WHMCS Data Compromised By Good Old Social Engineering
howhardcanitbetocrea writes "WHMCS has had 500,000 records leaked, credit cards included, by hackers calling themselves UGNazis. Apparently UGNazis succeeded in obtaining login details from the billing software's host by using social engineering. UGNazis accuse WHMCS of knowingly offering services to fraudsters. After almost 24 hours UGNazis still seem to have control of the WHMCS Twitter account @whmcs and are regularly updating their exploits. These tweets are also feeding into WHMCS software."
In case you wonder who or what WHMCS is... (Score:5, Informative)
Re:Passwords Are Safe, But ... (Score:5, Informative)
>But encryption can protect sensitive data if security is ever breached.
Encryption only works until you give the key away for a candy bar in a social engineering scheme.
Then all bets are off.
--
BMO
WHMCS is Hosted by Hostgator (Score:4, Informative)
As a former employee, posting this as anonymous for obvious reasons; however, the below information is freely available if you know where to look.
WHMCS is hosted by Hostgator on a dedicated server. This can be found by:
% dig NS whmcs.com +short | head -1 | xargs dig +short | xargs whois
# http://whois.arin.net/rest/nets;q=50.116.115.104?showDetails=true&showARIN=false&ext=netref2
HGBLOCK = Hostgator IP block, the ARIN address is Hostgator's main office, and websitewelcome.com is Hostgator's generic domain that they use for reseller servers' hostnames/nameservers.
Official announcement (Score:5, Informative)
They're saying that the intruders managed to obtain credentials from their web hosting company, which allowed them to access the (I assume) dedicated servers rented by WHMCS.
Putting aside the fact that they're storing CC data on a third party server, what the blog post does not explain is how exactly this would amount to a total compromise of those accounts, as the server passwords should not even be known by the hosting company, and in any case this data should have been encrypted. It would also be interesting to know how they went from that to accessing the company's twitter account - my guess would be that the same password was used on twitter as on their servers.
So basically: no encryption, relying on an insecure third party to store critical data, and possibly the same password being used for a major hosting server and their twitter account. I, for one, would not rely on this company to handle billing & support for my customers.
Re:salty... salty... (Score:2, Informative)
the passwords are “stored in hash format” so they’re safe
Assuming their programmers know what a salt is (maybe they do, maybe they don't, he's not saying), and/or their users are not using passwords typically seen in a dictionary attack (yeah right)
A salt isn't some magic pixie dust that makes hashes more secure: you also have to use them correctly. If the code is something like
$salt = 'n1c3tryh4x0r$';              // one fixed, site-wide salt for every user
$hash = sha1($salt . $password);      // same password => same hash for all users
Then it's not very useful. If on the other hand it's something like
$salt = base64_encode(random_bytes(16));               // fresh random salt per user (random_bytes() needs PHP 7+)
$hash = $salt . '$' . hash_hmac('sha1', $password, $salt); // store salt next to HMAC-SHA1(key = salt, msg = password)
Then one would have much less to worry about.
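The difference between the two schemes in the comment above, worked through as an added example (my code, not anything from the post or from WHMCS). It is written in Python rather than PHP so it can be run as-is; the HMAC argument order (key = salt, message = password) is an assumption, since the post's `HMAC_sha1($salt, $password)` leaves it ambiguous, and the PBKDF2 variant at the end goes beyond the post: a random salt stops precomputation, but only a deliberately slow hash stops fast brute force once the table has leaked.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# The fixed, site-wide salt from the post's "not very useful" snippet.
STATIC_SALT = b"n1c3tryh4x0r$"


def static_salt_hash(password: str) -> str:
    """Weak scheme: sha1(static_salt . password). Every user shares the salt,
    so equal passwords give equal hashes and one precomputed table covers
    the whole user base."""
    return hashlib.sha1(STATIC_SALT + password.encode()).hexdigest()


def random_salt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Better scheme: per-user random salt stored as 'salthex$hmac'.
    Assumption (not stated in the post): HMAC key is the salt, message is the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hmac.new(salt, password.encode(), hashlib.sha1).hexdigest()
    return salt.hex() + "$" + digest


def verify_random_salt(password: str, stored: str) -> bool:
    """Recompute the HMAC with the stored salt; constant-time compare."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hmac.new(bytes.fromhex(salt_hex), password.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(candidate, digest)


def stretched_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Beyond the post: per-user salt plus PBKDF2-HMAC-SHA256 stretching, so each
    guess costs the attacker `iterations` hash calls instead of one."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_stretched(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Constructed user table (not real data). Simulates an attacker who has the
    leaked table and a small wordlist, under each salting scheme."""
    users = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
    wordlist = ["letmein", "password1", "qwerty"]

    static_table = {u: static_salt_hash(p) for u, p in users.items()}
    random_table = {u: random_salt_hash(p) for u, p in users.items()}

    # Static salt: hash each word once (can even be done before the breach),
    # then match the table against every user at no extra cost.
    precomputed = {static_salt_hash(w): w for w in wordlist}
    cracked_static = {u: precomputed[h] for u, h in static_table.items() if h in precomputed}

    # Random salt: the salt is public, but the wordlist must be rehashed per user.
    cracked_random = {}
    for u, stored in random_table.items():
        for w in wordlist:
            if verify_random_salt(w, stored):
                cracked_random[u] = w

    return {
        "static_collision": static_table["alice"] == static_table["bob"],
        "random_collision": random_table["alice"] == random_table["bob"],
        "cracked_static": cracked_static,
        "cracked_random": cracked_random,
        "hash_ops_static": len(wordlist),
        "hash_ops_random": len(wordlist) * len(users),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both schemes lose alice and bob to the wordlist; what the random salt buys is that the attacker's work is multiplied by the number of users and cannot start until the table leaks. The PBKDF2 variant is what closes the remaining gap, and a modern PHP codebase would get the same from `password_hash()`.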
There was no hacking!! (Score:5, Informative)
Yes, they didn't break in, YOU FUCKING LET THEM IN, because that really makes a difference.