WHMCS.com hacked

Sure, but the blog was not updated enough, and I would not trust the blog at that time; it was also DDoSed. Also the WHMCS Twitter account was taken over. Anyway, I only posted this so that DA users that are customers at WHMCS should know about it, so that they can cancel their credit cards. If you don't feel like reading the 55 pages in the forum thread at Webhostingtalk, then The Register sums it up nicely: http://www.theregister.co.uk/2012/05/22/whmcs_breach/
 
It seems WHMCS Limited has sent emails to their customers:

Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.

To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.

As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.
Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.

This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.
 
I don't know why, but I never receive any "mass mail" from WHMCS, so also this time, I have not received anything on email from them. Anyway, now also the server hosting the forum (used vb), blog and documentation is hacked, and it's taken down.
 
I would not know what they will do in the future. However, I saw it with my own eyes that forum.whmcs.com was hacked, so that is the reason for the downtime. It was running vB. So in the last days, they have had the main server running whmcs.com and everything hacked and wiped, then all content on the server was made available for download on Twitter, then they have in the following days been DDoSed several times, and the last thing is that now forum.whmcs.com was hacked.

Edit: I now see that whmcs.com is also down. So they might have taken everything offline to protect themselves, or more likely they are being DDoSed again. No doubt the security on WHMCS servers was really bad, and they are using "managed" servers from Hostgator, so of course it is not secure.
 
Seems to be running now. In one of those posts you probably didn't read (out of about a million or so), they did say they were working towards other hosting solutions. Their forum site pops up an .htaccess password and says:
A username and password are being requested by http://forum.whmcs.com. The site says: "Upgrade in Progress. Please check back soon..."
I'm guessing that's just to keep people out while letting their staff in; I didn't try my forum login password. I'm guessing they're updating the forum software.

We spent time the last two days considering moving off WHMCS but so far we're inclined to stay. However I did cancel a credit card to get it reissued, and change passwords used on their servers and on my servers.

Jeff
 
I also needed to cancel one of my credit cards, the one that belongs to my business. Now I have to wait for a week for a new one. I just hope the credit in my eNom account will not run empty before I have my new credit card back. I am also considering moving, however I don't see any better alternatives at the moment. I have also spent a large amount of money on external PHP developers to develop custom WHMCS modules for me, and all that money/investment is lost if I move. I don't like the situation. I will wait and see what happens, and think more about it.
 
You make some interesting points. I'm suggesting changing IP#s for whmcs if possible, and also switch to QuantumVault if possible. I write if possible because some of us may be under contract to our current merchant account provider, who may not have an agreement with QuantumVault.

I'm surprised a bit that there are so few posters on this thread; perhaps most of us who post here either don't use WHMCS; I sure hope it's not a case where we just don't worry about the implications.

Jeff
 
Not a user myself, but I've followed the matter with interest. Many people indeed use WHMCS.

Fascinating might not be the correct term, but I think it's quite something that they managed to use social engineering at HG to gain access. It's a very old trick. I haven't seen any details on how exactly it happened, but HG might need to tighten up their security. If they for example use security questions to give access to a lost account, they should abandon that system. Or perhaps they did a check on general info like address and birth dates; info like that is often public. They should use phone or even old-fashioned paper mail if access is being given through a new channel.

WHMCS on their part took little responsibility in many ways. Apparently complete access to their setup can be gained through a password reset. And then there's of course the CC info. From a company with that many customers and cash flow you could've expected more. Too bad it takes a complete dump of the customer db to make them.
 
Sad thing is WHMCS themselves already use CDGcommerce as their merchant provider, so why they were not using it is beyond me... if you don't have the time, the money, the specialized staff to perform full PCI audits monthly, then do yourself a favor and get a service like Quantum Vault.

Am I really missing something? If I click on "Signup Now »" on the page with link http://www.whmcs.com/partners/quantum-gateway/
I go to www.cdgcommerce.com ... I do not know much about Quantum Vault or CDGcommerce either... but isn't the button misleading?
 
Thanks for the clarification, but as it seems to me I cannot use it while it is "MERCHANT APPLICATION FOR U.S.-BASED BUSINESS ONLY".
 
They do, CDGcommerce is their merchant provider... Changing their customers' data over to using the vault is as simple as running the conversion script that is built into the WHMCS billing system already... since they already use them as their provider...

I believe, by my quote above, that they do work with non-US businesses, but you have to contact them to ask about it. Not just an instant online application.
 
Unfortunately I'm tied into a multi-year contract with someone else; I can do the same thing with Authorize.Net CIM (and in fact I'll get it done as I implement using WHMCS), but it'll cost me an extra $20/month for the balance of my contract. Or I'll check to see if it'll be less expensive to just pay the cancellation fee to the provider I'm with now.

Jeff
 
Yeah, we were in your shoes; we switched from authnet about a year ago and have saved a ton of money on fees and chargebacks... Our fraud came to a halt except through PayPal... once we got everything set up with them... Authorize.net didn't provide Verified by Visa and MasterCard SecureCode... which Quantum does for free, no monthly fee, no per-transaction fee...

It's a little harder to get configured than authnet was; not all the AVS, zip code etc. filters make sense. But once you do, it is worth it; we have not had a single chargeback for fraud since doing so.
 
Another thing, I do not know if you noticed, but even while there are quite a few people raising the PCI compliance issue in their forums... they do not respond, and when they make official announcements they have other questions and answers, but they avoid the PCI compliance questions like the plague, always redirecting back to "It was a social engineering attack".

http://forum.whmcs.com/showthread.php?47739-Compromise-Q-amp-A


I understand the need for crowd control / public relations in an event like this, but to avoid the topic altogether and redirect concerns only makes me more concerned. They should address the issue and let people know what their intentions are for solving the problem, to downplay the problem, not continue to avoid it and redirect.
 
@Arieh
[...]
Secondly, a lot of people keep trying to shift the blame onto HostGator... but in all reality HostGator did what they were supposed to do... ask the security questions, ask for the last four of the credit card on file... this is a practice in place even in financial institutions such as banks.

The problem was not them; the problem was that WHMCS did not follow the Visa and MasterCard PCI requirements for a system that was storing cardholder data... if they had followed the requirements then HostGator would have never had the password to give out in the first place.

I can't really agree on this. I'm not a big CC user myself (it isn't that popular in my country), but I don't think I can get access or get a PIN number or anything just by supplying the last four digits. I might be able to answer some questions to block my card. To get something new, I first get a notice through mail, then I need to show up at a local office with that notice + ID.

Now a hosting company isn't a bank, so you don't have to show up somewhere, but I still think only confirmed channels should be used; registered phone/sms/physical or e-mail.

I do agree that WHMCS has been trying to lay off responsibility and that they're playing to be only a victim, but I do think HG could also do something.

I'm not sure if I follow you on the PCI requirements, couldn't they also just have used an outsourced provider, so they don't keep the numbers themselves? Then they would've been hacked anyway. The goal of this hack wasn't the CC info I think.
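The point raised in the last two posts, that an outsourced vault means a dump of the billing database yields no card numbers, is easier to see in code. The following is an added example and is not code from WHMCS, CDGcommerce or any real vault; `TokenVault` is a hypothetical stand-in for an outsourced provider, the column names are illustrative, and the card number is the well-known `4111...` Visa test number, not a real card. `exposed_pans` plays the role of an attacker (or a PCI scanner) running a Luhn-validated digit-run search over the leaked rows.

```python
import re
import secrets
import string

# Constructed sample PAN: the standard Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; card-number scanners use it to separate PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical outsourced vault. The PAN-to-token mapping lives here,
    outside the merchant's database, and the PAN never travels back."""
    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        # Opaque reference; letters only so it can never look like a PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._store[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        # The merchant charges by token; only the vault resolves it to a card.
        return token in self._store and amount_cents > 0

def store_raw(pan: str, expiry: str) -> dict:
    """Pre-vault layout: the PAN itself sits in the billing row."""
    return {"cardnum": pan, "expdate": expiry}

def store_tokenized(vault: TokenVault, pan: str, expiry: str) -> dict:
    """Vault layout: only the token and the display fragment (last four) are kept."""
    return {"gatewayid": vault.tokenize(pan), "last4": pan[-4:], "expdate": expiry}

CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def exposed_pans(records) -> list:
    """Everything a dump of these rows hands over: each Luhn-valid 13-19 digit run."""
    found = []
    for rec in records:
        for value in rec.values():
            for run in CARD_RE.findall(str(value)):
                if luhn_valid(run):
                    found.append(run)
    return found

if __name__ == "__main__":
    vault = TokenVault()
    raw = store_raw(SAMPLE_PAN, "1214")
    tok = store_tokenized(vault, SAMPLE_PAN, "1214")
    print("raw row leaks:", exposed_pans([raw]))      # the full PAN
    print("token row leaks:", exposed_pans([tok]))    # nothing
    print("charge by token still works:", vault.charge(tok["gatewayid"], 1999))
```

The design point is that the token row is still fully usable for recurring billing (the `charge` call succeeds), while the same database dump that leaked the raw row contains nothing a Luhn scanner, or an attacker, can use. It does not help with the other half of the thread's argument: a password reset that hands over the whole admin panel is a separate problem that tokenization does not touch.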
 