Ask Slashdot: My Host Gave a Stranger Access To My Cloud Server, What Can I Do?
zzzreyes writes "I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had given a person full access to my server and revoked it, but not before 2 domains were moved from my account. I logged into my account to review the activity and found the form the perpetrator had submitted for appointment of new primary contact and it infuriated me, given the grave omissions. I wrote a letter to the company hoping for them to rectify the harm and they offered me half month of hosting, in a sign of good faith. For weeks I've been struggling with this and figure that the best thing to do is to ask my community for advice and help, so my dear slashdotters please share with me if you have any experience with this or know of anyone that has gone through this. What can I do?"
That's it. That's the truth and that's how 99% of ask Slashdot answers start and end. It's good advice. Everything that follows hereafter is my own, uneducated, horseshit assumptions on how things (should) be.
It wouldn't hurt for you first to read up all that legalese you agreed to when you first entered into a "business contract" with these guys. I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property. And by clicking a checkbox at the end of this fifteen million word tome, you agree not to hold them liable.
Go ahead, I bet it's in there and I've never even read one of these things myself. Which, don't lose heart if it is, a lawyer can probably sacrifice a few kittens, babysit the judge's nephew for free and come out with some sort of "unreasonable burden" to parse that whole thing upon completion of the transaction. I don't know, I know that people are slowly starting to become more reasonable about massive ToS documents.
Lawyers cost money, I have no idea how much money this lost you but sometimes it's not worth fronting $5,000 for a lawyer when $500 is at stake. What I would do is send them another message saying you find their consolation gift unacceptable and you're moving all your business away from them. Then I would do that. Then, I would simply write up a detailed account of these events with a tl;dr of "got F'ed in the A by XYZ Inc" and just go out and drop that on every single forum and review site you can find for domain names and hosting. Why not hit the Better Business Bureau while you're at it? Then I'd let those ferment and field questions in my free time because, hey, revenge releases a special kind of endorphin, right? Then you could be done with it or you could just send them endless requests for reimbursement with the fallout being more zero star reviews and a possible visit from your non-existent lawyer. And why not? They deserve the reputation they have exhibited to you.
And whenever I go off and do something like this and I get sick of the effort, I justify everything by imagining that if I don't do this they'll just screw over god knows how many other customers. So you're doing a public service.
My work here is dung.
If it was my provider, I'm leaving.
Go green: turn off your refrigerator.
Step 2 is find a different Hosting provider. There's only, what, several thousand out there!
I'm curious to know which hosting provider this was.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Your provider has de-facto admitted that they messed up. These things happen. The only question is whether they would truly respond in a professional manner. If they do, and they agree to the following, do the following, and move on. Contact them, and request them to:
* Provision a new virtual host for you.
* You will copy all your existing data into your new virtual host, using your own copies of whatever you use the host for. You do have your own copies of everything, and you don't trust the host with the entirety of your data, right?
* For convenience, I think it's ok to copy some data directly from your compromised host, provided that you're comfortable with whatever verification steps you deem are necessary to certify that it hasn't been tampered with. Data, no code.
* When your migration is complete, your provider will swap in your replacement virtual host in place of the compromised one, which they'll decommission.
Of course, for the duration of your migration, your host will not charge you for the second virtual host. You might consider negotiation with your host for an additional discount, as compensation for the work you have to do as a result of their security breach. I think that free hosting for however long it takes you to migrate, that is, no charge for the new virtual host, and billing suspended for your compromised host, would be fair. If that's the two weeks they're already willing to give you, then that's that.
Seriously?
Take your business elsewhere, if they value your privacy and security that little.
File under 'M' for 'Manic ranting'
1) Check your agreement with them to make sure you didn't already agree to waive their liability for any mistakes they make.
2) Sue them for loss and punitive damages.
As long as your data is out of your hands it is extremely vulnerable. The hosting company only cares about the money you pay them and little else. If they're hacked, too bad. If their servers are down, too bad. If the justice department comes with a request, all your data belong to them. Host your own systems on your own property and make your own "in-house" backups. The cloud by definition is vaporware.
