Ask Slashdot: My Host Gave a Stranger Access To My Cloud Server, What Can I Do? 176
zzzreyes writes "I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had given a person full access to my server and revoked it, but not before 2 domains were moved from my account. I logged into my account to review the activity and found the form the perpetrator had submitted for appointment of new primary contact and it infuriated me, given the grave omissions. I wrote a letter to the company hoping for them to rectify the harm and they offered me half month of hosting, in a sign of good faith. For weeks I've been struggling with this and figure that the best thing to do is to ask my community for advice and help, so my dear slashdotters please share with me if you have any experience with this or know of anyone that has gone through this. What can I do?"
Tell us who it was. (Score:5, Informative)
If it was my provider, I'm leaving.
As the Lawyer response has been given... (Score:2, Informative)
Step 2 is find a different Hosting provider. There's only, what, several thousand out there!
Re:Tell us who it was. (Score:5, Informative)
I'd suggest checking the submission tags; there might be a clue there.
Re:Talk to a Lawyer (Score:5, Informative)
definitely talk to a lawyer. I want to add something to it that you may not know.... some clauses that seem to protect them in one case, can hurt them in another because of legal presedents that interpret those.
For example, one that a friend told me about.... lets say you live here in MA and lease an apartment. Well, there are some legal clauses that can be put in there to protect the landlord from legal fees. However, if they are in there, and the landlord is found to be at fault, then that same clause can be turned around to make them pay instead.
This is not obvious from the wording or just reading the contract, but is well known (to lawyers) legal precident. I forget the exact specifics but....I know a friend of mine is hunting for the last remaining copy of the second page of his rental agreement because he says it contains terms that will get him treble damages in his case with his landlord. (as a landlord myself, I can also say, if the allegations are true...that guy is a douche bag, and has even entered the rented apartment without cause, permission, or even notice... among other things....)
So yes... call a lawyer.
Re:Who? (Score:5, Informative)
And people wonder why I'm against the cloud. (Score:5, Informative)
As long as your data is out of your hands it is extremely vulnerable. The hosting company only cares about the money you pay them and little else. If they're hacked, too bad. If they're servers are down, too bad. if the justice department comes with a request, all your data belong to them. Host your own systems on your own property and make your own "in-house" backups. The cloud by definition is vaporware.
Re:Talk to a Lawyer (Score:4, Informative)
That's not really true, lawyers will very often threaten a suit before filing if doing so would be advantageous. For example, if the mere existence of a lawsuit would bring to light facts that a company would rather not make public, they may be willing to offer a settlement prior to any filing. But once the suit is filed and on the public record, the damage is done, and they may decide at that point they may as well fight to the end. Now the real truth is that non lawyers who threaten to sue generally don't, and lawyers know that. Basically, if you write a letter to your colo facility telling them you're considering the merits of a lawsuit, they'll ignore it. If your lawyer writes the same letter, they'll probably take it more seriously.
Re:Talk to a Lawyer (Score:5, Informative)
I agree that you need to talk to a lawyer, and I am coming from experience since I am a lawyer. My gut reaction is that unless you actually sustained tangible damages (such as loss of business revenue, harm to your business reputation, or having to pay out of pocket expenses to clean up the mess created by the host) you probably don't have much legal recourse against the host. However, depending on the state where you live and the state where the host is located, there may be consumer protection or privacy laws that provide for statutory penalties of some amount for acts such as this.
I practice law in Florida, and I get similar inquiries quite often and my first question is generally "what have you lost?". If all you suffered is your own disappointment and frustration with the company, it is not going to be worth the time or effort for you to keep dealing with it. Don't use the company anymore, and feel free to report them to whatever consumer protection agency you feel. But be warned that you should never exaggerate the facts, as I've also seen consumers sued by companies alleging defamation when the customer sprinkles some fantasy in with the truth. Don't put yourself on the wrong side of a lawsuit, because chances are the company will have the resources to sue you and you would be left paying out of pocket to hire an attorney to defend you.
My advice? Talk to a lawyer just to see what your options are. But don't let your emotional response govern over good sense.
