Banking data fears over Fasthosts intruder

Investigators are racing to establish whether the intruder who hacked into a server at Gloucester-based web host Fasthosts stole banking information. The breach was revealed yesterday. Fasthosts has told customers to change all their passwords, which were not encrypted. Fasthosts has not revealed whether the attacker gained …

COMMENTS

This topic is closed for new posts.
  1. Schalor Visari
    Flame

    'Cancelled every card ever near fasthosts' - ex-customer.

    This was something I was really worried about when I got news of this breach. Especially when they didn't mention if the CC data was safe. I've cancelled my cards and my Fasthosts account.

    As I said. Nothing is risk free but no-one is as stupid as Fasthosts...

    http://www.azcazandco.com/2007/10/19/hope-you-sink-fasthosts-is-your-data-safe-peeps/

  2. jurgen
    Alert

    come clean and own up !!!!

    For once Fasthosts will have to come clean, they cannot stand behind their extensive 'it's never our fault' SLA.

    J

  3. Biton Walstra
    Alert

    again and again and again

    with those guys it's an ongoing story... but sad that, why are people still using them as hoster?

  4. Steven Griffiths
    Thumb Up

    I'm really starting to like Fasthosts...

    Coming from someone who works for a much smaller hosting company (who encrypts customers' passwords) they've been haemorrhaging customers all year, and everyone else benefits!

    Between the ineptitude of the competition (we've benefited from Rackmount's past cockups too) & word of mouth between defectors we haven't had to advertise recently. We've even had a few doing a runner from PlusNet.

    Beauty fasthosts, keep it going.

  5. Eliot Jones
    Heart

    Thinking about a future without Fasthosts

    I'm very disappointed with Fasthosts' handling so far. I would have sympathy for them in their plight, and I'm sure their day is worse than mine (although all our websites were hacked this morning, AFTER we'd changed all our passwords) - but they're leaving us high and dry to handle our customers with no information to defend ourselves. And they're the ones who encourage us to get all these customers in the first place, by advertising their reseller programme.

    It would be very difficult for us (logistically and financially) as a small company to move all our sites to a new host, but we have to start considering that - because we have to know that our host will help us help our customers in times of difficulty.

    My question is: where to go to next? How do I start dating again after a long monogamous marriage? I'm seeking a Windows/ASP/MS SQL host, with attractive rates for multiple domains, a finely-built control panel, and BSFC (better support for customers).

  6. Robin Fairless
    Stop

    They said no to me

    I phoned Fasthosts technical support up yesterday when the email came in - The bod on the other end of the phone said they were 100% confident that credit card was safe.

    I am also annoyed as I spent 3 hours yesterday changing my and all my clients' account, mysql, ftp and email passwords. And then had to spend this morning dealing with people who want to know why the password they have had for the last however long has stopped working. So much for a poets day.

    If a hacker has got my card details can I assume he will pay off my overdraft before using it?

  7. Daniel B.
    Thumb Down

    Cleartext Passwords?!?!

    Now that's the reason my banking passwords are never the same. Two-factor auth apart, it is just calling for something like this to happen. While cleartext passwords are usually the product of lazy programmers, there are a LOT of lazy programmers out there.

    I know of at least one application that not only does this, but also puts the cleartext password *in the log*. Sheesh, even FOSS dudes can use the PASSWORD() function in MySQL, or hash functions in PHP. Stop being lazy.

  8. Anonymous Coward
    Flame

    Credit card info? So what?

    I never understand this panic over someone getting access to credit card numbers. If my credit card gets defrauded because of this, then I will just ask the bank for the refund. Easy enough to prove it wasn't me in China buying that expensive bit of kit. Especially when it wasn't sent to my registered address.

    And I expect the bank's system would automatically block any attempted transactions anyway... they will be too far out of my "normal" purchasing patterns.

    (I base this on experience of having debit cards stolen from letter boxes and getting a complete refund. Or the problems my Dad gets when he tries to buy £500 printers on his personal credit card that usually is only used for petrol and Tescos. LoL!!)

    Yes - I am annoyed that Fasthosts has this kind of information in an area that can be hacked into... but I am not exactly concerned about any financial problems. :-) There are much worse cowboy outfits out there than Fasthosts... the ones who stay quiet about all the hacks. They are the ones to be real worried about... :)

    (Only posting anon in case my clients are reading this... LoL!!)

  9. Jon
    Unhappy

    ONE EMAIL

    Yes, that's all I got.. ONE F^£king email.. "Oh dear customer we seem to have been hacked, you might want to change all your passwords" or words to that extent.. Nothing proving it wasn't a hoax.. They could have done a little more than to have sent one email.. A link to a confirmation announcement on their website would have been the least I could expect.. I'd already threatened to walk away from them because of their handling of my DNS records, the Techie didn't seem to care.. This clinches it.. That's it.. I'm off.. Anyone got any recommendations.. I've heard a lot about GoDaddy.. anyone got any good/bad comments about them??

  10. James Kapherr

    I just got the 'hack' email...

    tried to log into my UKReg account and it won't recognise my username and password. Hit 'resend password' and I no longer exist in the system!

  11. Ian Rogers
    Happy

    @One Email

    "A link to a confirmation announcement on their website would have been the least I could expect..."

    ..from a PHISHER!

    I found Fasthosts' email very concise and well considered. They deliberately did NOT put a link in their message as the only way to be sure you're going to a genuine website is to type it into the address bar!

  12. andy

    Fasthosts terms ....

    I tried to delete my credit card from my UKREG account and get this message:

    Important: under our terms and conditions, you must always keep at least one credit card on your account. After removing this card, it is important that you add another credit / debit card, or your account could possibly be suspended for not complying with our terms of service.

    What a joke...

  13. Anonymous Coward
    Anonymous Coward

    I moved all my....

    webhosting to domaincity.co.uk a few months ago, luckily.

  14. Anonymous Coward
    Pirate

    Can't have been the BOFH whodunnit it then

    So, if you rent a dedicated server from Fasthosts, there's a lovely shiny button on your control panel to "rebuild server OS"...!

    In the absence of widescale data wrecking and no large reports of people suddenly having had their servers reformatted, maybe we can safely assume the target was credit card data?

    In the words of the PFY - "But my password - it doesn't explain my password!"

    Think it's been said before, but they haven't even taken the hint on secure logins. Go to http://www.fasthosts.co.uk/ and click customer login. You're redirected to a non-secure page. You can MANUALLY stick https in your address bar, but if you don't, your user/pass is sent plain-text across the net anyway. But then, AFTER logging in, you're redirected to a HTTPS page!

    Further noted is the complete absence of any strong password checking mechanism when changing passwords. Only stipulation is that it has to be 6 characters. Hmm, <clickety...> ahah "123456".

  15. Anonymous Coward
    Stop

    Title

    'Go to http://www.fasthosts.co.uk/ and click customer login. You're redirected to a non-secure page. You can MANUALLY stick https in your address bar, but if you don't, your user/pass is sent plain-text across the net anyway. But then, AFTER logging in, you're redirected to a HTTPS page!'

    Not true - you are directed to a https, although has this just been changed??

  16. Antony King
    Alert

    passwords changed - by fasthosts ?

    After changing passwords, it seems that some of them have been changed back again - have Fasthosts restored their password database by any chance?