There was life before the "cloud". Back up your own shit.
Your second mistake may have been to accept the free hosting. It is quite possible that by accepting you have just cut yourself out of any future ability to seek redress.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
What I would do is send them another message saying you find their consolation gift unacceptable and you're moving all your business away from them. Then I would do that. Then, I would simply write up a detailed account of these events with a tl;dr of "got F'ed in the A by XYZ Inc" and just go out and drop that on every single forum and review site you can find for domain names and hosting.
Looks like this is the only recourse in many of these cases. Expect this to be made illegal soon.
In the future, either host in-house or co-locate. I use cloud servers for things like my kitten&gumdrops website (it's a private site sorry /. ers)
Is there an SOX requirement here - is this a breach by the hosting company?
Was it an isolated incident (did it happen to other customers)?
You did the "right" thing by writing a letter - email is not legal (in this sense).
I would continue the discussion with the paper documentation you've already started.
Document what you believe is a fair estimate of your loss - time x hourly rate.
See if you can negotiate an agreeable resolution - you did good by not releasing their name, showing good faith on your part.
I'd avoid an attorney for now...
The whole Cloud Computing thing is an industry fad, like many others that have come and gone. Given the advent of cost-effective mega-comms like dark fibre and WAN optimisation, remoting all of your infrastructure or services seems like a logical thing to try.
The problem is......pretty much everything that could go wrong when you trust strangers to handle all of your sensitive IT stuff and protect yourself with a simple piece of paper (hark, I think I can hear the ghost of Neville Chamberlain checking his email...), like as not written by the provider, will go wrong for someone out there at some point. And the implications for the victims are very serious.
When you outsource fully, this sort of stuff can and will happen. And you just have to accept it. Cloud providers are just people, and they are going to screw up in spectacular ways, and their customers are just going to have to cop it. End of story.
Or you could keep stuff in house and take some actual responsibility for your own destiny.
Truth is it's probably not worth it to file a suit, but if you can afford the fees and such and don't much care about the financial side of it, it's a good way to get peace of mind. If you don't want to be out of pocket, all you can do is take it as a life lesson and next time you get password reset emails, act on them. Personally I would take the "Half a month of hosting as a good faith gesture" as a slap in the face and give em hell for it.
Publicly crucify them and set up a website - then complain to the regulatory body and start spinning 100 articles ... bet they will then suddenly start listening.
This is not only a legal issue, you need leverage and the Internet gives it to you (which is why they so badly want to shut this down) ... use it !
I don't mean that as a flippant smart-alec remark, I mean it as real advice. You probably do have legal recourse about which you should consult a lawyer, but after it's all said and done your servers are still going to be in the hands of someone else, who can do this again.
I very much agree with others that said the gift as well as the act is not enough to justify staying with that service provider. I'm guessing that if it happened once, it can easily happen again. Sounds like they need to change some policies in order to protect people, and policies generally take a long time to fix.
Now that we have that out of the way, I have to ask the more meaty questions. Do you really put high risk data on servers that you don't own? Do you really trust anyone but your company with your company's secrets? Do you have things in the Cloud that you can not replace?
Let's face facts: Cloud services have no vested interest in your business. They are there to make money from you, so of course they don't want to piss people off. At the same time, the lack of the vested interest means that things can, and often do, fall through the cracks. Their TOS, just like most EULAs from Software vendors, protects them from pretty much anything you can think of.
This means that they gave you a gift to keep your revenue coming in, not because you have a chance in hell of taking them to court and winning anything no matter how bad you were harmed.
Cloud is good for some things, but remember that it's not yours. If you don't care about some sales person leaving it at Starbucks, then it's Cloud safe. If you care, then it's not.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Lawyer up.
I used to work at a major domain name registrar before I went into business for myself. I have heard of dozens of cases like yours, and in short you are toast.
