Hope you sink Fasthosts… Is your data safe peeps?

19 Oct 2007

So, I got an email from a client today shitting themselves because Fasthosts have had a serious security breach, and lo and behold, I just got one too…

We are writing to inform you that we have recently discovered evidence of a network intrusion involving a Fasthosts server. We have reason to believe that the intruder has gained access to our internal systems, and that this may have in turn given them access to your username and some service passwords.

We have since closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again.

We therefore recommend, as a precaution, that you now change the control panel login password on your account.

I have tried to avoid Fasthosts for hosting for about 4 years, as they were really bad for hammering you with bandwidth costs etc. I used to run a dedicated server with them and, to be honest, I was never that happy with the way they dealt with me, let alone the extra charges. Some might say it was my own fault for not picking a larger package, but there you go; we live and learn. But did I really?

Maybe I have been negligent, but somehow they slipped back into my life in the form of UKreg and domain registration, and today I too am having to deal with the fact that my details have been compromised on the servers of a company that claims to be the number 1 hosting company in the UK. What can I do? I am going to have to dig into the coffers and move my domains to someone else, because apparently my data is not safe there (I doubt it is truly safe anywhere) and now someone has potentially had access to sensitive info.

I feel sorry for those of you out there with Fasthosts reseller accounts; make sure you bill Fasthosts for any time you spend cleaning up their mistake. They claim in their email to me that they have cleaned up and that it will never happen again… it shouldn’t have happened in the first place!

So how safe is your data? I hope this little wake-up call for me can in some way help you avoid getting into a similar situation, which brings me to another point… beta trial accounts.

How many of you out there have been sucked into the Web 2.0 phenomenon? How many of you have a beta account for one new whizz-bang web application? How many of you have two? I’m going to put my money on you all having more than two, and that you only ever use a handful of passwords for them or, heaven forbid, even just one. And I would pose the question: how many of those accounts do you actually use?

Scary to think of your identity being sprinkled across the web in many shapes and forms for some nefarious character to tamper with or, even worse, steal. I know I am going to set aside some time to cull my inactive accounts and take a close look at what I use on a day-to-day basis and what I really need to be using.

Boom is over… time to get sensible… I kinda stopped reading Tech Crunch a while ago, as buzzwords piss me off and there were too many app names ending in “r”.

Oh well, rant over. I hope Fasthosts really do lose a good chunk of market share and that some smaller, better web hosting companies get a look in, and I hope you guys get a fright from my fright and take an introspective look at what you do with your data and who holds onto it.

Take care and don’t sign up to anything I wouldn’t ;-)

Comments

    Tx-RxFx - moving domain now..
    October 19th, 2007

    I’ll say this now: I wasn’t a big customer with them, but jeez, for all those who are, I feel for you. When I cancelled everything and stripped every last bit of critical data off of there, you just knew that there was a ton of people swearing whilst on hold at position 16 for over an hour.

    Damn, I mean, your data is never safe anywhere and, let’s face it, there’s always that risk. But with an ISP leaving things unencrypted and being non-proactive about what seems to be constant door knocking on everyone’s FTP accounts (mine included) from China, I’d rather leave than sit this one out.

    I’m able to. Some I can understand are not.

    As I said in the good ol’ Register’s comments on the article:
    “Nothing is risk free but not everyone is as stupid as Fasthosts…”

    http://www.theregister.co.uk/2007/10/18/fasthost_police_hack_investigation/

    Alan White
    October 19th, 2007

    You mean to say they never even encrypted passwords?

    I’ll say that again for those that didn’t hear me…

    Fasthosts do not encrypt their passwords!!!!

    I bet they just gave their security codes to someone…

    Tx-RxFx - moving domain now..
    October 19th, 2007

    Oh, now they’re saying that the Credit card information has yet to be confirmed as being safe… the CC numbers were possibly stored in an un-encrypted manner as well since help desks could see and act on them.. (according to register comments).

    This is baaaddd..
    http://www.theregister.co.uk/2007/10/19/fasthosts_banking_hack/

    Steve
    October 19th, 2007

    “…I hope Fasthosts really do lose a good market share and that some smaller better web hosting companies get a look in…”

    Well, from someone who works for a MUCH smaller hosting company (&, I hasten to add, one who ENCRYPTS THEIR CUSTOMERS’ PASSWORDS), we’ve been picking up disgruntled customers of Fasthosts all year. Vive la Fasthosts cockups!

    Alan White
    October 19th, 2007

    Right on ;-) Glad to see you doing well out of them… Like I said in my post, their incompetence isn’t a new thing; I am amazed they got this far without something big happening.

    I can imagine that is exactly why this has happened, just a shame I was in the boat when it sprung a leak.

    Eliot Jones
    October 19th, 2007

    Against the trend, we’ve been largely happy with Fasthosts over the years. But their customer support in response to this issue is appalling. It’s very basic – if you don’t have the staff to handle 10,000 support calls in a crisis, then at least publish regular statements on your website, sharing what information you have. It’s what we would do for any of our customers who paid us thousands of pounds a year, as we pay Fasthosts.

    Thinking ahead: where could a Windows/ASP/MS SQL host move all their sites to? What are the best non-Fasthosts options for resellers, who don’t want to look after their own server? Thanks for any tips.

    Nils
    October 20th, 2007

    I know nothing of this Fasthost, but I’m sure it’s no different here. Only a few days ago, news leaked that a few smaller banks had been attacked and accounts been compromised. Even worse.

    As for data of mine being around, sure, but I don’t see much danger in that. So what if I signed up for some dead-in-the-water service a year ago? It’s like someone knocking you over the head on the street and stealing an old supermarket receipt from your pocket.

    I suppose it’s an inevitable consequence of ‘engaging in an environment’ – be it your local pub or the web. Of course, that never means others should just mess around with stuff you trust them to safeguard.

    Adrian
    October 20th, 2007

    I am also trying to move hosting providers; I just have a managed, normal LAMP setup, nothing fancy.

    I have been calling the “top” hosts just to see what they offer. And guess what?

    None will check your site regularly to see if it has been hacked; none will do forensics and report it to the Police/high-tech crime unit. None will attempt penetration tests against your site.

    What they will do is restore your site from a backup, apply patches. Is it just me thinking this is not “managed” enough?

    Does anyone know a hosting provider who will pro-actively *manage* a site?
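
    Added example (editor’s note, not part of the post or of any comment above): what the “proactive” checking Adrian is asking for, and the “door knocking on everyone’s FTP accounts” Tx-RxFx mentions, look like as a concrete detection. The script below parses a handful of constructed FTP auth-log lines (the field layout imitates vsftpd’s FAIL/OK LOGIN records, but is this example’s own assumption) and flags any source address that racks up a burst of failed logins against many different usernames inside a short window. The thresholds are placeholders to tune per host.

```python
"""Spot password-guessing against FTP accounts from auth-log lines.

Added example for this page; not code from the post, its commenters or any
hosting provider. Log lines below are CONSTRUCTED and their layout
(vsftpd-style "FAIL LOGIN: Client ...") is an assumption of this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a guessing burst from one source, plus ordinary traffic
# where a real user fat-fingers a password once and gets in on the retry.
SAMPLE_LOG = """\
Fri Oct 19 03:14:02 2007 [pid 4123] [webmaster] FAIL LOGIN: Client "203.0.113.7"
Fri Oct 19 03:14:03 2007 [pid 4124] [admin] FAIL LOGIN: Client "203.0.113.7"
Fri Oct 19 03:14:03 2007 [pid 4125] [test] FAIL LOGIN: Client "203.0.113.7"
Fri Oct 19 03:14:04 2007 [pid 4126] [root] FAIL LOGIN: Client "203.0.113.7"
Fri Oct 19 03:14:05 2007 [pid 4127] [ftp] FAIL LOGIN: Client "203.0.113.7"
Fri Oct 19 03:14:06 2007 [pid 4128] [webmaster] FAIL LOGIN: Client "203.0.113.7"
Fri Oct 19 03:20:11 2007 [pid 4140] [alan] FAIL LOGIN: Client "198.51.100.22"
Fri Oct 19 03:20:40 2007 [pid 4141] [alan] OK LOGIN: Client "198.51.100.22"
Fri Oct 19 09:02:15 2007 [pid 4390] [alan] FAIL LOGIN: Client "198.51.100.22"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse(text):
    """Yield one dict per recognised log line; unrecognised lines are skipped
    (in production you would count those too, so a format change is noticed)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "user": m["user"],
            "ok": m["result"] == "OK",
            "ip": m["ip"],
        }


def find_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (max_failures_in_window, distinct_usernames_tried)} for every
    source that produced at least `threshold` failed logins inside any span of
    length `window`. A high distinct-username count is the tell-tale of someone
    walking a list of accounts rather than a user mistyping their own password."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for ev in parse(text):
        if not ev["ok"]:
            failures[ev["ip"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for ip, events in failures.items():
        events.sort()  # log order is usually chronological, but don't rely on it
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {user for _, user in events[start:end + 1]}
                best = flagged.get(ip)
                if best is None or count > best[0]:
                    flagged[ip] = (count, len(users))
    return flagged


if __name__ == "__main__":
    for ip, (n, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins across {users} usernames inside the window")
```

    On the constructed sample only 203.0.113.7 is reported (six failures against five different accounts in four seconds); the genuine user on 198.51.100.22 fails twice, hours apart, and is left alone. Feeding the real log through a cron job and blocking or alerting on the result is the “manage” part that the comment above says the big hosts were not offering.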

    Alan White
    October 20th, 2007

    @Nils: I fully understand what you are saying about engaging in an environment, I guess it also depends on how much of your life goes online. Take Google for example, that is one scary company, they hold a lot of sensitive data about a lot of people, problem being that they just keep bringing useful tools to the table and integrate them all together. One account to rule them all only implies a downfall at some point.

    @Eliot: I’m sure there have been many people happy with what they have had from Fasthosts, I think the problem with them arises when you want a little more from them. They kinda strike me as mass production, low quality, no customer service and when it comes to something like this… total incompetence.

    @Adrian: I am no expert in managing servers, but I would imagine that there must be astronomical costs associated with that level of proactive management. Having said that, a good sysadmin should have these things in place when setting up. Things like intrusion detection, rootkit detection etc. are the basics, but I am guessing if folk can hack into the Pentagon if they want to, it is hardly surprising that a hosting company can get hacked. The least they could have done though was encrypt our passwords, makes me wonder about what other contingency plans they had??

    I think any hosting company can take security to a certain level and most of them will have proactive top-level security, but to implement that on a personal level for every client would be a mammoth task.

    I’m afraid I cannot offer any concrete advice on the specific hosting requirements for anyone, but perhaps a few simple considerations for you.

    1. Any company holding data that has been compromised would be required to report it to the police if it breached data protection law
    2. There are companies that will provide penetration testing but this will come at a cost
    3. You are entitled to ask for services from a hosting company but they are also entitled to charge for a service. If they cannot provide the service they are not worth going with. Ongoing forensics may be expensive but how valuable is your data?
    4. Try looking into specialist hosting companies, they may be able to cater to your needs more specifically

    These are just some thoughts that have come to mind whilst writing and by no means comprehensive but if anything, Fasthosts have certainly posed some interesting questions to potential hosting customers for any hosting company.

    Lets see if there is any reaction from their competition and maybe we will all benefit.

    Thanks for your input folks :)
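
    Added example (editor’s note, not part of the post or of any comment; not Fasthosts’ code): several commenters say the passwords should have been “encrypted”. Strictly, what a login system needs is not encryption (an intruder on the internal systems could reach the key too) but a salted, deliberately slow one-way hash, so that a stolen user table gives the attacker only hashes to grind through. The script contrasts the plaintext record the comments describe with a PBKDF2-HMAC-SHA256 record, using only the Python standard library. The `scheme$iterations$salt$hash` record format and the iteration count are this example’s own choices, not any provider’s.

```python
"""Storing account passwords so a dumped user table does not hand them out.

Added example for this page, not code from the post, its commenters or any
hosting provider. Record layout and iteration count are this example's own
assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumption: pick the count so one verify() costs ~100 ms on your own hardware.
ITERATIONS = 200_000
SCHEME = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The failure mode the comments describe: the stored record IS the password,
    so whoever reads the table reads every customer's password."""
    return password


def make_record(password: str, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Salted slow hash. A fresh random salt per user means two customers with the
    same password get different records, and precomputed tables are useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        scheme, iters, salt_b64, hash_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:
        return False  # malformed or foreign record: never "fail open"
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def crack(record: str, candidates: Iterable[str]) -> Optional[str]:
    """What an intruder holding the dumped table is reduced to: one full PBKDF2
    run per guess per user. This is the cost the iteration count buys you."""
    for guess in candidates:
        if verify(guess, record):
            return guess
    return None


if __name__ == "__main__":
    leaked_plain = store_plaintext("correct horse")
    leaked_hashed = make_record("correct horse")
    print("plaintext table row:", leaked_plain)
    print("hashed table row:   ", leaked_hashed)
    print("login ok:", verify("correct horse", leaked_hashed))
    print("wrong pw:", verify("Correct horse", leaked_hashed))
    print("cracked with a short wordlist:",
          crack(leaked_hashed, ["password", "letmein", "correct horse"]))
```

    Two caveats a practitioner would add. First, this protects login passwords only; the credit card numbers mentioned in the Register link above cannot be hashed, because the business needs to use them again, so that is a key-management and access-control problem (or simply not storing them), not a hashing one. Second, a stolen hash table still falls to a wordlist if customers chose weak passwords, which is exactly why the post’s point about reusing one password across many beta accounts matters: the slow hash buys time to reset, not immunity.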

    Simon
    December 3rd, 2007

    Looks like it’s going to get worse before it gets better.

    Seems they are resetting more passwords on the 10th.

    http://fasthostshell.blogspot.com/

    Jef
    April 2nd, 2008

    Fasthosts’ customers frack up then look to blame anyone but themselves. It’s disgusting

    Mark Victor
    June 25th, 2008

    Never be tempted to use Fasthosts.

    They are rubbish in everything they do.

    Whether it is just for one basic site, or like us a reseller with many, do not go near them.

    They will be more trouble than they are worth, with slow servers, bad idiotic support and terrible attitude to customer retention. Don’t do it
