Hetzner South Africa hacked - Sensitive information exposed

moklet

Expert Member
Joined
Aug 20, 2005
Messages
3,827
Causing me a lot of work now, having to change passwords and customers' passwords etc. Not very happy.

rpm

Admin
Staff member
Joined
Jul 22, 2003
Messages
66,547
Details here: https://hetzner.co.za/news/konsoleh-database-compromise/

On 1 Nov 2017 we became aware of unauthorized access to our konsoleH Control Panel database. We can confirm that a SQL injection vulnerability was identified within konsoleH, which has been corrected.

We shut down access to konsoleH during the course of the day while investigations proceeded.

While konsoleH Admin passwords have not been compromised, we have proactively updated all FTP passwords, which were exposed.

It is imperative that customers update all passwords associated with your Hetzner account immediately, including konsoleH admin passwords.

WHAT INFORMATION WAS EXPOSED?

The following details have been exposed:

  • Customer details (name, address, telephone numbers and email addresses)
  • Domain names
  • FTP passwords
  • Bank account details (cheque/savings). No credit card details are stored.

WHAT DO YOU NEED TO DO?

Customers should update the following passwords immediately:

  • While we have updated all FTP passwords, customers will need to reset this password to gain access
  • If you have made use of an additional FTP user, please manually update these passwords via konsoleH
  • All email passwords that have not been updated within the last 6 months
  • All database access passwords. Note, you will need to update your web application database connection strings.
  • While this password was not compromised, we recommend that konsoleH Control Panel login password

Should you have provided konsoleH access details to any other parties, please advise them to update their login details as soon as possible. Mailbox users are able to update their passwords via our Webmail interface (webmail.konsoleh.co.za).

We have external forensic investigators on site working round the clock with our team. We understand that this event has shaken your confidence in us. It is our earnest commitment to provide you with a hosting service you can trust.

moklet

Expert Member
Joined
Aug 20, 2005
Messages
3,827
Changed SQL password, then went to file manager to update it in config script and got the following message:

Could not connect to server www###.jnb1.host-h.net:21 with user userxxxcfnatf

So I can't even update or access config files, have to go through unsecured FTP.

Not very impressed, Hetzner.

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
6,711
Based on the info in this thread it seems Hetzner SA's konsoleH database is rife with cleartext passwords instead of storing hashed and salted data.

And the SQL injection just makes Hetzner SA look like a bunch of clueless idiots.
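Illustrating the contrast j4ck455 draws (and the notice's point that FTP passwords were exposed while konsoleH admin passwords were not), this added example, which is not konsoleH's or Hetzner's code, puts a recoverable-password column beside a salted-hash column in a constructed SQLite table and shows what a full table dump yields in each case. Table and user names are invented for the demo.

```python
"""Added example: cleartext vs salted-hash credential storage, with a
parameterised lookup. Constructed data only; not konsoleH's schema."""
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed schema: one table carrying both storage designs side by side
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ftp_users (username TEXT PRIMARY KEY, "
        "password TEXT, salt BLOB, pw_hash BLOB)"
    )
    return db


def add_user_cleartext(db, username, password):
    # Design A: the password itself is stored, so any dump of the table
    # (for example via an injection flaw) hands it over directly.
    db.execute("INSERT INTO ftp_users(username, password) VALUES (?, ?)",
               (username, password))


def hash_password(password, salt, iterations=200_000):
    # Slow, salted key derivation: PBKDF2-HMAC-SHA256 from the standard library
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def add_user_hashed(db, username, password):
    # Design B: per-user random salt plus derived hash; the password is not recoverable
    salt = os.urandom(16)
    db.execute("INSERT INTO ftp_users(username, salt, pw_hash) VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))


def verify(db, username, attempt):
    # Parameterised query: the username is bound, never concatenated into SQL
    row = db.execute("SELECT salt, pw_hash FROM ftp_users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or row[0] is None:
        return False  # unknown user, or no hash stored for this account
    return hmac.compare_digest(hash_password(attempt, row[0]), row[1])


def recoverable_passwords(db):
    """What a complete dump of the table reveals: only design-A accounts leak."""
    return {u: p for u, p in db.execute("SELECT username, password FROM ftp_users")
            if p is not None}
```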

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,469
A SQL Injection Vulnerability?! Seriously?!! They also still don't have 2-step authentication on Konsole. Really doesn't bode well that they're so lax on security.

moklet

Expert Member
Joined
Aug 20, 2005
Messages
3,827
Based on the info in this thread it seems Hetzner SA's konsoleH database is rife with cleartext passwords instead of storing hashed and salted data.

And the SQL injection just makes Hetzner SA look like a bunch of clueless idiots.

They are. Still waiting for my email from Hetzner. At least I already sent emails to my customers. Just waiting to hear from them officially. What pisses me off is I can't even access their file manager currently, as I never really use FTP; the small mods I make I do through the file manager. Want to change database passwords, but have to use FTP now (which has been compromised).

moklet

Expert Member
Joined
Aug 20, 2005
Messages
3,827
Still waiting for my email. If I did not visit mybb, I would still have been none the wiser.

moklet

Expert Member
Joined
Aug 20, 2005
Messages
3,827
Here comes ***

Especially seeing Hetzner WAS seen as a respected hosting company. Leaking passwords, IDs and banking details, WTF??? Certain databases should be kept separate.