Possible Data Leak - HostDoc

Just received this email from Doc

Over the last few months, our client area has been experiencing odd caching issues which proved to be a problem to pinpoint.

Numerous fixes have been implemented with the assistance of WHMCS staff, however, none seemed to persist.
These fixes were not merely a cache flush and call it a day.

Upon an extended debug, it was found that the culprit for our sessions corruption and data leak was a tawk.to module.

Tawk.to was not only loaded as a module in our WHMCS installation, but was further added as code to the footer.tpl file when a new template was implemented.
This created two tawk.to profiles attempting to load on the installation simultaneously. It may have been noticed if you ever visited our client area and got a green chat icon rather than a blue one.
The module, which served the green chat box, was the cause of the caching and session corruptions and has now been permanently removed from the client area.

I would like to use this opportunity to notify all clients that access to their account or VPS was impossible.
Upon replication, data found to be leaked were:

  • Services rendered
  • Ticket status and heading
  • email address
  • Name and address

No alteration to account details would have been possible. There has been no breach to our servers nor are client accounts accessible.
It was also observed that the leak only took place under 2 conditions while the module tried to load:

  • Client was still logged in
  • Client did not log out

Till this day, not one of our clients have received spam as a consequence of signing up with HostDoc. We do not sell client details or disclose them to third parties.

It is unfortunate that this issue was so problematic pinpointing and addressing. I would like to thank clients who have been patient with us while we have tried to locate and rectify the root cause and apologise for any data that may have got out.
HostDoc is far from a scam operation and has jumped through hurdles to prove this over the last few years. One thing you can be sure of is that despite the time a resolution has taken to be found, security has always and will continue to remain one of our top priorities.
A further statement will be released in a few months once we have been able to monitor the client area adequately and be sure there are no further instances of this occurring.

As of now, we cannot replicate the data leak.
There has been a dramatic increase in traffic to our client area over the last few days with no sign of the issue reoccurring despite deliberate attempts to recreate.

Once again, please accept our sincerest apology for any and all data leaked during this time. It is not what you (our clients) would expect and it is far from the level of service we aim to deliver.

Kind regards
HostDoc Hosting Team.


Comments

  • AlwaysSkint Member
    edited January 2020

    WebGuru said: email address
    Name and address

    Crucial information.

    WebGuru said: Till this day, not one of our clients have received spam as a consequence of signing up with HostDoc.

    Proof?

    Thanked by 1dahartigan
  • LES Member

    These guys have deleted my account for no reason... so I'm happy. My guess that they are a terrible provider has been confirmed.

  • HostMedia Member, Patron Provider

    Names and addresses are more than enough to breach GDPR - good they emailed their customers but I don't think this line is very good: "Till this day, not one of our clients have received spam as a consequence of signing up with HostDoc." Presuming isn't a good idea when it comes to people's personal data - it isn't just spam, someone can use those details to start fraudulent activities.

    Fingers crossed it was a minor issue and no data was leaked.

  • Rhys Member, Host Rep
    edited January 2020

    HostMedia said: it isn't just spam, someone can use those details to start fraudulent activities.

    Deeply concerning how downplayed this is in the email.

    @HostDoc have you reported this to the ICO as a data breach? There's no mention of it in the email sent.

    Thanked by 2dahartigan limited
  • AlwaysSkint Member
    edited January 2020

    HostMedia said: Names and addresses are more than enough to breach GDPR

    This. Trying to brush it under the carpet isn't an option and hasn't been given the seriousness that it deserves.

    In this digital world, I try to sign up with only partial address details - not false information, just incomplete (though the postie knows where to find me). It's only the more draconian providers that get 'shirty' over this.

    Thanked by 1dahartigan
  • Might want to pop over to the other site to see accusations of "motivations" for de-listing HostDoc because of this. Surely my "motivations" will bear any fruit if he ran a proper ship.

    Anyway, don't believe my "motivations". See all the forum posts for yourselves.

    I hope he properly deletes customer data. If he doesn't, you are not safe even with termination.

    Thanked by 2dahartigan HostMedia
  • @WebGuru said:
    Tawk.to was not only loaded as a module in our WHMCS installation, but was further added as code to the footer.tpl file when a new template was implemented.

