WHMCS Hacked, 1.7GB of data posted online

Home / News / WHMCS Hacked, 1.7GB of data posted online

Ok, so I didn’t had enough time and information to blog this but most of you already know it that WHMCS got hacked yesterday. We have a long LET thread here.

I was expecting this to get fixed soon hence I created a Video and uploaded on Youtube (later it was clear that my initial idea was wrong, it took much longer for WHMCS to come back online on its feet before getting hacked for the second time)

Hackers released about 1.7GB of data on pasteBin note (unsure whats with pastebin but every hacker seem to be doing that)

UGNazi Tweet mentioning WHMCS hacked files
UGNazi Tweet mentioning WHMCS hacked files

It seems that Matt was using HostGator services (what? why? why not a better company) to store and serve the web application. Someone got access to his HostGator account using “social engineering attack” tactics that did not involve gaining access to any email account, as per the official statement.

LicensePal.com was quick in posting a critical announcement to their customers (reseller of cheap WHMCS licenses) and posting tweets

Warning – WHMCS.com website hack, security precautions inside

21/05/2012 20:55

We are writing to advise you about an incident that occurred earlier today (May 21st, 2012) at WHMCS. It appears that their servers have been compromised, including the licensing servers and ticket system. The hackers are claiming that they will shortly be publishing a dump of WHMCS’s database to the public.

At this time, we are strongly advising all users to change passwords, that were used at WHMCS.com, on all other sites, as well as any server-related (FTP, SSH, etc.) credentials that you may have sent to WHMCS in a support ticket in the past. We also strongly advise that you monitor any billing methods that may currently be on file with WHMCS, this includes credit cards that we would suggest are cancelled as soon as possible.

WHMCS is currently claiming that the hack has nothing to do with WHMCS itself. We are unable to confirm the extent of the attack and what information may be at risk at the current time. We strongly advise that you take extreme precautions immediately to prevent any possible consequences.

I want to personally reassure you that LicensePal and the information that we hold is unaffected by this hack. If you have purchased your license directly through us, then you should not have to worry about your billing information. However, please be aware that your personal information would also be stored in their database.

If your license is presently reporting as invalid, please allow some time for WHMCS to get all of their licensing servers back online and functional. They are reporting updates at the following site. http://forum.whmcs.com/showthread.php?p=223398#post223398

If you have any questions or concerns, please open a ticket and we will address it for you to the best of our ability.

Thank you for choosing LicensePal.

LicensePal tweet
LicensePal tweet

WHMCS later (after many many hours) sent this email to their customers with the subject “Urgent Security Alert – Please Do Not Ignore“.

Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.

To clarify, this was no hack of the WHMCS software itself, nor a hack of our server.  It was through social engineering that the login details were obtained.

As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.
Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.

This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.

—-
WHMCS Limited
www.whmcs.com

Its a pitty that a company making $1.6m USD has hired cheap throw away servers from a company (HostGator) that’s known to be prune to Social Engineering attacks (get on live chat, provide some details and they will give you access to account and later the server)

WHMCS’s twitter also got hacked, there are malicious tweets from the account

WHMCS Tweet
WHMCS Tweet

later WHMCS posted

Just another quick update as I know there’s a lot of rumours and speculation going around. Right now to compound matters, we are experiencing a large scale DDOS attack, which started at around 1am last night, and continues to this moment, so accessing the site may be intermittent for the time being due to the protection hardware that has been put in place for that. We know we’ve let you down. Although the attack yesterday was not directly due to any lapses in the security in place on either our server or WHMCS itself, we realise that we could, and should, have had a more robust hosting infrastructure in place. Plans have already been put in motion for a new multi-server hosting infrastructure to be setup and migrated to. As soon as we get things sorted, we’ll be back online and give you another update. In the meantime, thank you for bearing with…

A scanner is being passed on which has catalog of all the server IPs running WHMCS installs (they must have taken it from the database that the hackers posted online). One user says

A new WHMCS exploit scanner is being passed around IRC now. It checks for exploits on every single IP listed as active in the database. It’s not that bad now (unless you never update WHMCS), but this is going to make future exploits a bad thing. It’s not like most people are going to change their server IP just to protect themselves.

On top of all this, WHMCS was hacked again!! (see screenshot below), probably a dropped shell from the first hack?

WHMCS Hacked Again
WHMCS Hacked Again

Being a WHMCS member myself, I am just very angry and unconfortable that the information that I trusted to give to WHMCS is now available in the wild for anyone to download and misuse. This is just not right. I am either looking at other options or coding my own system to replace this dreaded WHMCS app

Update: Another group GearSec cracked open the identify of the initial hacker and posted information on pastebin.com.

Update 2: Someone also put together a blog with all the info of the initial hacker who hacked WHMCS.

Update 3: Someone just put together a LOL website for WHMCS http://www.haswhmcsbeenhackedtoday.com/

Update 4: People have mass-downloaded the databases and now trying to decrypt the WHMCS’s customers Credit Cards. One such failed attempt here http://pastebin.com/FrHk9391

Further reading

  1. WHMCS Hacked – LowEndTalk.com
  2. UGNazi Leaks 1.7 GB of Data from WHMCS Servers – Softpedia

8 Comments

Leave a Reply