GreenValueHost forced password reset - Security breach?

MannDude

Just a dude
vpsBoard Founder
Moderator
Hello,

You might have received an email about the client area password reset. We are currently investigating the issue and will update you on what is happening later. Please do not open a support ticket about this issue.

Thank You

GreenValueHost Team

Unsure if anyone here is actually a customer, I know they have an active following on LowEndTalk however. The past few hours people over there have been mentioning their passwords being reset without their doing, looks like GreenValueHost has officially released a statement via email.

If you're a customer I'd say it's probably advisable to make sure anything else in your name that uses the same password you were using is updated and changed. Never ever wise to use the same password in two places.

They've not said what the issue is but if they have forced a password reset then you can only assume it was in response to something. Considering they're "investigating" it and not stating it was a routine security procedure it's probably safe to assume something bad has happened.
 

HH-Josh

New Member
I've also received this email this morning at 0957 AM (GMT). I'm not even a customer with them and never have been so I'm not entirely sure where they've got my email from and why I've received the email.


Be interesting to hear why and how when they finally get round to admitting if "something went wrong".
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
They use Mandrill to send emails BTW.

Curious about never being a customer.  Perhaps some other reason to be in their database?  Ticketing?  Sale lead?

Appears 6 emails were sent to each customer/email address.
 

drmike

100% Tier-1 Gogent
At six different times or all at once?
Hard to say since these would get queued by Mandrill and may blow time gaps away or elongate artificially.

Know I heard someone say they just received one of those PW reset emails in past hour... About 6 hours into this by my estimate.
 

HH-Josh

New Member
They use Mandrill to send emails BTW.


Curious about never being a customer. Perhaps some other reason to be in their database? Ticketing? Sale lead?


Appears 6 emails were sent to each customer/email address.
I've had absolutely no communication with this company. I never have even been as close to a potential client of GVH.


Going to drop them an email and find out why I'm listed in their database.
 

mtwiscool

New Member
Hard to say since these would get queued by Mandrill and may blow time gaps away or elongate artificially.

Know I heard someone say they just received one of those PW reset emails in past hour... About 6 hours into this by my estimate.
I only received one email.
 

WebSearchingPro

VPS Peddler
Verified Provider
It appears that it was accidental, I had my password reset then a second email shortly after saying it's being looked into. I believe the investigation is into the person who reset the passwords.

To be fair though with all the trolling everyone is doing to GVH i.e. people spamming GVH threads and bumping everything that's ever existed on that other forum, it wouldn't surprise me if someone on the inside did it to make things look worse.
 

MartinD

Retired Staff
Verified Provider
You can't accidentally send an email to all customers telling them to reset their password.

You can't accidentally trip up and end up in the arms of a prostitute and claim you were only getting a hug.
 

drmike

100% Tier-1 Gogent
Hard to say what happened, cause they don't know :)

I know from talking with GVH folks overnight, that no one with credentials did anything to generate said emails about passwords.  Obviously, someone over there ought to be preserving all logs and manually going over things looking for the event(s).  Imagine later this morning that will happen.

I won't comment on that other website, beyond saying some other well known folks were tired of incessant GVH threads and went on a GVH thread creation of their own.   Like 80% of LET homepage was GVH threads.

Kossen exercised his powers and ban hammered Oktay and Spencer.   He also gave GVH a soft ban with no offers/coupons/shilling until June 1.

... and probably around that time... this email problem materialized...
 
Last edited by a moderator:
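
The log review suggested in the post above (preserve the logs, then go over them looking for the event), as an added example that is not part of the original thread: a Python sketch that scans an activity log for a burst of password resets across many accounts and lists the admin actions recorded just before it. The log layout, actor names, addresses and sample lines are constructed assumptions, not WHMCS's actual log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the "time | actor | ip | action" layout is hypothetical.
SAMPLE_LOG = """\
2000-01-01T08:12:03 | client:1042 | 198.51.100.7 | Password Reset Requested - User ID: 1042
2000-01-01T09:55:40 | admin:staff2 | 203.0.113.9 | General Settings Modified
2000-01-01T09:55:41 | system | 203.0.113.9 | Password Reset - User ID: 1
2000-01-01T09:55:42 | system | 203.0.113.9 | Password Reset - User ID: 2
2000-01-01T09:55:43 | system | 203.0.113.9 | Password Reset - User ID: 3
2000-01-01T09:55:44 | system | 203.0.113.9 | Password Reset - User ID: 4
2000-01-01T09:55:45 | system | 203.0.113.9 | Password Reset - User ID: 5
2000-01-01T11:30:00 | client:7 | 192.0.2.44 | Login
"""
LINE = re.compile(r"^(\S+) \| (\S+) \| (\S+) \| (.*)$")
RESET = re.compile(r"Password Reset.*User ID: (\d+)")

def parse(log_text):
    """Yield (timestamp, actor, ip, action) for each well-formed line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield (datetime.fromisoformat(m[1]), m[2], m[3], m[4])

def find_reset_bursts(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return bursts where >= min_accounts distinct accounts were reset within window."""
    events = sorted(parse(log_text))
    resets = [(ts, actor, ip, RESET.search(act).group(1))
              for ts, actor, ip, act in events if RESET.search(act)]
    bursts, i = [], 0
    while i < len(resets):
        j = i  # extend j while resets stay inside the window opened at i
        while j + 1 < len(resets) and resets[j + 1][0] - resets[i][0] <= window:
            j += 1
        chunk, start = resets[i:j + 1], resets[i][0]
        accounts = {r[3] for r in chunk}
        if len(accounts) >= min_accounts:
            bursts.append({
                "start": start, "end": chunk[-1][0], "accounts": len(accounts),
                "sources": sorted({(r[1], r[2]) for r in chunk}),
                # Admin actions shortly before the burst are the first leads.
                "admin_actions_before": [
                    (actor, ip, act) for ts, actor, ip, act in events
                    if actor.startswith("admin:") and start - window <= ts <= start],
            })
        i = j + 1 if len(accounts) >= min_accounts else i + 1
    return bursts
```

On the constructed sample, the single client-initiated reset at 08:12 is ignored and the five resets starting at 09:55:41 are reported as one burst, together with the settings change logged one second earlier.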

rds100

New Member
Verified Provider
You can't accidentally send an email to all customers telling them to reset their password.

You can't accidentally trip up and end up in the arms of a prostitute and claim you were only getting a hug.
There is a setting in WHMCS which says how to store the passwords in the database. I imagine if someone accidentally changes this setting, this should result in a mass password reset. I haven't tried this myself though, so not sure. Just a thought.
 

DomainBop

Dormant VPSB Pathogen
I know from talking with GVH folks overnight, that no one with credentials did anything to generate said emails about passwords.

The GVH children are completely lacking in experience and wouldn't know a security breach if it bit them in the ass and they wouldn't know how to  find the cause of the breach after they were hacked. Their latest  "VP" and top systems admin is a kid fresh out of high school last year with an unimpressive resume that screams "intern material" not "Vice President of Operations"   http://www.linkedin.com/pub/kaushal-subedi/40/554/9b6

I'm going to agree with what Alex LiquidHost said on LET:

Well, considering that 99% of the providers here are using WHMCS and this thing has not happened to them, I'd say that this is definitely not a bug in WHMCS. Either you initiated a mass password reset or you did something, which eventually caused a mass password reset. Or yeah, you've been hacked.

edit:

I won't comment on that other website, beyond saying some other well known folks were tired of incessant GVH threads
Little unethical kiddie host Jonny Nguyen also pissed off a lot of people on WHT this week (on multiple  threads) when he basically came out and told his shared/reseller clients to go f*ck themselves because they weren't profitable enough for him to care about any more.


 


I apologize for the inconvenience that you have experienced and I would like to offer an explanation for the issues at hand.

The reason for why you experienced slower support was because shared/reseller tickets and issues are marked as significantly lower priority to us than our VPS and dedicated hosting tickets as shared/reseller hosting services and plans are no longer something that we offer. We found that this was a better approach than to raise pricing on clients as we've figured that most of our clients would be upset with having to pay more than what they've paid. We actually do not make any money off of shared/reseller hosting at all (considering that we have priced our plans SIGNIFICANTLY LOWER than our competitors) and out of the thousands of services that we have, shared/reseller hosting make up less than 5% of our active products/services. The only logical approach that we could take in order to continue supporting a product in which we don't make any money on and that we no longer offer was to lower the support priority. I'm trying to be brutally honest without sugar coating the truth and although we do deeply apologize for the slower support, we had to do what was best for business. We cannot continue to provide priority support service to shared/reseller clients unless we raise our pricing, and unless enough clients contact us asking for prices to be raised in order to increase support priority, raising our shared/reseller prices is not something we are willing to do.


If you are looking for a mission-critical service, an upgrade to a VPS or dedicated server would be your best bet. We've had very minimal complaints regarding our VPS and dedicated hosting services and the vast majority of our VPS and dedicated clients are happy with the service that they are receiving.
and:



As I've said before, we're still motivated to provide a good shared/reseller hosting service, however we have to set shared/reseller tickets/issues as lower priority because it's no longer one of our main focuses and also because it makes up less than 5% of our active services. The other 95% is VPS & dedicated services.

There is only so much you can do and so far you can go for a service you're not making any money from or benefiting from. From a completely honest standpoint, our focus is on our currently active product lines, not shared/reseller hosting. We'll still aim to provide a good shared/reseller service, however there is only so much we can do.


We've restarting the restoration of accounts to the srv5 shared server and it's still in process of running.



http://www.webhostingtalk.com/showthread.php?t=1368594&highlight=greenvaluehost&page=2

http://www.webhostingtalk.com/showthread.php?t=1365900&highlight=greenvaluehost&page=3

http://www.webhostingtalk.com/showthread.php?t=1368923&highlight=greenvaluehost
 

Patrick

INIZ.COM
Verified Provider
There is a setting in WHMCS which says how to store the passwords in the database. I imagine if someone accidentally changes this setting, this should result in a mass password reset. I haven't tried this myself though, so not sure. Just a thought.
Entirely possible, if you disable md5 passwords or whatever that option is it will reset all users. 

Disable MD5 Clients Password  This is not recommended as passwords can be decrypted (Disabling this resets all clients passwords)
Maybe they wanted to see all their clients passwords but didn't work well? 
 
Last edited by a moderator:

Aldryic C'boas

The Pony
This stinks of a 'sysadmin' fucking around in a production environment instead of a proper dev area.  The clients should be thankful it wasn't a Solus fat-finger resulting in their VMs being nuked.

Anyone who has paid them with a credit/debit card should be nigh-terrified, though - any WHMCS-based 'provider' that allows automated payments from your card means that said card number is easily readable by anyone that gets access to the WHMCS install.

Curious about never being a customer.  Perhaps some other reason to be in their database?  Ticketing?  Sale lead?
Interestingly enough, I was bored last summer and did a controlled study on various providers.  Using virgin, aged domains for random (not common-guessable) email addresses, and signed up in various places to see who might be sharing/selling client information.

Based on what I learned then, let's just say that it's entirely possible GVH received a bunch of client contacts from 'a business partner'.  Email accounts used for one company in particular in that group of bozos seemed to get a rather alarming number of solicitations from the others in the same pocket.
 

qps

Active Member
Verified Provider
any WHMCS-based 'provider' that allows automated payments from your card means that said card number is easily readable by anyone that gets access to the WHMCS install.
Many providers use a gateway with a vault system (for instance, we use Quantum Vault, but there are others) so the credit card number never touches WHMCS.  It uses a token to automatically charge the card in the future if the user chooses to leave it on file for automated charging.
 

GelHost

New Member
Verified Provider
The GVH children are completely lacking in experience and wouldn't know a security breach if it bit them in the ass and they wouldn't know how to  find the cause of the breach after they were hacked. Their latest  "VP" and top systems admin is a kid fresh out of high school last year with an unimpressive resume that screams "intern material" not "Vice President of Operations"   http://www.linkedin.com/pub/kaushal-subedi/40/554/9b6

Reading his LinkedIn, it seems that he owns and operates another web hosting company. He's been advertising in WHT a lot so I don't think he has sold that site yet.

https://neximweb.com/
 

GVH-Jon

Banned
No it was not a security breach. Client data is completely safe and has not been leaked. We will have a final statement sent out regarding this issue soon.
 

texteditor

Premium Buffalo-based Hosting
No it was not a security breach. Client data is completely safe and has not been leaked. We will have a final statement sent out regarding this issue soon.
You aren't smart enough to know it isn't a breach, unless you/another GVH-er initiated this yourself, so I'm guessing Ald's assessment is probably spot-on.

This stinks of a 'sysadmin' fucking around in a production environment instead of a proper dev area.  The clients should be thankful it wasn't a Solus fat-finger resulting in their VMs being nuked.

Based on what I learned then, let's just say that it's entirely possible GVH received a bunch of client contacts from 'a business partner'.  Email accounts used for one company in particular in that group of bozos seemed to get a rather alarming number of solicitations from the others in the same pocket.
 