Deleting WHMCS accounts at providers you no longer use

rm_ IPv6 Advocate, Veteran
edited October 2013 in General

Sooo, with all those vulnerabilities going around, I decided that I don't see any reason to leave all my personal details in the WHMCS databases of providers with whom I no longer have any services and don't really plan to use in the future.

Went around some providers and found out the following:

  • There is of course no button to click to "Delete my account";
  • Some do allow editing of all personal details, so I could change name/surname/address all to "none" or the like, and save changes. However I wonder if previous values are also kept in the DB, and could the provider reverse my changes if they wanted (does anyone know this for sure?);
  • Some don't allow any editing, not even of the E-Mail address.

And here's the best part: Ticketed one provider who is established and well known around here, asking to delete my account. "Sure, done, no problem!" However with me still being logged in in the browser, I found out that all they did was to edit my E-Mail, adding "DELETED" to the end. Without removing all of my other details such as name, address, E-Mail, phone, postal index, country etc. Everything still there, up for grabs for any script kiddie to exploit their WHMCS, the only difference being that now I'm just locked out of my account and supposed to think it "no longer exists".

So the lesson to learn here is to never provide your real personal details to every summerhost of the week to begin with. Probably can't fake the name and country (else PayPal and MaxMind will be unhappy) but everything else can and should be completely made up.

What's put out there, can never be deleted for certain.

Comments

  • shovenose Member, Host Rep

    So you're saying to commit fraud for every hosting/VPS/dedi/cloudVM you buy. Wow, why didn't we think of this earlier??

    Thanked by 1: Nick_A
  • There is this problem with deleting - the user id (a number) is referenced by invoices, past products, etc. Providers are required by local laws to keep accounting information (invoices) for some years, and to keep information that is necessary to answer the question of "who used IP address x.x.x.x at time Y in the past". So deleting this information is usually out of the question, for local law reasons.

    That being said we don't allow any user that had any services with us and did any payment to be deleted. We can only delete users that registered but never had services or did a payment.

    We do allow the users to change their details in the future, if they choose to. However we still have ways to get the previous information, because every such details change generates an email message, and the email messages are logged and stored (on a different server).

    Thanked by 1: William
  • AnthonySmith Member, Patron Provider

    Yes we can change your name etc back as upon you editing anything it generates an email notification, deleting all traces of you simply is not practical due to linked invoicing etc however it is not unreasonable for you to request any identifying information to be altered e.g. phone, email, name, address, as that at least leaves an accounting record.

    The only time I do not grant a removal is when an account has been abandoned and closed with an unpaid balance.

  • For tax / legal reasons as others have said, this can't be deleted. How does a provider show earnings otherwise if a full audit does happen? Sure there are invoices, but they need to be matched up.

  • I'm sure that the provider should have weekly / daily / bi-weekly backups which backup all this information, or have it linked to professional software which does all the auditing for you.

    For UK Companies I personally pull the DPA Card, for instances where data is not secure, it breaks a rule, however it is argued against since it's still 'in time for use'.

  • AnthonySmith Member, Patron Provider

    Yep fair point, with 4 daily backups I could always put your data back in at any point, so the bottom line being, if you're going to enter your details into a system it is going to be hard to remove all sources.

  • rm_ IPv6 Advocate, Veteran
    edited October 2013

    Guess what I want is something like this:

    EU bill gives web users 'right to be forgotten' by enabling them to force firms such as Facebook or Amazon to take their personal information off the internet or to delete it from their internal servers unless they can give a compelling reason to say No. It also gives users the right to take their data away from one company and give it to another.

    And no, "I like to know all those people who used my service ten years ago" is not a "compelling reason". All the "legal stuff" and "tax reasons" are not a justification to keep it forever. There are specific periods stated in those laws, for which you are required to keep that information. AFAIK most legal/tax bookkeeping requirements are never longer than 3-5 years tops.

    So until something similar to that bill is enacted into law, giving as much fake details as you can get away with is the only way to go, really.

  • Speaking for myself, someone who knows my full name could easily get my address and phone number from a Google search and whois of any of my domains. So, if someone bothers to hack a provider's whmcs and found out the same information, I couldn't care less.

    Now if whmcs were storing my credit card info or my PayPal password, I'd be concerned. Otherwise, no.

  • Now if whmcs were storing my credit card info

    Some providers like ChicagoVPS do store credit card info in WHMCS and there is no way to completely remove the credit card info from the customer side (the only option is to update the credit card info, or to have your credit card company cancel the card when you cancel your services as I did).

    When the provider is storing your personal info and credit card info online and has been hacked 3 times in the past year and fails to follow the exact database breach notification procedures that are spelled out by various state laws, and by Visa/Mastercard regulations this is a problem both for the customer, and for the provider who didn't follow proper procedures (especially the parts about filling out the required paperwork with the state AG and notifying their merchant bank and Visa/Mastercard of the breach of their billing database). It's a problem for the provider because the fines they can get hit with for failing to follow the letter of the law are very large.

  • AnthonySmith Member, Patron Provider

    @rm_ yep makes sense, obviously tax and accounting is a justifiable reason (actually I believe for 7 years in the UK) however if you asked me for example I would simply replace all of your details with a reference number and print a hard copy of your records for local storage only, so it is not impossible for a registered company to simply work with you in order to comply with your request.

  • Maounique Host Rep, Veteran
    edited October 2013

    As someone who uses fake data since the nineties and even seen people faking IDs because porn "actors" were not keen to give their real identity to prove the age, I agree that hacking can be an issue, however my main problem is with unscrupulous providers that could actually be using it to steal money or impersonate me or both.
    I have a debit card linked to PayPal, I only put money there as needed, I have internet banking and can do it at any time and it is free, that will shield me from stealing money, but for identity theft, not really.
    When I hear I need to provide photos and documents to "prove" something, I also dismiss the provider as idiotic, not thinking that this actually keeps the legit people away and is not hindering criminals, those have already everything prepared and nobody will be able to check the data as you can't just phone police in their area and ask hey is this guy with this ID in your register? And even so, it could be stolen (as the majority are) and it will match.

    However, deleting the data is not really possible due to taxation. Sure, no need to keep it forever, you can also convert it into paper or make sure it is restorable from back-ups, I would really like a feature of WHMCS where you can vacuum the db and remove any accounts that are inactive and replace them with a date and a number, but that is not there yet. Asking your regular LEB provider to keep papers or manually delete and back-up is not going to win you any sympathy, after all, paperwork in this day and age?
    The compelling reason to say no is that in this case money was involved and it has nothing to do with Facebook data which should no longer be public or the mined data that could be kept and sold, this is a different situation, you can't go to the bank and demand your data to be erased nor to your ISP or credit bureau and that is more closely related to the situation at hand than to the Facebook situation. I could say I had 20k customers each forking 100 quid every month so I can wash 2 million a month.

  • I'd never use my CC with any of these providers TBH. PayPal is good for me.

    RE Your details... keep your email address unique per account you sign up with. Use a PO Box for your physical address if you like.

    For me, I don't really care. An 'unscrupulous' provider or security-lax provider may leak my email address and a hashed password which in turn has the potential to get access to more valuable accounts, but this applies to every online account out there.

  • What @rds100 said.

    We have to store invoices (in paper even) for a long time and keep customer data for tax stuff, no removal possible once paid invoices (also if refunded) exist.