    How/why?

    This created two tawk.to profiles attempting to load on the installation simultaneously. It may have been noticed if you ever visited our client area and got a green chat icon rather than a blue one.
    The module, which served the green chat box, was the cause of the caching and session corruptions and has now been permanently removed from the client area.

    So two instances of tawk was the culprit?

    I would like to use this opportunity to notify all clients that access to their account or VPS was impossible.

    What a relief...

    Upon replication, data found to be leaked were:

    • Services rendered
    • Ticket status and heading
    • email address
    • Name and address

    WTF that's worse than access to my VPS!

    Till this day, not one of our clients have received spam as a consequence of signing up with HostDoc.

    You say that with confidence, but do you actually know that? How?

    We do not sell client details or disclose them to third parties.

    Perhaps not intentionally, but technically it's happening.

    A further statement will be released in a few months once we have been able to monitor the client area adequately and be sure there are no further instances of this occurring.

    That's not really comforting, the intermittent issue is fixed but it's probably going to come back?

  • HostMedia Member, Patron Provider

    @Rhys said: @HostDoc have you reported this to the ICO as a data breach? There's no mention of it in the email sent.

    I would doubt that they have based on the email - if they contacted the ICO they would have been pushing out a lot more details of the breach to customers and they would have (I hope they did this) shut down (or IP locked) their WHMCS instance straight away when the issue was reported/found.

  • RossG Member, Host Rep

    @WebGuru said:
    The module, which served the green chat box, was the cause of the caching

    It sounds strange that the tawk.to module could be causing customer data to be cached.

    https://github.com/tawk/tawk-whmcs/blob/master/modules/addons/tawkto/hooks.php

    The code is all open source and I can’t see anything there which could cause something to be cached or modify a session.

    I hope this hasn’t been used as a “get out of jail” for a more serious issue, but it does seem like a bit of a stretch to blame this all on tawk.

  • RossG said: The code is all open source and I can’t see anything there which could cause something to be cached or modify a session.

    You need to consider caching at other levels of the software stack.

    Thanked by 1yoursunny
  • @AlwaysSkint said:

    RossG said: The code is all open source and I can’t see anything there which could cause something to be cached or modify a session.

    You need to consider caching at other levels of the software stack.

    Yes, but I think what he is saying is that he doesn't believe HostDoc identified the problem correctly.

  • MikePT Moderator, Patron Provider, Veteran

    @RossG said:

    @WebGuru said:
    The module, which served the green chat box, was the cause of the caching

    It sounds strange that the tawk.to module could be causing customer data to be cached.

    https://github.com/tawk/tawk-whmcs/blob/master/modules/addons/tawkto/hooks.php

    The code is all open source and I can’t see anything there which could cause something to be cached or modify a session.

    I hope this hasn’t been used as a “get out of jail” for a more serious issue, but it does seem like a bit of a stretch to blame this all on tawk.

    I second this.
    I just don't see how it'd be possible to happen.

  • DP Administrator, The Domain Guy

    @dahartigan said:

    Upon replication, data found to be leaked were:

    • Services rendered
    • Ticket status and heading
    • email address
    • Name and address

    WTF that's worse than access to my VPS!

    That's true, if considering that the VPS is just a member of the Idle Family.

  • DP Administrator, The Domain Guy

    @MikePT said:

    @RossG said:

    @WebGuru said:
    The module, which served the green chat box, was the cause of the caching

    It sounds strange that the tawk.to module could be causing customer data to be cached.

    https://github.com/tawk/tawk-whmcs/blob/master/modules/addons/tawkto/hooks.php

    The code is all open source and I can’t see anything there which could cause something to be cached or modify a session.

    I hope this hasn’t been used as a “get out of jail” for a more serious issue, but it does seem like a bit of a stretch to blame this all on tawk.

    I second this.
    I just don't see how it'd be possible to happen.

    Also, technically, in most cases (not all), knowing the cause should somewhat make it possible to replicate the issue, but in this case it seems like replicating was not possible?