Scammers look for valuable domain names that are in vulnerable accounts that have public email addresses on free email servers (hotmail, gmail, yahoo, sbcglobal, comcast...) and that can be registered. Or it can be an old phone number that can be used, or some simple paperwork that can be faxed in that the scammer has access to.
The registrars try to protect the domain name and send out warning emails that major account changes are occurring. If those emails are ignored and the domain names get transferred out, it is too late. It is unbelievably difficult (ICANN dispute) to reverse a transfer and force a domain name back once that transfer has finished.
You ignored the email, so unfortunately it is your own fault. Just as it would be your fault if you ignored an official notice that you are required to show up for jury duty thinking it was spam, and afterwards get fined or arrested. Just as if you ignore the car alarm going off in the parking lot as a false alarm and in fact your car was jacked does not mean the alarm company is at fault. The fact that you ignored it means that you did not take needed and necessary steps to protect your property.
You need to read the registrar's terms of service and legal agreement that you agreed to. I am familiar with most of the major registrars and they all specifically cover this situation (basically that the onus is on you to protect your services). The registrars do this to protect themselves from lawyers.
The only realistic course of action is for you to register a new domain name, sad as that may be. Or pay the hostage fee to whoever took the domain name which will probably be in the thousands of dollars.
I wish you luck.
Last week, requested a KVM on a new dedicated server so I could install a custom OS. Datacenter monkeys plugged KVM into another client's server, giving me terminal access. Almost formatted the drives, only noticed when there were non-standard services booting up like Asterisk, etc. Close call for the other customer, and I can guarantee that my provider won't even bother contacting him to warn him about the potential breach.
We've been combating similar schemes in other externally originating services (ex: stealing domains) for years. Is anyone shocked that people are phishing access to cloud computing accounts?
When your resources are internal and set up properly, a bad guy has to first defeat your physical security before they can even start trying to defeat your software security. Requests for access coming from the outside are immediately suspect. But in "the cloud", *every* request is an outside request, and the service provider has to manage multiple realms with completely different access while maintaining the lowest possible cost *and* a healthy profit margin. Fails like this are inevitable.
As someone else said, stop trusting other people to manage your servers. To which I add: The value of your data probably exceeds any damages you could possibly get out of the service provider. It's a sucker bet.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
It's helpful to register trademarks on your important domains, if they're unique enough. This means a quick win in a UDRP proceeding, and gives you the option of suing anyone who ended up with your domain. It's about $400 per domain.
More importantly, own your domains. If WHOIS doesn't have your name and address in "Registrant", you do not own the domain. You're just renting it from somebody. Your hosting provider should never have their name in there. This really matters when there's a dispute. Deal directly with your domain registrar. Do not deal with them through a hosting service.
"Private registration" works the same way. The "private registration" service owns the domain, and you have a contractual relationship with them, at best. See what happened when RegisterFly went bust.
This doesn't seem difficult to me. You have a month's free hosting. That's the time window you need in order to find new hosting and make sure the transition goes smoothly.
You should also post descriptions of your experiences in relevant forums like webhostingtalk.com and hostingdiscussion.com.
Failure to identify the business that failed you is as selfish and cowardly a thing as can be done. And to have the nerve to ask for help from us while exposing us to such a loss is insulting beyond belief.
I used to work for your host's primary competition, and while they have been bought up and chopped to pieces, their terrible approach to customer service is the stuff of legends.
The Random Reboot Lottery was an hourly occurrence, as one poorly trained data center monkey after another went swinging from rack to rack pressing all of the shiny buttons. The Random Restore Lottery was a daily thing, as the same reboot monkeys removed the hard drives from the wrong machines and replaced them with default images. Of course the removed drives were never checked for data or media issues, simply reformatted with the default image and put in the queue to fail again and cause some other customer hours of frustration.
I wouldn't make any decision based on that, as any user can add tags to a story.
... if you don't give enough details like the name of the hoster, dates of events, what domains were transferred, yada, yada, yada. You know if you took this to a lawyer (the best thing to do, really) they need all this info and more. If you want us to help, we need it, too.
now we need to go OSS in diesel cars
Let me preface this by saying I work at a company (http://www.edgewebhosting.net) that directly competes with rackspace.
