cancel
Showing results for 
Search instead for 
Did you mean: 

Fasthosts Security Breach

RobDickson
Grafter
Posts: 633
Thanks: 2
Registered: ‎06-08-2007

Fasthosts Security Breach

I'm not sure if this is the right place to post this, but if anybody has a Fasthosts account, then you need to change your passwords.
I've just had an e-mail from Fasthosts telling me that one of its servers has been successfully hacked into.
I can't find any reference to this on the Fasthosts website, but the e-mail looks genuine.
13 REPLIES 13
MikeWhitehead
Grafter
Posts: 748
Registered: ‎19-08-2007

Re: Fasthosts Security Breach

Just a follow up to what you have said.
Link
Peter_Vaughan
Community Veteran
Posts: 14,469
Registered: ‎30-07-2007

Re: Fasthosts Security Breach

Not just one server, their main internal servers containing all customer data, including logins and passwords were compromised. The email said portal, FTP, MySQL and all EMAIL passwords should be changed!!!!
My company has a reseller account with them and we have a lot of passwords to change AAAARRRRGGGG!!!!!!
RobDickson
Grafter
Posts: 633
Thanks: 2
Registered: ‎06-08-2007

Re: Fasthosts Security Breach

Thanks. I wasn't sure whether to post this, because I couldn't find any other evidence of it.
Peter_Vaughan
Community Veteran
Posts: 14,469
Registered: ‎30-07-2007

Re: Fasthosts Security Breach

Important information about your Fasthosts account
Dear <name>
 
We are writing to inform you that we have recently discovered evidence of a network intrusion involving a Fasthosts server. We have reason to believe that the intruder has gained access to our internal systems, and that this may have in turn given them access to your username and some service passwords.
We have since closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again.
We therefore recommend, as a precaution, that you now change the following passwords on your account, both for your personal use, and for your customers:

  • Your main account control panel login password

  • All email (Standard, Advanced and Exchange mailbox) passwords for you and your customers' mailboxes

  • All FTP passwords

  • All MySQL and MS SQL database passwords


These can all be changed within your control panel. Further details on how to change your passwords can also be found in the support section of our website.
We strongly recommend that you choose secure passwords so that they cannot easily be guessed. These passwords should include the following:

  • It should be a minimum of 8 characters long

  • It should contain an upper case and a lower case letter

  • It should also contain at least one number (numeric)



We recognise that this may cause some inconvenience and concern, and for that we sincerely apologise. Please be assured that your account security is extremely important to us, and we have taken every step possible to secure your information against any future intrusion attempts.
If you have any questions relating to this, please contact our Customer Support team on 0870 888 3600 or customersupport@fasthosts.co.uk who will be happy to help you.



Yours sincerely,
The Fasthosts Internet team

James
Grafter
Posts: 21,036
Thanks: 2
Registered: ‎04-04-2007

Re: Fasthosts Security Breach

I think Bob hosts his domains through them aswell.
pcoventry76
Grafter
Posts: 950
Registered: ‎27-08-2007

Re: Fasthosts Security Breach

i dont host with them but i have changed my login password on UKREG which they also operate
Peter_Vaughan
Community Veteran
Posts: 14,469
Registered: ‎30-07-2007

Re: Fasthosts Security Breach

RobDickson
Grafter
Posts: 633
Thanks: 2
Registered: ‎06-08-2007

Re: Fasthosts Security Breach

I've had no e-mails from UKReg, but it's always worth being careful, especially since they combined both control panels together recently.
VileReynard
Hero
Posts: 12,538
Thanks: 615
Fixes: 19
Registered: ‎01-09-2007

Re: Fasthosts Security Breach

Does PlusNet store any unencrypted passwords?

"In The Beginning Was The Word, And The Word Was Aardvark."

pjmarsh
Superuser
Superuser
Posts: 3,306
Thanks: 1,004
Fixes: 8
Registered: ‎06-04-2007

Re: Fasthosts Security Breach

On the PUG forums Bob says yes they do encrypt users passwords.
Phil
zubel
Community Veteran
Posts: 3,789
Thanks: 1
Registered: ‎08-06-2007

Re: Fasthosts Security Breach

Quote from: axisofevil
Does PlusNet store any unencrypted passwords?

My guess would be no, however I would guess they're stored in a reversible encryption scheme.
I would assume that Plusnet have a central RADIUS server that stores all the authentication information.  When each  service that requires authentication makes a request for the password, it should be encrypted on-the-wire in whatever format the service requires.
When dealing with large-scale deployments of distributed authentication it is actually fairly common practice to store the passwords in this manner.  When you're dealing with authentication requirements that span over several operating systems, through several services and even across realms (BT authentication for the ADSL connection for example) then actually storing the passwords in an irreversibly encrypted form would make inter-communication incredibly difficult.
Lets take the Portal as an example - when you log into the portal, my guess would be that the portal servers request the credentials in one particular encryption format.  The RADIUS server would then provide the password to the portal servers in that format for comparison.  Anyone sniffing the traffic would only be able to see the encrypted hash of the password.  Perhaps the CCGI servers (running a different OS than the portal servers) don't support that particular encryption type, so they would make a request under their own encryption type, et al.
Storing the passwords in a reversible way means that the RADIUS server has the option of decrypting and re-encoding them in whatever encryption mechanism the end-service requires.
I'm sure the RADIUS boxes are physically secure, and I would assume that they are hidden deep within Plusnet's internal network.  No doubt there will be a flurry of auditing to double check their electronic security following this story though Smiley
B.
Tamlyn
Grafter
Posts: 268
Registered: ‎11-04-2007

Re: Fasthosts Security Breach

I have a ukreg account (now part of fasthosts) and had some fun trying to change my password. I went to the login page, typed in my username and password and was redirected to a 404 page. I tried again and the same happened. So I tried a different password and was redirected back to the login page with a message saying 'incorrect username or password' next to a big green tick mark! Eventually I went to the fasstohosts login form and that worked but it then offered me to change both my 'owner' password and 'account/owner' password  Roll_eyes All changed now and hopefully no harm done.
RobDickson
Grafter
Posts: 633
Thanks: 2
Registered: ‎06-08-2007

Re: Fasthosts Security Breach

Probably lots of people trying to change their passwords at the same time.
Hasn't UKReg always been owned by Fasthosts? It has been for the last 3 years, at least.