Greenvaluehost hacked, customer details exposed to public including customer photo IDs

[drmike]

Doing this purely as a public service announcement so anyone who has bought from Greenvaluehost (GVH) prior is aware.

This is taken from Lowendtalk by @kcaj: http://lowendtalk.com/discussion/39469/let-pm-spam-from-gvh/p3

It seemed that whilst moving their WHMCS installation about a ~560MB .tar.gz file was left on it's own in the root index folder of the client area subdomain.

That file contained around ~2600 ticket attachments including scanned ID. I'll stress that this was only the web files and not the database.

The hack / exposure happened in the past few days.

I haven't seen the file dumped to say what is and isn't in there.

Beware if you are a Greenvaluehost customer.

 

[MannDude]

Yeah, this has been known (sort of) for a day or two I believe. Unsure if any vpsB members have any services with them, though. Still good to get it out there though regardless.

Isn't this the 3rd time? GVH said in the past he 'looks up' to Chris Fabozzi from ChicagoVPS, so I guess he's doing a good job following his footsteps. Service quality and security policies appear to be on par with each other and lack of notifying impacted customers is the same.

Anyhow, if you're a GVH customer... may god have mercy on your soul.

 

[Steven F]

may god have mercy on your soul.

Switch Billy Madison with "GVH customer" and answer with "purchasing any service from them".

 

[DomainBop]

Isn't this the 3rd time?

The 3rd time that customers have had their data publicly exposed to unknown individuals, but when you consider that this is a company that hires poorly vetted questionable characters from Skype/chat rooms/Romper Room, and gives them access to customer info, and that this is also a company who has admitted vzctl'ing into its customers VPS's and running ls commands, then in reality the customers have probably had both their data and their personal info fall into the wrong hands countless times.

edited to add: the same data breach notification rules I raked Fabozo over the coals for not following also apply to GVH.  Besides notifying payment processors, the crew at GVH also should probably familiarize themselves with the different data breach notification laws that states have enacted (FYI, it is usually the customer's state of residence, not the company's state of incorporation, that determines which state's laws the customer can seek relief under)

edited again, forgot the link: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

 

[MannDude]

The 3rd time that customers have had their data publicly exposed to unknown individuals, but when you consider that this is a company that hires poorly vetted questionable characters from Skype/chat rooms/Romper Room, and gives them access to customer info, and that this is also a company who has admitted vzctl'ing into its customers VPS's and running ls commands, then in reality the customers have probably had both their data and their personal info fall into the wrong hands countless times.

True. But they'll continue to earn business from 3rd worlders who don't speak or read English well who only know how to convert USD to their local currency to see that the price is very cheap, and since that is all they can afford, they'll continue to give GVH business regardless if they're down for 50% of the time like BlueVM or or get hacked and breached every week.

It's actually very interesting, and it almost makes you want to start a social experiment where you start something up and purposely make it an awful experience for those using it to try to understand their mentality and reason for sticking with it. Is it a hope that it will get better? Is it literally all they can afford? What is it?

 

[MannDude]

Green Value Hosting, Inc.


Re: Recent Security Breach of WHMCS Attachments


December 24, 2014


On December 22, 2014, an error in one of our maintenance procedures caused our WHMCS attachments folder to be publicly accessible for download for users via the Internet.


While our technicians were performing critical maintenance on our client area's customized "cloud-based setup", a loophole in our procedure allowed a "whmcs.tar.gz" file to be publicly accessible in the "root" directory of one of our servers. Our understanding is that this file was downloaded by a person with malicious intent and then spread through online community forums in an attempt to compromise the security of our customers.


Although most content in "whmcs.tar.gz" is not sensitive, the archive contained data which includes our WHMCS attachments folder. This means that any attachments up to the date that this incident occurred is in the hands of persons with potentially malicious intent, which poses a security risk to our customers and is counted as a breach of security. We are making this announcement out of concern for our customers' security as well as in accordance with Illinois State Law.


Our compliance (abuse) team is investigating this incident further and will be emailing individually who are found to have personal information (such as government-issued identifications) uploaded to our WHMCS attachments folder prior to the breach of security. The affected customers will then be advised to take the appropriate steps to ensure their own security.


We understand that this is a very critical and fatal mistake that was made on our part, and can assure our clients that the appropriate measures have been taken to make sure that an incident like this will never be able to happen again. Maintaining the trust of our clients as well as our clients' personal data security are one of our top priorities, and we will continue to put forth our best efforts in securing such at all times.


Clients who are affected by this security breach can expect to receive an email regarding this in the next few days of this public announcement.


If anyone has any questions, comments, or concerns, they may be addressed to our management department via ticket submission: https://secure.greenvaluehost.com/submitticket.php


- GreenValueHost Management


PO Box 972, Normal, IL 61761


United States

https://secure.greenvaluehost.com/announcements.php?id=30

Quoting it here as it will surely disappear in the future as past announcements have.

