
HETZNER GOT HACKED

serverian Member
edited June 2013 in General

Dear Client

At the end of last week, Hetzner technicians discovered a "backdoor" in one
of our internal monitoring systems (Nagios).

An investigation was launched immediately and showed that the administration
interface for dedicated root servers (Robot) had also been affected. Current findings would suggest that fragments of our client database had been copied externally.

As a result, we currently have to consider the client data stored in our Robot as compromised.

To our knowledge, the malicious program that we have discovered is as yet
unknown and has never appeared before.

The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.

The standard techniques used for analysis such as the examination of checksums
or tools such as "rkhunter" are therefore not able to track down the malicious
code.

We have commissioned an external security company with a detailed analysis of
the incident to support our in-house administrators. At this stage, analysis
of the incident has not yet been completed.

The access passwords for your Robot client account are stored in our database
as a hash (SHA256) with salt. As a precaution, we recommend that you change your
client passwords in the Robot.

With credit cards, only the last three digits of the card number, the card type
and the expiry date are saved in our systems. All other card data is saved
solely by our payment service provider and referenced via a pseudo card number.
Therefore, as far as we are aware, credit card data has not been compromised.

Hetzner technicians are permanently working on localising and preventing possible
security vulnerabilities as well as ensuring that our systems and infrastructure
are kept as safe as possible. Data security is a very high priority for us. To
expedite clarification further, we have reported this incident to the data
security authority concerned.

Furthermore, we are in contact with the Federal Criminal Police Office (BKA) in
regard to this incident.

Naturally, we shall inform you of new developments immediately.

We very much regret this incident and thank you for your understanding and
trust in us.

A special FAQ page has been set up at
http://wiki.hetzner.de/index.php/Security_Issue/en to assist you with further
enquiries.

Kind regards

Martin Hetzner
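The notice above says the implant lives only in RAM inside running Apache and sshd processes, so file checksums and rkhunter find nothing. What a responder checks instead is the memory layout of the live processes: legitimately loaded code executes from file-backed mappings (the binary, shared libraries) or a few kernel-provided regions, so an executable mapping that is anonymous, writable-and-executable, or backed by a deleted or memfd file is where injected code normally has to sit. The script below is an added example written for this page, not Hetzner's tooling and not part of the thread; the sample `/proc/<pid>/maps` text, the process names and the addresses in it are constructed, and the function and variable names are mine. JIT runtimes (Java, JavaScript engines) legitimately use anonymous RWX memory, so hits need manual triage rather than automatic action.

```python
#!/usr/bin/env python3
"""Flag in-memory code injection in running processes via /proc/<pid>/maps.

Added example, not Hetzner's tooling. Heuristic: code loaded legitimately
executes from file-backed mappings (binary, shared libraries) or from a few
kernel-provided regions. An executable mapping that is anonymous, writable,
or backed by a deleted/memfd file is where a memory-only implant usually lives.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

# Kernel-provided executable regions that are anonymous by design.
KERNEL_REGIONS: Set[str] = {"[vdso]", "[vsyscall]", "[vvar]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp"
    path: str    # "" for anonymous memory


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    out: List[Mapping] = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.rstrip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                               m.group(3), m.group(4).strip()))
    return out


def why_suspicious(m: Mapping) -> Optional[str]:
    """Reason an executable mapping looks injected, or None if it looks normal."""
    if "x" not in m.perms or m.path in KERNEL_REGIONS:
        return None
    if m.path == "":
        return "anonymous executable memory"
    if "w" in m.perms:
        return "writable and executable (RWX) file mapping"
    if m.path.endswith("(deleted)"):
        return "executable backed by a file deleted or replaced on disk"
    if m.path.startswith("/memfd:") or m.path.startswith("/dev/shm/"):
        return "executable backed by an in-memory file"
    return None


def suspicious_mappings(mappings: List[Mapping]) -> List[Tuple[Mapping, str]]:
    hits = []
    for m in mappings:
        reason = why_suspicious(m)
        if reason:
            hits.append((m, reason))
    return hits


def scan_proc(names: Optional[Set[str]] = None,
              proc_root: str = "/proc") -> Dict[int, Tuple[str, List[Tuple[Mapping, str]]]]:
    """Scan readable processes (optionally only those whose comm is in `names`).

    Reading another user's maps needs root; unreadable or vanished processes are skipped.
    """
    hits: Dict[int, Tuple[str, List[Tuple[Mapping, str]]]] = {}
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            if names and comm not in names:
                continue
            with open(os.path.join(base, "maps")) as fh:
                flagged = suspicious_mappings(parse_maps(fh.read()))
        except OSError:
            continue
        if flagged:
            hits[int(entry)] = (comm, flagged)
    return hits


# Constructed sample (hypothetical sshd; addresses and inodes invented): a normal
# layout plus one anonymous RWX region of the kind an injected payload needs.
SAMPLE_SSHD_MAPS = """\
55d4a2a00000-55d4a2b00000 r-xp 00000000 fd:01 1234567                    /usr/sbin/sshd
55d4a2d00000-55d4a2d10000 rw-p 00100000 fd:01 1234567                    /usr/sbin/sshd
55d4a4000000-55d4a4021000 rw-p 00000000 00:00 0                          [heap]
7f3c1c000000-7f3c1c1b0000 r-xp 00000000 fd:01 7654321                    /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c1c400000-7f3c1c410000 rwxp 00000000 00:00 0
7ffd0a000000-7ffd0a021000 rw-p 00000000 00:00 0                          [stack]
7ffd0a1f0000-7ffd0a1f2000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
"""

if __name__ == "__main__":
    import sys
    for m, reason in suspicious_mappings(parse_maps(SAMPLE_SSHD_MAPS)):
        print(f"sample: {m.start:x}-{m.end:x} {m.perms} {m.path or '(anon)'}: {reason}")
    targets = set(sys.argv[1:]) or {"sshd", "apache2", "httpd"}
    for pid, (comm, flagged) in scan_proc(targets).items():
        for m, reason in flagged:
            print(f"pid {pid} ({comm}): {m.start:x}-{m.end:x} {m.perms} {m.path or '(anon)'}: {reason}")
```

Run it as root on the affected host (`python3 scan_maps.py sshd apache2`) and it reports the sample hit first, then any live process whose executable memory is not explained by its binary and libraries. Because the implant does not restart the service, a further useful comparison is the text segment read from `/proc/<pid>/mem` against the on-disk binary, which this example leaves out for brevity.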

Comments

  • Spirit Member
    edited June 2013

    Ouch. But at least they don't try to cover it up, and most relevant details were given before they got asked about them. Some people should take this as an example when things go wrong...

  • That's crazy, but I can believe it, with these hackers today hacking everything they see.

  • @Spirit said:
    Ouch. But at least they don't try to cover it up, and most relevant details were given before they got asked about them. Some people should take this as an example when things go wrong...

    I'll give them an 8/10 for their handling of it. They sent out an email immediately but they should also have posted a message in Robot that people would see when they logged in in case someone didn't receive the email (i.e. it went into their spam folder).

    Compared to the post-hack responses of a few LEB providers who have been hacked (i.e. not disclosing the hack, or treating a hack as not a big deal), I'd give Hetzner a 10/10. :)

  • A lot of interesting discussion on this over at Hacker News:
    https://news.ycombinator.com/item?id=5833181

  • Yes it is nice Hetzner is not hiding the information.

  • Hmmm, and what about the copies of customers' private documentation that they receive??

    Aren't these the geniuses that require copies of utility bills or drivers' licenses, etc?

    Wonder if those are stored electronically?

    As I have said before, seems to me that some of these providers should be providing documentation about themselves rather than the other way around.

    Good luck to all their customers.

  • Spirit Member

    @geekalot said:
    Hmmm, and what about the copies of customers' private documentation that they receive??

    They said: "The system that stores scans of ids, credit cards and so on was not compromised. In addition to that, we delete that information after 21 days."

  • geekalot Member
    edited June 2013

    @Spirit: I sure hope that statement is accurate. Who can prove or disprove it??

    IMHO, this breach is another reason why requiring and storing (scans of customers' private documents) is not a good practice ... even if for 1 day.

  • Maounique Host Rep, Veteran

    @geekalot said:
    Spirit: I sure hope that statement is accurate. Who can prove or disprove it??

    IMHO, this breach is another reason why requiring and storing (scans of customers' private documents) is not a good practice ... even if for 1 day.

    I think hetzner would not lie about that, but who knows...

    I agree sending any kind of private data over the internet is asking for trouble, but it is hard to avoid some things. Keeping it to a minimum is a way of giving yourself a reason to sleep well at night, not really solving the problem, but really, sending official documents is bad, bad, bad.

    OVH refused me service upfront and hetzner/burstnet asked for documents which in my case is the same.

    Who knows, maybe it is better, i am now paying less for better services.

  • @geekalot said:
    Spirit: I sure hope that statement is accurate. Who can prove or disprove it??

    Why would they lie? That would be a crime.

  • geekalot Member
    edited June 2013

    @William, I am not saying that they are lying.

    I am just saying that there is no way to independently confirm the extent of the breach. And, the way breaches sometimes play out is that, after further investigation, eventually a "discovery" is made that refutes earlier statements, or confirms worst fears.

    My point is that this practice (storing personal documents) increases their risk profile instead of reducing it.

    I have no more information than the next person about this incident, I just hope that the statement is accurate that they did not suffer a breach of their Customers' private documents.

    Another key reason for me that I will not deal with any provider requiring this ... no matter how important or cheap whatever it is that they are peddling.

  • Hetzner does not even know themself how deep it is currently...

  • Lee Veteran

    @geekalot said:

    Another key reason for me that I will not deal with any provider requiring this ... no matter how important or cheap whatever it is that they are peddling.

    Many providers only ask for ID depending on where you sit on their risk assessment, I never needed to provide ID with Hetzner. There are plenty others too where people complain about needing to provide ID but again they never asked me.

    So something does not add up if you are being asked for it. Your choice of course to provide it or not.

  • Your choice of course to provide it or not.

    @W1V_Lee, correct me if I am wrong, but I thought that some of the providers requesting this type of documentation ask for it after you place an order; forcing you to cancel and hope that they will let you cancel without a fuss?

    Just curious

  • Lee Veteran

    @geekalot - Not sure to be honest, as I don't usually get asked. But of course they would ask after you order; they can't really ask for it before, can they?

    However, I think what you are getting at is that they take payment and then ask for the ID. Don't really think there is a way around that though.

  • DomainBop Member
    edited June 2013

    However, I think what you are getting at is that they take payment and then ask for the ID. Don't really think there is a way around that though.

    OVH.ie is an exception to that. When US buyers place their first order through the .ie site they are required to provide ID verification before OVH takes any credit card information. After the info is verified (which can take a few days sometimes) buyers are given a link to a payment page where they can enter their credit card info and pay for the order.

    I never needed to provide ID with Hetzner.

    If you're in the UK, then no ID verification is needed. Hetzner only requires ID of non-EU residents on their first order so they can verify that the customer is exempt from VAT.

  • Maounique Host Rep, Veteran

    @DomainBop said:
    If you're in the UK, then no ID verification is needed. Hetzner only requires ID of non-EU residents on their first order so they can verify that the customer is exempt from VAT.

    I am not sure about that, Romania is in EU, they still asked me.
    Also Uncle himself had problems with OVH.

  • Lee Veteran

    Yeah, I don't buy that either, I know quite a few people in the UK/EU who have been asked for ID from Hetzner.

  • I had a Hetzner server a while back and was required to provide ID as well (UK)

  • We need ID as well if account data does not match up or tax fraud is possible (non-EU address -> EU IP/PayPal/CC).

    This is mainly for our own protection ("supporting tax fraud", you can't really deliver proof that you ARE NOT supporting tax fraud..), hell, ID doesn't even protect from chargebacks and PayPal in reality (if a good fake or a real one is sent in)..

  • sob Member

    Probably by one of their own customers. The shit hosters OVH & Hetzner and a few others seem to host half of the criminals who attempt to harm others' businesses

  • jar Patron Provider, Top Host, Veteran

    @sob said:
    Probably by one of their own customers. The shit hosters OVH & Hetzner and a few others seem to host half of the criminals who attempt to harm others' businesses

    Sounds like someone is upset that they didn't secure their own server. Worry about your own backyard.

  • What's up with all the necros today?

  • deank Member, Troll
    edited June 2019

    Necroing a 6-year-old thread deserves capital punishment.

    Ban the girl.

  • Bochi Member

    Hey guys ( @sob @jar ), I hope you saw that this dates back to June 2013! ;)

  • hzr Member

    This thread is 6 years old.
