Ask Slashdot: My Host Gave a Stranger Access To My Cloud Server, What Can I Do?

zzzreyes writes "I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had given a person full access to my server and revoked it, but not before 2 domains were moved from my account. I logged into my account to review the activity and found the form the perpetrator had submitted for appointment of new primary contact and it infuriated me, given the grave omissions. I wrote a letter to the company hoping for them to rectify the harm and they offered me half month of hosting, in a sign of good faith. For weeks I've been struggling with this and figure that the best thing to do is to ask my community for advice and help, so my dear slashdotters please share with me if you have any experience with this or know of anyone that has gone through this. What can I do?"

Talk to a Lawyer

[eldavojohn]

That's it. That's the truth and that's how 99% of ask Slashdot answers start and end. It's good advice. Everything that follows hereafter is my own, uneducated, horseshit assumptions on how things (should) be.

It wouldn't hurt for you first to read up all that legalese you agreed to when you first entered into a "business contract" with these guys. I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property. And by clicking a checkbox at the end of this fifteen million word tome, you agree not to hold them liable.

Go ahead, I bet it's in there and I've never even read one of these things myself. Which, don't lose heart if it is, a lawyer can probably sacrifice a few kittens, babysit the judge's nephew for free and come out with some sort of "unreasonable burden" to parse that whole thing upon completion of the transaction. I don't know, I know that people are slowly starting to become more reasonable about massive ToS documents.

Lawyers cost money, I have no idea how much money this lost you but sometimes it's not worth fronting $5,000 for a lawyer when $500 is at stake. What I would do is send them another message saying you find their consolation gift unacceptable and you're moving all your business away from them. Then I would do that. Then, I would simply write up a detailed account of these events with a tl;dr of "got F'ed in the A by XYZ Inc" and just go out and drop that on every single forum and review site you can find for domain names and hosting. Why not hit the Better Business Bureau while you're at it? Then I'd let those ferment and field questions in my free time because, hey, revenge releases a special kind of endorphin, right? Then you could be done with it or you could just send them endless requests for reimbursement with the fallout being more zero star reviews and a possible visit from your non-existent lawyer. And why not? They deserve the reputation they have exhibited to you.

And whenever I go off and do something like this and I get sick of the effort, I justify everything by imagining that if I don't do this they'll just screw over god knows how many other customers. So you're doing a public service.

You have few options...

[Tolvor]

I used to work at a major domain name registrar before I went into business for myself. I have heard of dozens of cases like yours, and in short you are toast.

Scammers look for valuable domain names that are in vulnerable accounts that have public emails addresses on free email servers (hotmail, gmail, yahoo, sbcglobal, comcast...) and that can be registered. Or it can be an old phone number that can be used, or some simple paperwork that can be faxed in that the scammer has access to.

The registrars try to protect the domain name and send out warning emails that major account changes are occurring. If those emails are ignored and the domain names get transferred out, it is too late. It is unbelievably difficult (ICANN dispute) to reverse a transfer and force a domain name back once that transfer has finished.

You ignored the email, so unfortunately it is your own fault. Just as it would be your fault if you ignored an official notice that you are required to show up for jury duty thinking it was spam, and afterwards get fined or arrested. Just as if you ignore the car alarm going off in the parking lot as a false alarm and in fact your car was jacked does not mean the alarm company is at fault. The fact that you ignored it means that you did not take needed and necessary steps to protect your property.

You need to read the registrars terms of service and legal agreement that you agreed to. I am familiar with most of the major registrars and they all specifically cover this situation (basically that the onus is on you to protect your services). The registrars do this to protect themselves from lawyers.

The only realistic course of action is for you to register a new domain name, sad as that may be. Or pay the hostage fee to whoever took the domain name which will probably be in the thousands of dollars.

I wish you luck.

Re:Tell us who it was.

[CAIMLAS]

If it were my provider, I'd leave and tell all my friends and acquaintances precisely which provider it is.