Check your Service Level Agreement (SLA). They are usually not too hard to read, as they are often used as a selling point to people (that said, get a lawyer if you want to get hot and heavy with them). Usually the SLA will say something like this (which is from our SLA):
Our Guarantee: If your ability to send and receive traffic is impacted for more than 30 minutes, we will credit your account 1/30th of the monthly fees for each 30 minutes of downtime - up to one full month fees in a given billing period for the affected server(s) or service.
A month and a half of hosting under those terms is pretty comparable. That said, I would recommend switching hosts. Someone gamed their support to get access to your account. Their support mindlessly (or fanatically if you prefer) went and turned off your domain without verifying what was going on.
Simple. If someone transferred a domain from you, that's theft or at the very least fraud. Go call the local wallopers and get them onto it. Once that's all done and dusted, I'd be looking for a bigger cloud provider. You get what you pay for. If you want penny dreadful providers, you get crap insecure service. :( Sucks
...but maybe it's time to get off the fucking cloud.
Really, slashdot, you're going to ask slashdot? Here is what you should do:
1. Grow a pair.
2. Call a lawyer, and file a lawsuit for negligence.
First of all, assess the damage. How much time has it cost you to rectify the situation? Have you got your 2 domains back? If you can come up with a reasonable figure for the time and any commercial damage that has been done, set that against the cost of "lawyering up".
If you asked for this amount, I would expect your service provider would interpret it as the opening round in a negotiation and eventually you'll probably end up with about 50% of what you ask for. So make sure you've included everything in whatever you think you're due. Add on to that the time it will cost you to negotiate a fair settlement.
The only time it's worth the time, trouble and potential cost of involving a third party (who will probably take as much of your time as you'd spend reaching a solution on your own and will almost certainly earn much, much more from this than you'll ever receive: possibly from yourself - and double that for the other guy's lawyer, if you lose) is if you get stonewalled, or counter-sued. If you can possibly reach an agreement without involving others, you stand to get the fastest and most satisfactory outcome. Remember, this is not a money-making opportunity.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
1. If you actually had this experience, I expect you will let us know the outcome.
2. At some point after legal consultation, I expect you will reveal the name of your host unless they provide a significant settlement based on keeping your lip zipped.
3. Do you really think any cloud service is more secure?
"I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had"
Hmmm. I'd say you were duly notified and chose to ignore the built in security mechanisms. This will make any legal case pretty tough.
Hard to give great advice knowing nothing really... so either get an attorney's advice or take your lumps and move on. They did catch their mistake, so this might have just been an isolated event and not a matter of routine sloppiness.
Hopefully you'll learn a lesson from this as well. Treat those types of emails very seriously, and contact the host asap.
Clearly you didn't, since it's in the title of one of the submenus on that front page.
Or you have a retarded definition of "every" or "link".
1 DID YOU GET YOUR DOMAINS BACK??
2 did you lose any data??
the absolute lowest you should accept is
1 their offer
2 your domains back
3 an actual physical letter detailing how they will be preventing this from ever happening again (i.e. you set up some sort of secondary password and/or you get a phone call before any change of that type gets processed).
4 any data lost gets restored from the last backup FOR FREE (assumes they have backups) or you add X more days to your freebie time
other than that they have lost your account
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Talk to a lawyer, you fucking idiot. Who else can tell you best what to do?
I don't think you need a lawyer - yet.
You are in a negotiation. The company has made you an initial offer - the half-month free hosting - and that initial offer has a dollar value associated with it.
You have been inconvenienced, and it took time to rectify the problem. Your inconvenience and time also has a dollar value associated with it. So what is it?
I would work out the value of what you lost, add 20% for general hassle costs, and present that as a counter-offer to the company.
I would also work out the minimum value for which I would settle. It's less than getting everything I want (which you might get) but enough to counter-balance the additional hassle of hiring a lawyer and all those extra expenses.