    Thanked by 2MikePT yoursunny
  • @RossG said:

    @WebGuru said:
    The module, which served the green chat box, was the cause of the caching

    It sounds strange that the tawk.to module could be causing customer data to be cached.

    https://github.com/tawk/tawk-whmcs/blob/master/modules/addons/tawkto/hooks.php

    The code is all open source and I can’t see anything there which could cause something to be cached or modify a session.

    I hope this hasn’t been used as a “get out of jail” for a more serious issue, but it does seem like a bit of a stretch to blame this all on tawk.

    No, it is not.
    I am not blaming it on tawk.to. It was our configuration of tawk.to that caused it but the module was caching the data.

    The module itself had one profile which loaded a green chat bar. The footer.tpl had the code of another profile which loaded a blue chat bar.

    @Rhys said:

    HostMedia said: it isn't just spam, someone can use those details to start fraudulent activities.

    Deeply concerning how downplayed this is in the email.

    @HostDoc have you reported this to the ICO as a data breach? There's no mention of it in the email sent.

    No, not yet.
    As is evident, the cause was not immediately known. As much as it seems the root cause has now been identified, I am still worried and would like to monitor a while longer before details are submitted.


    The client area has been taken down numerous times for us to carry out work regarding this matter. It was never just left operational while knowing it was leaking.

    As much as many might not like the brand or my responses to threads/toxic comments/tickets, one thing I have always strived to provide is a decent service at the price point.

  • Rhys Member, Host Rep
    edited January 2020

    @HostDoc said:

    No, not yet.
    As is evident, the cause was not immediately known. As much as it seems the root cause has now been identified, I am still worried and would like to monitor a while longer before details are submitted.


    The client area has been taken down numerous times for us to carry out work regarding this matter. It was never just left operational while knowing it was leaking.

    As much as many might not like the brand or my responses to threads/toxic comments/tickets, one thing I have always strived to provide is a decent service at the price point.

    So you've known about it for quite some time, and also known that data was leaking during that time yet have failed to report it within the required time defined by the GDPR?

    "At a glance
    The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible."

    Source: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

  • WebGuru said: Over the last few months, our client area has been experiencing odd caching issues which proved to be a problem to pinpoint.

    I cannot understand why it should be so difficult to find the cause. The logical approach would be to reproduce the problem with the default theme ("systpl=six") and if the problem is still replicable, disable the hooks and modules one by one until the problem is gone.

    This is quite easy in WHMCS, because you just have to remove the custom folders and files.

    It would even be possible to set up a stock WHMCS instance with the existing database to rule out a server / module problem.

    I think HostDoc has either not been interested in this issue, or it is run by amateurs.

    I could be wrong, but isn't HostDoc the one that sent a mass mail to customers in a tantrum about the closure of a location because the datacenter wants to charge money for an IP change?

    Thanked by 1dahartigan
  • Maybe the EU has "motivations" for requiring reporting of data breaches within 72 hours.

    Thanked by 1dahartigan
  • @Rhys said:
    So you've known about it for quite some time, and also known that data was leaking during that time yet have failed to report it within the required time defined by the GDPR?

    "At a glance
    The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible."

    Source: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

    It took us some time to replicate it. At the time we did, we only saw services rendered leaked.

    It has not yet been feasible to submit a breach notice to ICO as we are still gathering data regarding the breach so the report is complete.

    @Tr33n said:

    WebGuru said: Over the last few months, our client area has been experiencing odd caching issues which proved to be a problem to pinpoint.

    I cannot understand why it should be so difficult to find the cause. The logical approach would be to reproduce the problem with the default theme ("systpl=six") and if the problem is still replicable, disable the hooks and modules one by one until the problem is gone.

    This is quite easy in WHMCS, because you just have to remove the custom folders and files.

    It would even be possible to set up a stock WHMCS instance with the existing database to rule out a server / module problem.

    I think HostDoc has either not been interested in this issue, or it is run by amateurs.

    I could be wrong, but isn't HostDoc the one that sent a mass mail to customers in a tantrum about the closure of a location because the datacenter wants to charge money for an IP change?