Re:Talk to a Lawyer (Score:4, Informative)
>>> I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property.
Which goes right out the window when the State Law says the opposite. Example: Paypal's EULA said they are not responsible for lost funds, and the judge said that's bullshit and ordered them to return all funds to customers (I got back 100-some dollars).
Plus in this case the stolen domain names were lost through incompetence by the webhost (they accepted incomplete forms). They are liable for damage caused by their inemptitude.
Re:Talk to a Lawyer (Score:4, Informative)
Also consider talking with an executive at the company. Sometimes these conversations can be fruitful.
I once had a dispute with a datacenter that had me sufficiently upset that I was ready to leave. However, I wound up receiving a $15,000 service credit, had my monthly recurring reduced by $3,000/mo, and had them agree to provide detail on how they were going to prevent the problem from recurring. All because I flew to the CEO's office and had a polite (though tense) one hour meeting.
No lawyers or anything. Just a conversation.
Trademark your domains (Score:5, Informative)
It's helpful to register trademarks on your important domains, if they're unique enough. This means a quick win in a UDRP proceeding, and gives you the option of suing anyone who ended up with your domain. It's about $400 per domain.
More importantly, own your domains. If WHOIS doesn't have your name and address in "Registrant", you do not own the domain. You're just renting it from somebody. Your hosting provider should never have their name in there. This really matters when there's a dispute. Deal directly with your domain registrar. Do not deal with them through a hosting service.
"Private registration" works the same way. The "private registration" service owns the domain, and you have a contractual relationship with them, at best. See what happened when RegisterFly went bust. [wikipedia.org]
Re:Talk to a Lawyer (Score:5, Informative)
When you visit a lawyer for the first time, you shouldn't be doing it with a mind to threaten a lawsuit. You're going for advice. You probably have some kind of contract that governs your relationship with the hosting provider. You might not have had a lawyer read it before you signed it; do that now. Then you can ask exactly what the hosting provider may be liable for, and where they may have effectively covered their own asses. If you do think you might want to threaten a lawsuit, it's important first to know whether you have a leg to stand on.
Empty threats to sue may sound like hot air. A letter on an attorney's letterhead that specifies the ways in which the hosting provider is in breach of contract will probably be taken seriously. And 90 percent of the time, the issue will be resolved before it ever gets to court. Nobody wants court.
Also, don't assume this process will lead to you getting absolutely everything you think you deserve. Have some sort of minimum compensation in mind that would allow you to walk away feeling like you've had some justice. Your lawyer will help you figure out this number, too. Negotiations can proceed from there.
But if you won't be happy until the hosting provider is well and thoroughly punished for what they did, you will probably walk away disappointed. Especially if they're a public company, you're not going to be able to shame them into giving you what you want. The civil legal process is there to determine what you may be owed, legally. It's not there to exact vengeance for you. In fact, you'll sleep better at night if you just let that go.
Really, I think the most important thing here is to begin the process of moving to a hosting provider that will give you better service. Everything else is secondary. In fact, I would skip the "negative publicity" part, except in private. Particularly if you're investigating legal options, trash-talking the hosting provider publicly before proceedings begin could work against you. It could even become the source of a counter-suit.
Re:Protecting the guilty to trap the innocent? (Score:5, Informative)
The tag was applied by the submitter. See the Original submission [slashdot.org] and notice the link to the original source [google.com], which is a letter the submitter wrote to Rackspace about this incident.
Re:Tell us who it was. (Score:5, Informative)
It was apparently Rackspace [rackspace.com], judging by the PDF document [google.com] linked in the original submission.
Re:Talk to a Lawyer (Score:5, Informative)
Yes, exactly. On a couple of occasions a sternly worded letter from a lawyer has worked wonders for me.
My favorite was when a company who owed me for months of contract work suddenly got a case of we-can't-afford-to-pay. My lawyer wrote a letter explaining that under California law, wages had to be paid before anything else, and encouraged them to contact the very energetic state agency in charge of enforcing that if they were unclear. It was a masterpiece of subtle menace, and I got a wire transfer for the whole amount two days later. Total cost to me: a few hundred bucks. A decade later, he's still my lawyer.