All entries for Friday 30 November 2007
November 30, 2007
Writing about web page http://www.covscene.co.uk
I help administer Covscene, a local music website. When I got home last night I logged on as usual to check the forums and delete any spammers before going to bed, only to be greeted with an error page because it couldn't connect to the database. The person who actually pays for the hosting was on MSN at the time, so I chatted with her to discover that this had been the case for a few hours by this point. Whilst chatting she received the following email from Fasthosts:
From: Fasthosts [mailto:email@example.com]
Sent: 30 November 2007 00:52
Subject: Important information about your Fasthosts account
We wrote to you on 18th October 2007 advising that you change all of the
passwords on your Fasthosts accounts (including control panel, FTP, database and
email), in order to prevent any unauthorised account access following the network
intrusion we previously communicated.
Whilst we have found the vulnerability that caused this issue, and have instigated a
system wide security audit to improve and enhance our current security, we also
advised you to change your control panel, FTP and email passwords as a
Today we have been made aware that a small number of our customers who did not
change their passwords have experienced a compromise to their FTP space.
As a result, in order to totally protect all of our customers, we have today
implemented an automatic password change for every control panel, FTP or SQL
password that was not previously reset.
In 10 days time we will also reset all unchanged email passwords.
To ensure complete security when communicating your new passwords to you, we
will first take the stringent measure of sending the new control panel
password via Royal Mail. Once you have received your new control panel
password, you will then be able to go into your control panel and immediately
change your FTP, SQL and email passwords. Please note that the email password
reminder system will not work from the time you receive this mail, to the time you log
in with your new control panel password.
If you have already changed your control panel password, you will still need to go
into your control panel and change ALL the FTP, SQL and email passwords
associated with your accounts that haven't already been changed.
UNDER NO CIRCUMSTANCES WHATSOEVER SHOULD YOU TRY TO REUSE
ANY OF YOUR OLD PASSWORDS
We apologise for the inconvenience that this will cause you during this period, but
trust you understand that our primary concern is for our customers and for the
security of their websites and data. Unfortunately, an automatic password change is
the only way of ensuring that all of our customers are totally secure.
If you have any questions relating to this, please contact our Customer Support
team on 0870 888 3600 or firstname.lastname@example.org, and they will be
more than happy to help you. Thank you once again for your understanding and
cooperation in this matter.
Yours sincerely,
The Fasthosts Team
This is all well and good; however, we had already changed our control panel password as recommended a few weeks ago, yet it has still been reset along with all the other passwords. After over 3 hours on hold (@10p/mi) she eventually got through to their support, only to be told that they could not give us a new password and we would have to wait to receive the new one via the post, which they may or may not get sent out today. In the meantime we are unable to access the account via any means to let people know what is going on, or to move the content to another host.
In our case it is highly annoying; any commercial organisation is likely to be losing money. Fortunately my hosting for various other organisations is elsewhere, otherwise I would be having to field lots of complaints from people who actually could be losing money.