2007

Re: Fasthosts Security Breach

I've had no e-mails from UKReg, but it's always worth being careful, especially since they combined both control panels together recently.
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Fasthosts Security Breach

Does PlusNet store any unencrypted passwords?

"In The Beginning Was The Word, And The Word Was Aardvark."

pjmarsh
Superuser
Posts: 4,035
Thanks: 1,579
Fixes: 20
Registered: ‎06-04-2007

Re: Fasthosts Security Breach

On the PUG forums Bob says yes, they do encrypt users' passwords.
Phil

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

zubel
Community Veteran
Posts: 3,793
Thanks: 4
Registered: ‎08-06-2007

Re: Fasthosts Security Breach

Quote from: axisofevil
Does PlusNet store any unencrypted passwords?

My guess would be no, however I would guess they're stored in a reversible encryption scheme.
I would assume that Plusnet have a central RADIUS server that stores all the authentication information. When each service that requires authentication makes a request for the password, it should be encrypted on-the-wire in whatever format the service requires.
When dealing with large-scale deployments of distributed authentication it is actually fairly common practice to store the passwords in this manner. When you're dealing with authentication requirements that span over several operating systems, through several services and even across realms (BT authentication for the ADSL connection for example) then actually storing the passwords in an irreversibly encrypted form would make inter-communication incredibly difficult.
Let's take the Portal as an example - when you log into the portal, my guess would be that the portal servers request the credentials in one particular encryption format. The RADIUS server would then provide the password to the portal servers in that format for comparison. Anyone sniffing the traffic would only be able to see the encrypted hash of the password. Perhaps the CCGI servers (running a different OS than the portal servers) don't support that particular encryption type, so they would make a request under their own encryption type, et al.
Storing the passwords in a reversible way means that the RADIUS server has the option of decrypting and re-encoding them in whatever encryption mechanism the end-service requires.
I'm sure the RADIUS boxes are physically secure, and I would assume that they are hidden deep within Plusnet's internal network. No doubt there will be a flurry of auditing to double check their electronic security following this story though.
B.
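
Added example (not part of the thread and not Plusnet's or Fasthosts' code): the trade-off described in the post above, with a one-way hashed store beside a reversible one. The class names are hypothetical, CHAP (RFC 1994) is assumed here as one service-specific format, and the keystream helper is a stdlib stand-in for a real cipher.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for a real authenticated cipher such as AES-GCM; not for production.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class HashedStore:
    """Holds only salted one-way digests: it can check a submitted password."""
    def __init__(self):
        self.rows = {}
    def enroll(self, user, password):
        salt = os.urandom(16)
        self.rows[user] = (salt, _pbkdf2(password, salt))
    def verify_cleartext(self, user, password):
        salt, digest = self.rows[user]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))
    def chap_response(self, user, ident, challenge):
        # CHAP needs the secret itself, which a one-way digest cannot yield.
        raise NotImplementedError("password not recoverable from one-way hash")

class ReversibleStore:
    """Holds passwords encrypted under a server key: any format can be derived."""
    def __init__(self, key):
        self.key, self.rows = key, {}
    def enroll(self, user, password):
        nonce = os.urandom(16)
        self.rows[user] = (nonce, _xor_stream(self.key, nonce, password.encode()))
    def recover(self, user):
        # Anyone holding both the rows and the key gets every password back.
        nonce, ciphertext = self.rows[user]
        return _xor_stream(self.key, nonce, ciphertext)
    def verify_cleartext(self, user, password):
        return hmac.compare_digest(self.recover(user), password.encode())
    def chap_response(self, user, ident, challenge):
        # RFC 1994: MD5(identifier || secret || challenge)
        return hashlib.md5(bytes([ident]) + self.recover(user) + challenge).digest()

def client_chap(password, ident, challenge):
    """What the connecting client sends in reply to the challenge."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
```

The hashed store limits what a database copy gives an intruder, at the cost of not supporting challenge-response formats; the reversible store supports them, and its exposure depends on how well the key is kept apart from the rows.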
Tamlyn
Grafter
Posts: 268
Registered: ‎11-04-2007

Re: Fasthosts Security Breach

I have a UKReg account (now part of Fasthosts) and had some fun trying to change my password. I went to the login page, typed in my username and password and was redirected to a 404 page. I tried again and the same happened. So I tried a different password and was redirected back to the login page with a message saying 'incorrect username or password' next to a big green tick mark! Eventually I went to the Fasthosts login form and that worked but it then offered me to change both my 'owner' password and 'account/owner' password. All changed now and hopefully no harm done.
RobDickson
Grafter
Posts: 653
Thanks: 3
Registered: ‎06-08-2007

Re: Fasthosts Security Breach

Probably lots of people trying to change their passwords at the same time.
Hasn't UKReg always been owned by Fasthosts? It has been for the last 3 years, at least.