Slashdot Mirror


Ask Slashdot: My Host Gave a Stranger Access To My Cloud Server, What Can I Do?

zzzreyes writes "I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had given a person full access to my server and revoked it, but not before 2 domains were moved from my account. I logged into my account to review the activity and found the form the perpetrator had submitted for appointment of new primary contact and it infuriated me, given the grave omissions. I wrote a letter to the company hoping for them to rectify the harm and they offered me half month of hosting, in a sign of good faith. For weeks I've been struggling with this and figure that the best thing to do is to ask my community for advice and help, so my dear slashdotters please share with me if you have any experience with this or know of anyone that has gone through this. What can I do?"

11 of 176 comments (clear)

  1. Talk to a Lawyer by eldavojohn · · Score: 5, Interesting

    That's it. That's the truth and that's how 99% of ask Slashdot answers start and end. It's good advice. Everything that follows hereafter is my own, uneducated, horseshit assumptions on how things (should) be.

    It wouldn't hurt for you first to read up all that legalese you agreed to when you first entered into a "business contract" with these guys. I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property. And by clicking a checkbox at the end of this fifteen million word tome, you agree not to hold them liable.

    Go ahead, I bet it's in there and I've never even read one of these things myself. Which, don't lose heart if it is, a lawyer can probably sacrifice a few kittens, babysit the judge's nephew for free and come out with some sort of "unreasonable burden" to parse that whole thing upon completion of the transaction. I don't know, I know that people are slowly starting to become more reasonable about massive ToS documents.

    Lawyers cost money, I have no idea how much money this lost you but sometimes it's not worth fronting $5,000 for a lawyer when $500 is at stake. What I would do is send them another message saying you find their consolation gift unacceptable and you're moving all your business away from them. Then I would do that. Then, I would simply write up a detailed account of these events with a tl;dr of "got F'ed in the A by XYZ Inc" and just go out and drop that on every single forum and review site you can find for domain names and hosting. Why not hit the Better Business Bureau while you're at it? Then I'd let those ferment and field questions in my free time because, hey, revenge releases a special kind of endorphin, right? Then you could be done with it or you could just send them endless requests for reimbursement with the fallout being more zero star reviews and a possible visit from your non-existent lawyer. And why not? They deserve the reputation they have exhibited to you.

    And whenever I go off and do something like this and I get sick of the effort, I justify everything by imagining that if I don't do this they'll just screw over god knows how many other customers. So you're doing a public service.

    --
    My work here is dung.
    1. Re:Talk to a Lawyer by Anonymous Coward · · Score: 5, Informative

      I agree that you need to talk to a lawyer, and I am coming from experience since I am a lawyer. My gut reaction is that unless you actually sustained tangible damages (such as loss of business revenue, harm to your business reputation, or having to pay out of pocket expenses to clean up the mess created by the host) you probably don't have much legal recourse against the host. However, depending on the state where you live and the state where the host is located, there may be consumer protection or privacy laws that provide for statutory penalties of some amount for acts such as this.

      I practice law in Florida, and I get similar inquiries quite often and my first question is generally "what have you lost?". If all you suffered is your own disappointment and frustration with the company, it is not going to be worth the time or effort for you to keep dealing with it. Don't use the company anymore, and feel free to report them to whatever consumer protection agency you feel. But be warned that you should never exaggerate the facts, as I've also seen consumers sued by companies alleging defamation when the customer sprinkles some fantasy in with the truth. Don't put yourself on the wrong side of a lawsuit, because chances are the company will have the resources to sue you and you would be left paying out of pocket to hire an attorney to defend you.

      My advice? Talk to a lawyer just to see what your options are. But don't let your emotional response govern over good sense.

    2. Re:Talk to a Lawyer by Anonymous Coward · · Score: 5, Interesting

      The threat of a suit has considerably more weight when it arrives on letterhead from a law office.

      But all that aside... TELL US WHO THE PROVIDER WAS!

    3. Re:Talk to a Lawyer by PCM2 · · Score: 5, Informative

      When you visit a lawyer for the first time, you shouldn't be doing it with a mind to threaten a lawsuit. You're going for advice. You probably have some kind of contract that governs your relationship with the hosting provider. You might not have had a lawyer read it before you signed it; do that now. Then you can ask exactly what the hosting provider may be liable for, and where they may have effectively covered their own asses. If you do think you might want to threaten a lawsuit, it's important first to know whether you have a leg to stand on.

      Empty threats to sue may sound like hot air. A letter on an attorney's letterhead that specifies the ways in which the hosting provider is in breach of contract will probably be taken seriously. And 90 percent of the time, the issue will be resolved before it ever gets to court. Nobody wants court.