This behavior is worse than inexcusable. Sure, it's a 'cheap' service but the reprecussions for this are massive to the user.

Re:Talk to a Lawyer

[Anonymous Coward]

The threat of a suit has considerably more weight when it arrives on letterhead from a law office.

But all that aside... TELL US WHO THE PROVIDER WAS!

Do NOT talk to a lawyer

[petes_PoV]

First of all, assess the damage. How much time has it cost you to rectify the situation? Have you got your 2 domains back? If you can come up with a reasonable figure for the time and any commercial damage that has been done, set that against the cost of "lawyering up".

If you asked for this amount. I would expect your service provider would interpret it as the opening round in a negotiation and eventually you'll probably end up with about 50% of what you ask for. So make sure you've included everything in whatever you think you're due. Add on to that the time it will cost you to negotiate a fair settlement.

The only time it's worth the time, trouble and potential cost of involving a third party (who will probably take as much of your time as you'd spend reaching a solution on your own and will almost certainly earn much, much more from this than you'll ever receive: possibly from yourself - and double that for the other guy's lawyer, if you lose) is if you get stonewalled, or counter-sued. If you can possibly reach an agreement without involving others, you stand to get the fastest and most satisfactory outcome. Remember, this is not a money-making opportunity.

You are in a negotiation here

[DG]

I don't thing you need a lawyer - yet.

You are in a negotiation. The company has made you an initial offer - the half-month free hosting - and that initial offer has a dollar value associated with it.

You have been inconvenienced, and it took time to rectify the problem. Your inconvenience and time also has a dollar value associated with it. So what is it?

I would work out the value of what you lost, add 20% for general hassle costs, and present that as a counter-offer to the company.

I would also work out the minimum value for which I would settle. It's less than getting everything I want (which you might get) but enough to counter-balance the additional hassle of hiring a lawyer and all those extra expenses.

Then negotiate. If they present an offer that is above your settle value, take it. If they don't, THEN you call the lawyer. Not only is this likely to arrive at a mutually agreeable solution without lawyers taking a cut, if you do wind up hiring a lawyer, you give him more to work with "my client made a perfectly acceptable counter offer and you refused it" etc.

Lawyers can be a useful tool, and sometimes they are necessary, but a reasonable negotiation can also work. You just need to understand your position first.

DG

Re:Co-Locate everything

[Kalriath]

What's wrong with unmanaged dedicated? The provider doesn't know your password so essentially it's the same as co-locating (i.e. the provider can get into it anyway, since they have physical access but they'll have to hack it to do so).

legally claimable losses

[dutchwhizzman]

Having to completely reinstall the server because of possible back doors left by the "thief". Business value of the domains stolen. These are most definitively damages that are a direct result of the fact that they let a stranger on his cloud server. Possible damages include lost revenue that can be proven by either actual cancellations and possibly statistics, monetary equivalent of lost reputation (reduced business income) and overhead costs like legal fees, time taken to sort out the incident and such. Even if you only take 8 hours to reinstall the server at a modest rate of $50/hour you are looking at $400 in damages. I doubt you'd be paying much more than that for an average cloud server for a whole year, so the settlement offer they give is nowhere near your costs and what your claim should be.

Re:Tell us who it was.

[dubl-u]

Whoa. That puts a different light on things. The poster, who does web development, bought a domain name learning-together.ca which was used by his client Learning Together Inc. Rackspace transferred control of the domain name from the poster to Learning Together, Inc. It seems very weird indeed that the poster is trying to keep control of that domain.

Re:Tell us who it was.

[dubl-u]

Sure, but it makes it an understandable mistake on the part of Rackspace. And if the company gave Rackspace some documentation that the poster was buying the name on behalf of Learning Together, then the transfer may have been proper.

More importantly, though, it puts the poster in a different light. He concealed material facts in his summary, and on the face of it trying to hold on to a client's domain is shady. It makes me wonder what else he's hidden.