Afrihost has stated that it did not suffer a data breach and none of its clients are at risk.
The statement follows an article on News24 about a “massive Afrihost security flaw”.
The article stated that Taylor Gibb, a software developer who had been banned from the Afrihost network two years ago, discovered the alleged flaw.
Gibb said Afrihost staff had been able to provide ADSL account credentials to users over the phone – which he said put users at risk.
Gibb said “allowing support staff to decrypt credentials at will was not safe”, as they could “write them down, go home, and share them with a friend”.
Our clients are safe
Afrihost told News24 that this issue was on its agenda to be addressed, and that customers would no longer be able to receive ADSL account credentials over the phone.
It has now stated that it was dismayed when contacted by concerned clients who had read the article and its “sensational” headline.
“Here at Afrihost, we are very serious about keeping our clients’ information safe, and we’d like to set the record straight,” said Afrihost.
“The premise of the article is… a client was able to request his password from a support agent for his ADSL user account.”
“This led the client in question to assume that all client details are stored in plain text and can easily be compromised.”
Afrihost said there was no breach of data and no account details have been breached or hacked in any way.
“The article is based on hypothetical scenarios conceived by the author of the article, who was never, at any time, in possession of the data mentioned.”
It stated that its clients are not at risk, as no data was obtained.
“We have also now ensured that consultants cannot view encrypted data, so there is no risk to clients whatsoever – based on the scenario in this article.”
Its clients’ ADSL passwords were never stored in plain text and all passwords were encrypted. The information also only related to ADSL usernames and passwords.
“No payment information, personal information, or ClientZone user login information was ever at risk,” said Afrihost.
“At absolute worst, the information in question could only be used to log in to an ADSL account. Any client could still view their ADSL sessions via their ClientZone and request any unknown numbers be blocked from accessing their account.”
Our team is trustworthy
Afrihost stated that the hypothetical situation also refers to a scenario where a staff member would access account details for their own gain.
“Our staff have no motivation to steal data from our clients, as they receive free Internet for both fixed-line (DSL or fibre) and mobile data,” said Afrihost.
“In many cases, our staff give out their personal accounts to help our clients test their connectivity.”
“While we did trust our staff with access to passwords, this ability has since been removed. This was always subject to identity verification.”
“However, we have removed this feature for our clients’ peace of mind.”
Afrihost said it has always had to balance a need for increased security and safeguards with its clients’ convenience.
Afrihost added that it welcomes feedback on its security measures, but in this case, the “security expert mentioned in the article” was “not willing to work with us and was determined to go to the press”.
“He originally said he would give us 30 days to respond – and these 30 days have not yet passed. In fact, we responded to his suggestions within 48 hours.”
“Our general manager also called him personally to request that he work with us so that we did things in the right way, but to no avail.”
“We were shocked and surprised at the article’s headline – Massive Afrihost security flaw exposed – which we feel is both irresponsible and sensational.”
“Since the change to our systems was already planned, we were able to implement it within 48 hours,” said Afrihost.