    Once again, initially, it was almost impossible to reproduce.
    WHMCS was involved and carried out their work and handed back the installation after making changes they thought might have been the issue.
    I had no reason to doubt their judgement and admittedly did not cross check.
    It was later found that the actual cause was a module which has since been disabled.

  • poisson Member
    edited January 2020

    @dahartigan do you have screenshots of names and addresses? Or just services as claimed? If you do, how long ago was it?

    Thanked by 1dahartigan
  • RossG Member, Host Rep

    @HostDoc said:
    No, not yet.
    As is evident, the cause was not immediately known. As much as it seems the root cause has now been identified, I am still worried and would like to monitor a while longer before details are submitted.

    If you knew client names, addresses and emails were being exposed, you should have reported that to the ICO as soon as you found out, regardless of whether the cause was known or not.

  • HostDoc said: .. one thing I have always strived to provide is a decent service at the price point.

    I think we can all agree with this point.
    Focus ;-)

  • ok the client area is taken down for an undisclosed amount of time https://clientsarea.hostdoc.co.uk/clientarea.php

    Down for Maintenance (Err 3)
    Panel down for an undisclosed amount of time.
    For support requests, please use live chat.

    To be honest I was always impressed with their 24/7 live chat; whenever I visited their site someone was live to assist, but it looks like in the end that live chat module proved to be the culprit here!

    Looks like Live Chat is also taken down https://hostdoc.co.uk/

  • They are reinstalling WHMCS and going back to basic setup, I believe, without these modules

    It has been decided to take the advice of a few individuals and be sure the issue is totally eradicated by reinstalling our client area and migrating the database over.

    As such, the client area will be down until such a time to set up a VPS and installation is found.
    All services will remain operational and should assistance be required, please use the live chat on any of our "many" sites.

    If an invoice is due, there will be no sanctions for late payment.

    Kind regards.
    HostDoc Hosting Team

  • hzr Member
    edited January 2020

    HostDoc said: As much as many might not like the brand or my responses to threads/toxic comments/tickets, one thing I have always strived to provide is a decent service at the price point.

    While I do like your promotions and past threads, the way you responded seems rather irrationally legally risky on LES, considering they are trying to warn you in good faith of GDPR, data protection, CCPA, etc. violations instead of repeatedly reloading to siphon off as much data as possible.

    Sure, while it might not be a "hack" breach, I believe your time would have been better off spent trying to do root cause analysis of such a massive, critical issue - if it happens even once, extremely concerning and not "just a bug" - instead of yelling at people.

    I can assure you that I don't think hostdoc is a "scam operation" or anything, but the handling of this multiple-occurrence incident is not what I'd consider handled well.

  • Lee Veteran

    If data has been leaked and from your website, you are ICO registered then I would be more concerned at your delay in reporting this.

    Service providers (eg telecoms providers or internet service providers) have certain obligations if a personal data breach occurs. These are set out in regulation 5A.

    A personal data breach may mean that someone other than the data controller gets unauthorised access to personal data.

    If you are a service provider, you must:
    notify the ICO;
    consider whether to notify your customers; and
    record details in your own breach log.

    You must notify the ICO within 24 hours of becoming aware of the essential facts of the breach.

    Yet you seem to have been aware of this for quite some time? You suggest that is because the reason for the breach was unknown, that is not how it works.

    Thanked by 1uptime
  • @poisson said:
    @dahartigan do you have screenshots of names and addresses? Or just services as claimed? If you do, how long ago was it?

    I do, and just under a week ago.

  • deank Member, Troll

    tl;tr

    The end is nigh.

  • Just for completeness, @dahartigan, did you come across or were made aware of the issue, whilst working/collaborating with HostDoc?

  • @AlwaysSkint said:
    Just for completeness, @dahartigan, did you come across or were made aware of the issue, whilst working/collaborating with HostDoc?

    I did, the first time I saw it I told Chike and he assured me it was fixed. I have since then seen multiple people report the issue over time, mostly unresolved, but gets "fixed" temporarily.

    My access was a tawk.to login, tickets in whmcs and create/edit in virtualizor.

    Thanked by 1AlwaysSkint
This discussion has been closed.