Another heads up for any VPS / hosting company or those selling products to such. When you are hacked, some States in the United States require that you document and record the event with offices like the State Attorney Generals Office. You are likely subject to regulations in many States since you sell to their citizens. California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a)) Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))In the case of California: Not to be outdone, the State of New York (a state where a certain company is based who was hacked TWICE) has a similar law: http://www.dhses.ny.gov/ocs/breach-notification/ Did someone actually do their paperwork and file with the authorities like good little boys? Shall I inquire?