Yet another Hetzner data breach

MrGray (Honorary Master; joined Aug 2, 2004; 10,067 messages; reaction score 5,922; location: South Africa)
Just got this email:

Good day,
Security incident - here’s what you need to know

Online platforms around the world have been under severe attack this year. Even with our best efforts to stay one step ahead, we would like to inform you of a security incident involving your Hetzner account information. You do not need to take any action - we have the situation under control.
What you need to know:
Over the past year, we have significantly increased our measures to harden our systems against possible attack. This includes regular penetration testing and a comprehensive audit by independent cyber security specialists, with a dedicated team always working to strengthen our systems and the security of your data.

On Friday, 5 October, our technical team uncovered suspicious activity on our database. We acted swiftly, working around the clock, to patch the vulnerability from further coordinated attacks.
Data that may have been exposed:
  • Name and email address
  • Phone number(s)
  • Address details
  • Debit Order bank account details such as your bank account number. This information is readily available and often provided for invoice purposes.
  • Identity number
  • VAT number
Data that was NOT exposed:
  • Credit card details - this information is not stored on any of our systems
  • Passwords and login credentials
  • Website and email content
What you should do:
There is no action to be taken on your side. However as always, we do recommend that you remain extremely vigilant to phishing scams.

A comprehensive audit involving our security team and cyber security specialists is underway to ensure that our systems are secure.

We can reassure you that your data security remains our top priority and that we take swift and decisive action to address threats whenever they are identified.
 
So, basically, nothing to worry about, they just got my name, email, address, bank account details, ID and VAT number in a "coordinated attack", but there's no need to do anything because they didn't get passwords.... smh.
 
Not surprised. Hetzner still hasn't implemented basic security like 2FA on Konsole, or SFTP, so I'd imagine their view on security is incredibly lax. Probably sensitive data like ID Numbers weren't encrypted either. This will keep happening until such time as they decide to take security more seriously - which probably won't happen until they get some kind of monetary fine.
 
AFAIK they're about to roll out a completely new version of KonsoleH.
 

Heard that too, however, it doesn't excuse them from making sure their current solution is secured. Adding 2FA or encryption on one or two fields is not a major project. It's been nearly a year since the last hack, and they're still running the same flawed system exposing all their client data.
 
I'm assuming that they have at least hashed their passes, etc since then as they seem quite keen on highlighting that these were not breached this time. They did require most of the passwords changed after the last hack and no longer just give them to you if you ask nicely, which hopefully means that they're no longer in the clear.
 