Thousands affected in billing cloud breach

Thousands of passwords and credit card details have been exposed online after social engineers breached popular hosting billing platform WHMCS.

Attackers obtained the data after masquerading as the platform's lead developer, Matt Pugh. During contact with the company, they managed to con the company's hosting provider to release administrator credentials.

Pugh's details were then used to access WHMCS' database and steal hashed customer credit card numbers and passwords, usernames and support tickets.

That data along with the WHMCS control panel and web site information was dumped online in a 1.7 gigabyte cache. Links to the cache and other, smaller files were tweeted under the WHMCS Twitter account, which the attackers also hijacked.

Almost a day's worth of data was erased from the compromised servers, including "any tickets or replies submitted within the previous 17 hours".

Pugh wrote on the company's blog that the attackers, from the group UGNazi, had provided correct answers to identity verification questions.

"The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions, and thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details," he said.

"This means that there was no actual hacking of our server. They were ultimately given the access details.

"We are immediately reviewing all of our hosting arrangements, and will be migrating to a new setup at the earliest opportunity."

The successful social engineering attack could mean Pugh may have reused passwords or had sensitive information accessible online.

UGNazi did not reply at the time of writing to confirm where the information was gathered.

The fallout of the attack would have implications for many Australian businesses, particularly SMBs who were attracted by the British billing provider's cut rate offering.

Troves of information from Australian hosting companies were displayed during a cursory scan of the breach databases by iTnews' sister publication SC.

The stolen tickets are also likely to contain sensitive information like credit card numbers, a mistake RackCentral managing director Shaun McGuane says customers often commit.

"We get people sending us sensitive stuff through tickets all the time and we have to keep telling them to stop," he told SC.

McGuane took a swipe at WHMCS' response to the breach because he said it had not yet emailed affected customers to warn them to change passwords and cancel credit cards.

"I only found out about it last night after a friend happened to check their blog," McGuane said.

"It is really dissappointing".

McGuane recommended affected customers change passwords both for the WHMCS and on their systems.

He said customers should also check to see if their credit card numbers were held by the company, and if so, cancel them.

"Sure they say they're encrypted, but that doesn't mean that they won't be cracked."

Copyright © SC Magazine, Australia