Thousands affected in billing cloud breach

Powered by SC Magazine
 

Usernames, passwords and credit cards stolen.

Thousands of passwords and credit card details have been exposed online after social engineers breached popular hosting billing platform WHMCS.

Attackers obtained the data after masquerading as the platform's lead developer, Matt Pugh. Attackers managed to con the company's hosting provider to release administrator credentials.

Pugh's details were then used to access WHMCS' database and steal hashed customer credit card numbers and passwords, usernames and support tickets.

That data along with the WHMCS control panel and web site information was dumped online in a 1.7 gigabyte cache. Links to the cache and other, smaller files were tweeted under the WHMCS Twitter account, which the attackers also hijacked.

Almost a day's worth of data was erased from the compromised servers, including "any tickets or replies submitted within the previous 17 hours".

Pugh wrote on the company's blog that the attackers, from the group UGNazi, had provided correct answers to identity verification questions.

"The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions, and thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details," he said.

"This means that there was no actual hacking of our server. They were ultimately given the access details.

"We are immediately reviewing all of our hosting arrangements, and will be migrating to a new setup at the earliest opportunity."

The website was offline shortly after the time of writing.

The successful social engineering attack could mean Pugh may have reused passwords or had sensitive information accessible online.

UGNazi did not reply at the time of writing to confirm where the information was gathered.

The fallout of the attack would have implications for many Australian businesses, particularly SMBs who were attracted by the British billing provider's cut rate offering.

Troves of information from Australian hosting companies were displayed during a cursory scan of the breach databases by SC.

The stolen tickets may also contain sensitive information like credit card numbers, a mistake RackCentral managing director Shaun McGuane says customers often commit.

"We get people sending us sensitive stuff through tickets all the time and we have to keep telling them to stop," he told SC.

McGuane took a swipe at WHMCS' response to the breach because he said it had not yet emailed affected customers to warn them to change passwords and cancel credit cards.

"I only found out about it last night after a friend happened to check their blog," McGuane said.

"It is really dissappointing".

McGuane recommended affected customers change passwords both for the WHMCS and on their systems.

He said customers should also check to see if their credit card numbers were held by the company, and if so, cancel them.

"Sure they say they're encrypted, but that doesn't mean that they won't be cracked."

Copyright © SC Magazine, Australia


Thousands affected in billing cloud breach
 
 
 
Top Stories
Westpac committed to core banking plan
[Blog post] Now with leadership.
 
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1135

Vote