      Also, don't assume this process will lead to you getting absolutely everything you think you deserve. Have some sort of minimum compensation in mind that would allow you to walk away feeling like you've had some justice. Your lawyer will help you figure out this number, too. Negotiations can proceed from there.

      But if you won't be happy until the hosting provider is well and thoroughly punished for what they did, you will probably walk away disappointed. Especially if they're a public company, you're not going to be able to shame them into giving you what you want. The civil legal process is there to determine what you may be owed, legally. It's not there to exact vengeance for you. In fact, you'll sleep better at night if you just let that go.

      Really, I think the most important thing here is to begin the process of moving to a hosting provider that will give you better service. Everything else is secondary. In fact, I would skip the "negative publicity" part, except in private. Particularly if you're investigating legal options, trash-talking the hosting provider publicly before proceedings begin could work against you. It could even become the source of a counter-suit.

      --
      Breakfast served all day!
  2. Tell us who it was. by characterZer0 · · Score: 5, Informative

    If it was my provider, I'm leaving.

    --
    Go green: turn off your refrigerator.
    1. Re:Tell us who it was. by Anonymous Coward · · Score: 5, Informative

      I'd suggest checking the submission tags; there might be a clue there.

    2. Re:Tell us who it was. by dubl-u · · Score: 5, Interesting

      Sure, but it makes it an understandable mistake on the part of Rackspace. And if the company gave Rackspace some documentation that the poster was buying the name on behalf of Learning Together, then the transfer may have been proper.

      More importantly, though, it puts the poster in a different light. He concealed material facts in his summary, and on the face of it trying to hold on to a client's domain is shady. It makes me wonder what else he's hidden.

  3. If you value security and your data by mrsam · · Score: 5, Insightful

    Your provider has de-facto admitted that they messed up. These things happen. The only question is whether they would truly respond in a professional manner. If they do, and they agree to the following, do the following, and move on. Contact them, and request them to:

    * Provision a new virtual host for you.

    * You will copy all your existing data into your new virtual host, using your own copies of whatever you use the host for. You do have your own copies of everything, and you don't trust the host with the entirety of your data, right?

    * For convenience, I think it's ok to copy some data directly from your compromised host, provided that you're comfortable with whatever verification steps you deem are necessary to certify that it hasn't been tampered with. Data, no code.

    * When your migration is complete, your provider will swap in your replacement virtual host in place of the compromised one, which they'll decomission.

    Of course, for the duration of your migration, your host will not charge you for the second virtual host. You might consider negotiation with your host for an additional discount, as compensation for the work you have to do as a result of their security breach. I think that free hosting for however long it takes you to migrate, that is, no charge for the new virtual host, and billing suspended for your compromised host, would be fair. If that's the two weeks they're already willing to give you, then that's that.

  4. And people wonder why I'm against the cloud. by Paleolibertarian · · Score: 5, Informative

    As long as your data is out of your hands it is extremely vulnerable. The hosting company only cares about the money you pay them and little else. If they're hacked, too bad. If they're servers are down, too bad. if the justice department comes with a request, all your data belong to them. Host your own systems on your own property and make your own "in-house" backups. The cloud by definition is vaporware.

  5. You have few options... by Tolvor · · Score: 5, Interesting

    I used to work at a major domain name registrar before I went into business for myself. I have heard of dozens of cases like yours, and in short you are toast.

    Scammers look for valuable domain names that are in vulnerable accounts that have public emails addresses on free email servers (hotmail, gmail, yahoo, sbcglobal, comcast...) and that can be registered. Or it can be an old phone number that can be used, or some simple paperwork that can be faxed in that the scammer has access to.

    The registrars try to protect the domain name and send out warning emails that major account changes are occurring. If those emails are ignored and the domain names get transferred out, it is too late. It is unbelievably difficult (ICANN dispute) to reverse a transfer and force a domain name back once that transfer has finished.

    You ignored the email, so unfortunately it is your own fault. Just as it would be your fault if you ignored an official notice that you are required to show up for jury duty thinking it was spam, and afterwards get fined or arrested. Just as if you ignore the car alarm going off in the parking lot as a false alarm and in fact your car was jacked does not mean the alarm company is at fault. The fact that you ignored it means that you did not take needed and necessary steps to protect your property.

    You need to read the registrars terms of service and legal agreement that you agreed to. I am familiar with most of the major registrars and they all specifically cover this situation (basically that the onus is on you to protect your services). The registrars do this to protect themselves from lawyers.

    The only realistic course of action is for you to register a new domain name, sad as that may be. Or pay the hostage fee to whoever took the domain name which will probably be in the thousands of dollars.

    I wish you luck.

  6. Re:Protecting the guilty to trap the innocent? by Tacvek · · Score: 5, Informative

    The tag was applied by the submitter. See the Original submission and notice the link to the original source, which is a letter the submitter wrote to Rackspace about this incident.

    --
    Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524