Slashdot Mirror


Dreamhost FTP/Shell Password Database Breached

New submitter Ccmods writes "Below is a snippet from an email Dreamhost sent to subscribers early Saturday morning, describing an intrusion into the database storing FTP and SSH usernames and passwords: 'We are writing to let you know that there may have been illegal and unauthorized access to some of your passwords at DreamHost today. Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all DreamHost customers and their users. ... Only the FTP/shell access passwords appear to have been compromised by the illegal access. Web panel passwords, email passwords and billing information for DreamHost customers were not affected or accessed.'"

14 of 123 comments

  1. Not a big deal by slimjim8094 · · Score: 5, Informative

    As a Dreamhost customer, I watched this unfold in real time. Apparently the passwords were hashed, and there's no indication that they were compromised, other than the fact that it was technically possible. So they changed the passwords because it's cheaper, PR-wise, than being wrong.

    There's a big warning up on the panel, which has a password stored in a different, non-compromised DB. Between the panel and the email, I doubt anybody's confused as to what's going on.

    In other words, it's really not that big of a deal. The database shouldn't have been compromised, and I'll expect a full postmortem of how they screwed that up, but in terms of damage (or even inconvenience), there really isn't any to speak of.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    1. Re:Not a big deal by ZackZero · · Score: 3, Insightful

      After spending time reading the misplaced anger and blatant misunderstanding of the method of password storage over on DreamHostStatus, it's good to see some rationality being injected somewhere.

    2. Re:Not a big deal by sortius_nod · · Score: 4, Insightful

      I actually think it's a big deal, but not for the reason most people are crying about.

      It's a big deal that they have been open, honest, & cautious about the intrusion. Having seen so many high profile companies take the opposite stance lately, the DH intrusion should be made a big deal of, if anything, to show other companies how you react to being hacked without losing face with customers.

      For me, there is only one chance when it comes to security to get it right. If you try to hide intrusions, lie to customers, or stonewall tech sites trying to get more information, you aren't a company to be trusted with my data.

    3. Re:Not a big deal by Anonymous Coward · · Score: 3, Interesting

      >Where? I've been a DH customer for 5 years...

      The "forgot my password" link on the webpanel login page (discovered today by virtue of needing to log in to set user passwords again).

      You are right that for users within your webpanel account there is no email reset option - you log into the webpanel to set these passwords.
      But the webpanel account itself - passwords are emailed in plaintext.

    4. Re:Not a big deal by Anonymous Coward · · Score: 5, Funny

      it's good to see some rationality being injected somewhere.

      You mean as opposed to SQL being injected somewhere, of course.

    5. Re:Not a big deal by LordLimecat · · Score: 3, Informative

      Just because you can get it emailed to you does not mean that it is stored plaintext.

    6. Re:Not a big deal by ZackZero · · Score: 4, Funny

      Of course, since rationality hasn't historically been deliverable by SQL injection :P

    7. Re:Not a big deal by etresoft · · Score: 3, Informative

      Alas, Dreamhost markets to the public at large, who often have no idea anything other than FTP exists. Dreamhost also provides sftp, ssh, WebDAV, and secure e-mail.

    8. Re:Not a big deal by etresoft · · Score: 3, Insightful

      Like many Dreamhost customers, I have used many other hosts over the years. None has even come close to Dreamhost. Many companies try to project an aura of professionalism but are really mickey mouse operations on the inside. Dreamhost is the opposite. I think they make a point to act like clowns only to scare off the clueless, high-maintenance market.

  2. FTP? by MichaelSmith · · Score: 5, Insightful

    If the passwords are used for FTP they should be considered compromised anyway.

  3. I'll see your SFTP and raise you... by sakdoctor · · Score: 4, Insightful

    I'll see your SFTP and raise you disabling password authentication entirely, and using SSH public key authentication only.

    If your SSH server is visible over the Internet, you should use public key authentication instead of passwords if at all possible. If you don't think it's important, try logging all of the malicious login attempts you get for the next week.

    -- https://help.ubuntu.com/community/SSH/OpenSSH/Keys
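Taking the post's advice as a concrete check, here is an added example (not from the thread, Ubuntu's page, or DreamHost) that audits an sshd_config for password-based logins. The function names and the two sample configs are constructed; it relies on the documented OpenSSH rule that the first value read for a keyword wins.

```shell
# Added example: audit an sshd_config for password logins. OpenSSH keeps the
# FIRST value it reads for each keyword, so the check takes the first
# uncommented occurrence before any "Match" block.

# Print the effective value of a keyword (keywords are case-insensitive) or
# the given OpenSSH default when the file does not set it.
sshd_effective() {
    # $1 = config file, $2 = keyword, $3 = default if unset
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match"       { exit }      # per-user/host overrides follow
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }' "$1"
}

# Return 0 when password logins are off and key auth is on; print findings.
audit_sshd_config() {
    rc=0
    if [ "$(sshd_effective "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' in $1"; rc=1
    fi
    # keyboard-interactive (PAM) is a second password path; newer releases call
    # it KbdInteractiveAuthentication and keep this name as an alias
    if [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" != "no" ]; then
        echo "WEAK: ChallengeResponseAuthentication is not 'no' in $1"; rc=1
    fi
    if [ "$(sshd_effective "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication is not 'yes' in $1"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 accepts keys only"
    return "$rc"
}

# Constructed sample configs: a stock-looking one and a hardened one.
weak_cfg=$(mktemp) && cat > "$weak_cfg" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
hardened_cfg=$(mktemp) && cat > "$hardened_cfg" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# a later duplicate is ignored: sshd keeps the first value
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$weak_cfg" || true
audit_sshd_config "$hardened_cfg"
rm -f "$weak_cfg" "$hardened_cfg"
```

Match blocks are deliberately not evaluated, so any per-user or per-host exceptions still need a separate look.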

    1. Re:I'll see your SFTP and raise you... by MichaelSmith · · Score: 3, Informative

      I'll see your SFTP and raise you disabling password authentication entirely, and using SSH public key authentication only.

      I do this on my own servers but I don't use plain file transfer at all. Instead I use a distributed version control system (mercurial) and I push to the server. Mercurial lets me define a hook to update the remote copy to the repository tip when new changesets are pushed to it. Working this way I have a full version history at the local and remote end. Additionally I only have to manage the directory tree locally. The remote end is taken care of.

      Another advantage is that mercurial hashes the whole repository so if anybody does fiddle with any files, I hear about it as soon as I touch the repository.

  4. Re:Only since last June.. by Maestro4k · · Score: 3, Informative

    This has been going on since last June [dynamoo.com]. Dreamhost were completely unresponsive to reports that their services were being abused. Hey, it only took 'em half a year to figure out there was a breach..

    Probably because that has all the hallmarks of a software PHP vulnerability web-hack of a site, NOT an FTP compromise. I've seen plenty of those, they use some vulnerability to gain access, then upload a file (through the web software) that gives them what's basically a PHP web-based shell. There's no need for the FTP account password to be compromised (and it usually isn't).

    All web hosting companies get a lot of that type of attack because their customers don't all update and/or secure their sites properly. WordPress is a particularly popular target.

  5. Meanwhile under the radar by dbIII · · Score: 3

    Here's an example of somebody getting it badly wrong but little press about it.
    A few weeks ago Telstra Bigpond, one of Australia's largest ISPs, was caught out with the utterly stupid situation of having their customer list of username, plain text password, email address and mailing address out there naked on the internet. Outsourced workers in call centres needed the information but some idiot decided instead of them having to log in somewhere to get access that they should simply be able to use a URL with the customer's username on the end of it. The site with the passwords was still up ten hours after it hit the mainstream news.
    Now that's the sort of thing I expect when I see something like the article summary above, but instead it's the opposite - full disclosure early instead of being caught out by the press and not plain text passwords.