Then negotiate. If they present an offer that is above your settle value, take it. If they don't, THEN you call the lawyer. Not only is this likely to arrive at a mutually agreeable solution without lawyers taking a cut, if you do wind up hiring a lawyer, you give him more to work with "my client made a perfectly acceptable counter offer and you refused it" etc.
Lawyers can be a useful tool, and sometimes they are necessary, but a reasonable negotiation can also work. You just need to understand your position first.
DG
Hey here's the keys to my Porsche because I know you won't drive it when I'm gone *WINK WINK*
"If any question why we died, Tell them because our fathers lied."
Depends on the size of the company and if you can convince the lawyer to do it on his own dime. He could then subpoena customer records and inquire if anyone else has had security issues. How did the security problem happen and how could it have been prevented? No matter what the shrink wrap service licence says there are implied minimum standards and expectations. If people aren't getting what they think they are paying for then it should merit a class action.
Just this act might make it worth it to you to pay the lawyer yourself. Maybe $500 or $1000. It would get the company's attention. You would have their complete customer list and be emailing all their customers past and current asking for people to come forward with security issues. Just that act would bring awareness of the issue to other customers and have them asking the provider about security and guarantees.
The company will talk to you before they hand over customer records. You can likely negotiate to pay your minimal legal costs and to work with you and actually fix their security procedures. You might even be able to get a couple grand compensation in exchange for working with you to fix THEIR security issues.
Another thing you can do is write senators and congressmen and bring attention to the issue. Suggest a minimum penalty that companies are liable for, like $500 or $1000. Something that would make companies pay attention and not sacrifice security for convenience.
What the hell is a "cloud" server anyway?
The amount of clients I've worked with that have this "timeline" for their internet presence is disturbingly high:
1. Discover the internet is important to sales
2. Spend 400 man hours discussing what the domain name should be
3. Spend 5 minutes on Google finding a website designer
4. Allow designer to sell you a hosting package and do all that technical stuff, like registering domain names and setting up DNS servers.
5. Wait 12 months
6. Decide they want to move hosting of "their" domain
7. Spend 400 man hours trying to work out how to "regain" ownership of "their" domain.
In my mind this is the same process:
1. Discover cars are important to sales
2. Spend 400 man hours deciding what colour the car should be (yellow)
3. Spend 5 minutes at a car lot and buy a yellow coupe for your family of 6.
4. Allow the car salesman to sell you the upgraded everything and do all that technical stuff, like registering the car (in the yard's name)
5. Wait 12 months
6. Decide you want to sell "your" car
7. Spend 400 man hours trying to work out how to regain ownership of your car.
Why is the second example ludicrous and the first commonplace?
And yes, I'm blaming the victim here.
It's naive to believe they will lift a finger to even acknowledge, much less recover, your pilfered goods. Gone are the days of cruising over to the Cerfnet cave to mingle with clairvoyant IOSmiths & tweak the 4k to perfection. They will respond to your legal actions & your payments, otherwise you don't exist. I lost a couple of domains I had for 10 years in the same manner as you... just as soon as they had enough street value to be worth the effort to lift. And it was very little effort! Response from Verislime/Network pollutions? Guess. Internet insecurity is the rule, not the exception. You just gotta play the numbers & hope for the best.
There are supposedly straight dealing ISPs such as "no bullshit" Gandi, I've yet to find one. Gandi is the same or worse than any I've dealt with, just better at hiding it. Dig a little deeper, take a peek at the flimsiness of their back-end ops, biz/support process & policy... no bullshit leaves the property is more like it.
Most get away with it cuz things work ok most of the time--as it was all automated by that guy with the ponytail in the corner over there a long time ago, & most people don't know any better. It's tempting to wish to believe these orcs have your best interest in mind--after all you are the guy who sprinkles the road with power pills for them to gobble gobble gobble. However, think about the motivation for becoming a DNS dealer. You need perhaps 2U of rack space, an 80 hour/week sysadmin, and low paid folk to answer the phone--the rest is gravy. Or so they are told as they swindle their clients down the river with re-assurances and paper over their crumbling foundations.
