Ethernet Servers The server has been hacked, please change the password

I received an email from Ethernet Servers saying that the server was hacked and they don’t know why. Now everyone is asked to change their passwords.

Change password: https://www.ethernetservers.com/clients/clientarea.php?action=changepw

Original email :

Hello guo,

It comes with much sadness and disappointment that I must announce that we've been the victim of a security breach.

As it stands, our website (ethernetservers.com) and customer portal (ethernetservers.com/clients) are hosted on a server which is completely separate from any other parts of our network. It's in a completely different physical location, with a provider that only hosts our website and no customer servers. This is something we've long believed in to maintain redundancy should a part of our network fail. Over the weekend, an unauthorized individual was able to access the control panel for the provider that hosts our website, from which point they asked for the root password to be reset. We did have various security protocols in-place on the server-level such as a non-standard SSH port, IP restrictions, etc. however, our provider, being the helpful people they are, were persistent in assisting who they thought was myself (George) re-gain access to the server, as they didn't have reason to believe otherwise.

From this point, the attacker logged into the server. It is not known exactly what they did or did not do, as they cleared the log files, however we are assuming the worst, being that they took a backup of our database. This was the only sensitive information on the server, and this backup will contain everything within our billing system, which includes:

• Full name
• Addresses
• Email Addresses
• Phone Numbers
• Support Tickets
• Service details (domains & IP addresses)

We use the latest version of the industry standard billing software, WHMCS, which contains passwords for services (Shared/Reseller Hosting Accounts and VPS Root Passwords) in plain-text within the administrator interface. Passwords used to login at our customer portal (ethernetservers.com/clients) are not stored in plain-text, and are not visible to us, however there is always the possibility that they can be converted to plain text. As such, we urge everyone to adjust any and all passwords. This can be done, here: https://www.ethernetservers.com/clients/clientarea.php?action=changepw

If you are a Shared or Reseller Hosting customer, you will be prompted to set a new password the next time you login to cPanel. The password you set will not be stored on file in our billing system.
If you are a VPS customer, we recommend changing your root password, along with your SolusVM password. Unfortunately it is not possible for us to force resets of these passwords.

No access has been gained to any server other than our main website, and the possibility of an attacker logging into customer services individually from the details on file seems extremely unlikely, and so we do not believe the content under your hosting accounts to be at risk, although a password reset is certainly recommended. If you do not wish to have your service password stored within our billing system, this is possible by making password resets directly, rather than through our customer portal. For example, if you have a shared hosting account, you can change your password via cPanel and then it will not be stored in our billing system. The same applies to VPS customers.

How did the attacker gain access?
The attacker used the account password for our supplier, which was complex, though very regrettably, was used in more than one location online. As such, we are of believe the password may have been compromised elsewhere. Despite our best efforts, we have been unable to determine exactly where this might have been.

What have we done to prevent a further breach?
As soon as we became aware of this issue, we immediately logged into the server, took a full backup of all important content, and made it unavailable to public internet connections. We then setup a new server and restored all of our static website content from a backup taken before the breach, and completely reinstalled our billing system from scratch, with our database, which has been thoroughly checked and declared as clean. Our site and server has been rebuilt from the ground upwards, and we are confident that it is safe to use.

Our previous server security measures have been put into place, as well as new layers of security. We must stress that our server software itself was not compromised, this attack was made possible by a password reset as explained above.

All staff PCs have been completely wiped, and their operating systems have been reinstalled. Whilst we are confident that the attack was not made possible via a compromised PC, every possible step is being taken to rebuild our security.

Passwords and API keys for every service we use have been reset to fully unique, complex values, which are not being stored on computers.

The attack method which was used is no longer possible, even under the very rare chance that the new password was obtained, as we have setup new security protocols.

Are my payment details at risk?
We accept PayPal payments, and Credit/Debit card payments via the Stripe gateway. We do not store credit card information ourselves, and payments are processed via Stripe's API. The old API details we were using have been removed and so even in the hands of an attacker, any attempts to make charges will fail. As such, we do not believe your payment details to be at risk, although if you use the same passwords elsewhere, changing them is advised.

I speak on behalf of all our staff when I say we're extremely sorry for the inconvenience caused. We're disappointed in ourselves that prevention of this attack vendor was so very simple, and have fully learnt from our mistake. I understand there is going to be concern as a result of this, and if you would like to discuss anything with us, please let us know by replying to this email, contacting us on Facebook or Twitter, submitting a support ticket, or reaching out to us on Skype (EthernetServers). To verify the legitimacy of this email, we have also placed a copy on our website: https://www.ethernetservers.com/email.html

Regards,
George,