DreamHost, cambio password per tutti i Clienti!

DreamHost tra i più grandi fornitori di Servizi Hosting Americani la scorsa notte ha inviato un’email a tutti i suoi Clienti invitandoli a modificare tutte le password Ftp poiché c’è la possibilità che queste siano finite in mano ad un gruppo di hackers.

L’azienda ha provveduto ad effettuare un cambio password massivo che ha richiesto un po’ più del previsto dato che attualmente DreamHost gestisce oltre 1 milione di siti web. DreamHost ha anche pregato i propri Clienti di cambiare le password delle caselle email utilizzate come riferimento su DreamHost.

A questo link è possibile vedere gli aggiornamenti effettuati in tempo record da DreamHost:

http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-passwords-due-to-security-issue/

dove si può riscontrare che l’intervento di cambio password è ormai terminato.

Questo il testo dell’email inviata ai Clienti:

 IMPORTANT INFORMATION: We are writing to let you know that there may have been illegal and unauthorized access to some of your passwords at DreamHost today. Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all DreamHost customers and their users. There are three different types of passwords at DreamHost: a Web panel password (for logging in to the panel), e-mail passwords, and FTP/shell access passwords. Only the FTP/shell access passwords appear to have been compromised by the illegal access. Web panel passwords, e-mail passwords, and billing information for DreamHost customers were not affected or accessed. Refer to the following DreamHost status post for details:http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-passwords-due-to-security-issue/

IMPORTANT ACTION REQUIRED:

1. To create a new FTP/shell access password for your DreamHost account, please log in to your DreamHost Web panel (https://panel.dreamhost.com/), select “Manage Users” in the top left, then select “Edit” next to each user, and type in a new password. Make sure you click “Save Changes” at the bottom of the page.

2. We are also requesting that you change your e-mail password. We are not enforcing this change at this time as we do not believe that e-mail passwords were compromised. However we strongly recommend that you change your e-mail password as a precaution. To change the passwords for your e-mail users or yourself, log in to the DreamHost panel at (https://panel.dreamhost.com/), select “Manage Email” in the top left, select “Edit” next to each e-mail user address, and choose a new password for each. Make sure you click “Save Changes” at the bottom of the page.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please contact us through the support page in the panel.

Note that DreamHost will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any other e-mails that ask for personal information or direct you to a Web site where you are asked to provide personal information.

Sincerely,

The DreamHost Team

Come spiega Simon Anderson, CEO di DreamHost, in risposta ad un cliente:

our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though). Re your shell accounts, I’d suggest that you select a new password just to be sure.

l’hacker ha avuto accesso ad una Tabella di un Database che per errore conteneva alcuni account Ftp e Shell non criptati che han poi permesso l’accesso a tutti i dati dei Clienti.

Per ora non ci sono state azioni/attacchi massivi verso gli account hackerati  e con il cambio password e la patch della vulnerabilità il problema dovrebbe essere risolto!