These folk be not your friend. Think cloud... of locusts.
Good luck brother.
Don't store personal stuff on the "cloud server" (?) would be the obvious choice for me.
RackSpace in general is a great provider - I personally have never had any problems with their service. I'm not speaking to all their products (I set up and manage a managed cloud account for the company I work for), but this was in our ToS: 17. LIMITATION ON DAMAGES. Our obligations to you are defined by this Agreement. We are not liable to you for failing to provide the Services unless the failure results from a breach of this Agreement, or results from our gross negligence or willful misconduct. The dollar credits stated in the Service Level Agreement are your sole and exclusive remedy for unavailability of the Services. Neither of us (nor any of our employees, agents, affiliates or suppliers) is liable to the other for any lost profits or any other indirect, special, incidental or consequential loss or damages of any kind, or for any loss that could have been avoided by the damaged party's use of reasonable diligence, even if the party responsible for the damages has been advised or should be aware of the possibility of such damages. In no event shall either of us be liable to the other for any punitive damages. Notwithstanding anything in the Agreement to the contrary, except for liability based on willful misconduct or fraudulent misrepresentation, and liability for death or personal injury resulting from Rackspace's negligence, the maximum aggregate monetary liability of Rackspace and any of its employees, agents, suppliers, or affiliates in connection with the Services, the Agreement, and any act or omission related to the Services or Agreement, under any theory of law (including breach of contract, tort, strict liability, violation of law, and infringement) shall not exceed the greater of (i) the amount of fees you paid for the Services for the six months prior to the occurrence of the event giving rise to the claim, or (ii) Five Hundred Dollars ($500.00).
First, I'd treat this like any data breach. Regain control of your accounts, change all passwords, restore from good "clean" data. Secondly, I'd find another cloud hosting platform and move off whoever you're with now. Once all that work is done, consult your lawyer for possible legal action. I'm sure if he waves around negligence, etc. and how much you spent to do this work, plus costs for himself, and other damages you'll probably get something. No matter how they got into your server it's still a data breach. How does that affect your business?
I think this sort of slipshod reassignment of access credentials happens far more than we hear about it. I had GoDaddy do something similar to me once. I had registered the domain for a startup of which I was a co-founder, and held it in an account with about 20 other domain names I use for various other purposes, that had nothing to do with that business. When I left the firm, they asked GoDaddy to transfer the name to them, and instead, GoDaddy gave them control of my entire account, which had existed for years longer than that company had.
If I had been a consultant of some sort holding names for multiple customers, it probably would have been a breach of multiple contracts. Trying to get them to talk to you after they've handed your account to someone else is a Kafkaesque ordeal, because their presumption is that you're not the owner.
To add insult to injury, GoDaddy's terms of service (the last time I checked) included a clause that allows them to deny you service simply for posting critical commentary about them or their service, so I suspect you would never see blog posts about it until after people had transferred to another registrar.
Having to completely reinstall the server because of possible back doors left by the "thief". Business value of the domains stolen. These are most definitively damages that are a direct result of the fact that they let a stranger on his cloud server. Possible damages include lost revenue that can be proven by either actual cancellations and possibly statistics, monetary equivalent of lost reputation (reduced business income) and overhead costs like legal fees, time taken to sort out the incident and such. Even if you only take 8 hours to reinstall the server at a modest rate of $50/hour you are looking at $400 in damages. I doubt you'd be paying much more than that for an average cloud server for a whole year, so the settlement offer they give is nowhere near your costs and what your claim should be.
I was promised a flying car. Where is my flying car?
Sue them?
The signer of the document made a false statement. Located in Canada, she (Natale Waboose) can be charged with uttering a forged document, fraud, and interfering with a computer. (I am not looking up the sections of the Criminal Code or their correct name.)
Regardless of who owns the site (learning-together.ca), one can't gain access to an account and transfer on their own.
Rackspace really blew it this time.
