Password compromise on shared hosting server

E-mail, client and FTP passwords on our shared hosting server have been reset due to a suspected compromise of some hosting customers’ account information.

There was another attack this week on our shared web hosting server (see also previous), injecting malicious code into a Spiral-hosted website. This week’s breach, however, was definitively traced to an unauthorized FTP connection using the account owner’s credentials. Forensic re-review of several of the previous break-ins suggests that the same method was employed for previous weeks’ website alterations, and the available data strongly suggests that multiple user passwords have been compromised.

Further review revealed that every single site affected by the recent breaches is one that had been transitioned from our secondary hosting server onto our primary server in mid-2016 when we closed the secondary server down.  The odds of that happening by chance if the breach had occurred on the current server are extremely low.  Additionally, the secondary server had far weaker security than the existing setup (a major reason for the migration).  Both of these facts point to this breach having occurred before the server transition, and old passwords from that breach being withheld for later use.

However, out of an abundance of caution we have reset ALL passwords on the current shared hosting server.

The hosting servers do NOT contain any customer financial or personal information — the only data exposed in a potential breach would be usernames, passwords, website contents and e-mail mailboxes.  However, any sensitive or personal information sent via email to accounts on that server may likewise have been compromised.

If passwords used on that server were reused elsewhere, we advise changing those as well.

Who is not affected

Customers using Spiral for internet access via DSL or dial-up are NOT affected.  Customers pre-registered for our fiber optic project are NOT affected.  Customers with NCCN.net e-mail addresses are NOT affected.

Who is affected

Spiral’s web hosting and custom-domain e-mail hosting customers have data on the server where we performed the password reset.  However, not all of those accounts are suspected to have been breached.

Approximately half of Spiral’s web hosting accounts were formerly located on the secondary server where the data breach is suspected. If you have a website hosted by Spiral, call our office at (530) 478-9822 and we can review our records and tell you whether you may have been affected.

Customers with spiralEmail.com e-mail addresses, and sierraEmail.com e-mail addresses, have mailboxes on the server where we performed the password reset.  However, those accounts were NOT ever located on the secondary hosting server believed to be compromised; at this time we have no evidence of a data breach on those accounts.

If you have concerns about your data security, or need to speak with us about your passwords, please call our office at (530) 478-9822, Ext. 1 for customer support.

About Bax

I'm the Technical Support Director for Spiral Internet. You can reach me during business hours at (530) 478-9822, Ext. 1. I'm happy to answer your questions!