 

[DomainBop]

Posting the data breach notice is a positive and if he follows through with notifying the people whose data was compromised it will be another positive.  It's certainly better than the providers we've seen whose entire customer database was posted online and never notified customers.

While our technicians were performing critical maintenance on our client area's customized "cloud-based setup", a loophole in our procedure allowed a "whmcs.tar.gz" file to be publicly accessible in the "root" directory of one of our servers.

Please do not call the person who was responsible for creating a .tar.gz containing customer info in a public directory a "technician".

 

[aggressivenetworks]

I would call them a DUMBASS or FIRED!

 

[drmike]

I've seen the data dump.

In there are what I suspect are all customer attachments to tickets.  Graphics.

There are many identification document scans in the files.  There are several credit cards also.

Lots of screencaps of management system fails. Same problems over and over.

No database.

 

[Munzy]

Does it include a configuration file?

 

[Aldryic C'boas]

You're on the wrong forum to be looking to try and reuse a leaked SQL password.

Their excuses are absolutely hilarious. "Loophole", "cloud".. had a good laughing fit over that line of BS.

 

[KuJoe]

On the bright side, this serves as a good lesson for other hosts who don't even think twice about the attachments directory in WHMCS. We have ours locked down and inaccessible to the outside world but I realized after reading this thread there's no need for me to keep files on the server after the ticket is closed.

 

[Aldryic C'boas]

I don't allow attachments, period.  Let's just say there's a hefty chance of it being less than safe.

 

[DomainBop]

On the bright side, this serves as a good lesson for other hosts who don't even think twice about the attachments directory in WHMCS. We have ours locked down and inaccessible to the outside world but I realized after reading this thread there's no need for me to keep files on the server after the ticket is closed.

It should also serve as a good lesson for other hosts on how not to store personal identification documents that customers submit during the verification process.

Repost of what I just posted on WHT:  Copies of passport/photo ID/utility bills and other documents that customers submit should be destroyed soon after verification is performed, and while the documents are awaiting verification they should never under any circumstances be stored unencrypted online as attachments in something like WHMCS.

 

[drmike]

Does it include a configuration file?

What is the filename of such and directory if you know it?

... destroyed soon after verification is performed, and while the documents are awaiting verification they should never under any circumstances be stored unencrypted online as attachments in something like WHMCS.

WHMCS should know better and be dealing with this better.  Prudent to crypt things like that.  It's general purpose dumping use.

I won't harp, but no way WHMCS can be certified in any way I'd think...

 

[aggressivenetworks]

Well they have to contact the people affected by that tar.gz floating around in accordance with their own state laws. The law is called the Personal Information Protection Act
815 ILCS 530/ which explains it all.  

 

[MannDude]

Well they have to contact the people affected by that tar.gz floating around in accordance with their own state laws. The law is called the Personal Information Protection Act


815 ILCS 530/ which explains it all.  

Because of just how difficult it would be to go through and cross reference IDs to accounts, wouldn't it be better just to inform everyone? Jonny says he'll inform those impacted. He seems like the type that won't follow through.

Since the data was made public through GVH's wrong doings, perhaps someone will ethically use the data contained to contact each individual it impacted individually. I'm almost willing to bet most will not / have not been contacted by GVH and would be surprised to learn that their identities have been made very easy to be stolen. Someone should do the right thing, and as a 3rd party attempt contact to those who have been impacted using their leaked personal details to contact them.

Just my $0.02.

 

[KuJoe]

@MannDude similar to how people take DB dumps and create a website for people to search if their information was stolen?

On that note, does anybody remember the name of that password keeping software company that e-mailed everybody who used their software and had an entry associated with a website that was hacked and the DB was dumped? There was a thread on LET and people were PISSED that a 3rd party contacted them about their username and passwords being posted online by the hackers. They weren't pissed at the hackers or the company that got hacked, they were pissed at the 3rd party for contacting them.

 

[MannDude]

@MannDude similar to how people take DB dumps and create a website for people to search if their information was stolen?


On that note, does anybody remember the name of that password keeping software company that e-mailed everybody who used their software and had an entry associated with a website that was hacked and the DB was dumped? There was a thread on LET and people were PISSED that a 3rd party contacted them about their username and passwords being posted online by the hackers. They weren't pissed at the hackers or the company that got hacked, they were pissed at the 3rd party for contacting them.

I think you're thinking of LastPass and one of the several ChicagoVPS hacks.

 

[KuJoe]

I think you're thinking of LastPass and one of the several ChicagoVPS hacks.

I did find that thread but I thought there was another one when one of the big companies like Adobe got hacked. Basically it was a bunch of people complaining that the 3rd party was violating their privacy and I remember replying that they were all morons for attacking the wrong people.