Domain names are *always* going to be in the hands of someone else...
I've just waited for a submission like this since the cloud craze started. Look at the real life examples: You lend out a book/toy/power tool/whatever and despite all those promises you've got you get it back in a bad shape or not at all, sometimes because it has been passed on to yet another person you don't know.
Do people actually believe it would be different with their data/processing power? Common sense says no, but usually common sense doesn't seem to be as common as the phrase implies.
So, as a rule of thumb: Don't give something out of your hand if you can't afford to lose it. That's the same with privacy (Facebook), your data/processing power (cloud hosting/software as a service) and maybe many other things.
So you did so and got burned because of a FUBAR in the cloud hosting's administration/business processes (note that it wasn't a computing failure/security leak but a human failure)? Terminate your contract, call a lawyer, see it as a valuable lesson.
First I want to say that too often when I hear these stories the writer hasn't really told the entire truth, or provided only those facts which support their claim of injury. In this case, I must wonder why a hosting company would provide some random person with access to your account. Who was it they gave access to? If it was a contract developer, former employee, or ex-partner with whom you are now having a dispute, but who you provided access to previously, then maybe their decision wasn't quite so audacious. How clearly "yours" were those domains and why wasn't anything else stolen? Most importantly, what do you want? If a half month of domain service isn't sufficient, what would be? Have you asked them for that?
I've had several issues with my hosting provider over the past 8 years. I don't think I've ever accepted their first offer. I always think of the first offer as "the least they can do" to make me happy. It costs you nothing to tell them what you think is "the most they can do" to make you happy, and then negotiate something satisfactory that everyone will consider a win-win.
That said, if you really really do have a legitimate claim and the hosting company won't give you fair compensation, the idea of going to a lawyer about this is just plain stupid. It'll cost you a lot more in time and trouble than it's worth. Secondly, posting a bunch of barely believable crap about a company that has thousands of other happy clients won't accomplish much. There are much simpler ways to deal with it. I hesitate to share this with someone who probably is just pissed off because someone he has a dispute with outsmarted him. None the less, here's what you do. Sue them for some trivial amount of money in small claims court where you don't need a lawyer or great legal expertise. Chances are, the hosting provider is out of town and will need to hire some local gun to show up, and he'll charge them a ton of money for that. If you're really really pissed and want to drive them insane, do what lawyers call "paper the case"... obtain a subpoena for relevant information that will probably take forever for them to compile, like a copy of every domain transfer for the past 5 years to establish whether this instance is unique. No matter what they send you, subpoena something else. Drive them nuts with it until they agree to give you what you want. But, remember this, you'd better have a legitimate case or you could end up paying their legal fees.
What host did this?
Move to GoDaddy. Nice advertise!
Change Providers. Call a Lawyer. Call the Police (after talking to the Lawyer and with his advice).
Did you get your domain back?
Just tell them when word of their antics gets out, their business reputation will be ruined. Who would be able to trust a business with their data who blindly resets your password without a valid confirmation? A bad reputation has killed more businesses...
This was Amazon, they have done this to me as well.
Rackspace has a TOC or whatever that you agreed to when you signed up for their service.
I doubt they haven't covered their ass on this one, and I doubt that you are even aware of the content of the contract which you freely and willingly entered into and agreed to. If I am incorrect on these assumptions, I apologize for them, and the following remarks based on these assumptions.
Live and learn, real professionals, real business people, they actually bother to read and comprehend the contracts and contents of them which they have entered into.
And don't trust /. for advice on something like this, as the geek bias level here is not based on the legal reality, as is evidenced by the majority of posts which place the blame on everybody but you.
Not that I don't sympathize with you, I really do. Chalk this one up to a very valuable lesson as to how to properly conduct business, and count yourself *extremely* fortunate that you did not learn this lesson with serious consequences. You've got off easy, be grateful and sleep sound knowing you won't make the same mistake again.
Go. In the words of Yolanda (?) in Pulp Fiction, execute their muttha-fucking asses. Frag 'em. Got the general idea?
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"