Ask Slashdot: My Host Gave a Stranger Access To My Cloud Server, What Can I Do?
zzzreyes writes "I got an email from my cloud server to reset the admin password, first dismissed it as phishing, but a few emails later I found one from an admin telling me that they had given a person full access to my server and revoked it, but not before 2 domains were moved from my account. I logged into my account to review the activity and found the form the perpetrator had submitted for appointment of new primary contact and it infuriated me, given the grave omissions. I wrote a letter to the company hoping for them to rectify the harm and they offered me half month of hosting, in a sign of good faith. For weeks I've been struggling with this and figure that the best thing to do is to ask my community for advice and help, so my dear slashdotters please share with me if you have any experience with this or know of anyone that has gone through this. What can I do?"
That's it. That's the truth and that's how 99% of ask Slashdot answers start and end. It's good advice. Everything that follows hereafter is my own, uneducated, horseshit assumptions on how things (should) be.
It wouldn't hurt for you first to read up all that legalese you agreed to when you first entered into a "business contract" with these guys. I'll bet that they say somewhere in there that they are not liable for any illegal or unauthorized access/control/etc of your domains and property. And by clicking a checkbox at the end of this fifteen million word tome, you agree not to hold them liable.
Go ahead, I bet it's in there and I've never even read one of these things myself. Which, don't lose heart if it is, a lawyer can probably sacrifice a few kittens, babysit the judge's nephew for free and come out with some sort of "unreasonable burden" to parse that whole thing upon completion of the transaction. I don't know, I know that people are slowly starting to become more reasonable about massive ToS documents.
Lawyers cost money, I have no idea how much money this lost you but sometimes it's not worth fronting $5,000 for a lawyer when $500 is at stake. What I would do is send them another message saying you find their consolation gift unacceptable and you're moving all your business away from them. Then I would do that. Then, I would simply write up a detailed account of these events with a tl;dr of "got F'ed in the A by XYZ Inc" and just go out and drop that on every single forum and review site you can find for domain names and hosting. Why not hit the Better Business Bureau while you're at it? Then I'd let those ferment and field questions in my free time because, hey, revenge releases a special kind of endorphin, right? Then you could be done with it or you could just send them endless requests for reimbursement with the fallout being more zero star reviews and a possible visit from your non-existent lawyer. And why not? They deserve the reputation they have exhibited to you.
And whenever I go off and do something like this and I get sick of the effort, I justify everything by imagining that if I don't do this they'll just screw over god knows how many other customers. So you're doing a public service.
My work here is dung.
If it was my provider, I'm leaving.
Go green: turn off your refrigerator.
Your provider has de-facto admitted that they messed up. These things happen. The only question is whether they would truly respond in a professional manner. If they do, and they agree to the following, do the following, and move on. Contact them, and request them to:
* Provision a new virtual host for you.
* You will copy all your existing data into your new virtual host, using your own copies of whatever you use the host for. You do have your own copies of everything, and you don't trust the host with the entirety of your data, right?
* For convenience, I think it's ok to copy some data directly from your compromised host, provided that you're comfortable with whatever verification steps you deem are necessary to certify that it hasn't been tampered with. Data, no code.
* When your migration is complete, your provider will swap in your replacement virtual host in place of the compromised one, which they'll decomission.
Of course, for the duration of your migration, your host will not charge you for the second virtual host. You might consider negotiation with your host for an additional discount, as compensation for the work you have to do as a result of their security breach. I think that free hosting for however long it takes you to migrate, that is, no charge for the new virtual host, and billing suspended for your compromised host, would be fair. If that's the two weeks they're already willing to give you, then that's that.
As long as your data is out of your hands it is extremely vulnerable. The hosting company only cares about the money you pay them and little else. If they're hacked, too bad. If they're servers are down, too bad. if the justice department comes with a request, all your data belong to them. Host your own systems on your own property and make your own "in-house" backups. The cloud by definition is vaporware.
I used to work at a major domain name registrar before I went into business for myself. I have heard of dozens of cases like yours, and in short you are toast.
Scammers look for valuable domain names that are in vulnerable accounts that have public emails addresses on free email servers (hotmail, gmail, yahoo, sbcglobal, comcast...) and that can be registered. Or it can be an old phone number that can be used, or some simple paperwork that can be faxed in that the scammer has access to.
The registrars try to protect the domain name and send out warning emails that major account changes are occurring. If those emails are ignored and the domain names get transferred out, it is too late. It is unbelievably difficult (ICANN dispute) to reverse a transfer and force a domain name back once that transfer has finished.
You ignored the email, so unfortunately it is your own fault. Just as it would be your fault if you ignored an official notice that you are required to show up for jury duty thinking it was spam, and afterwards get fined or arrested. Just as if you ignore the car alarm going off in the parking lot as a false alarm and in fact your car was jacked does not mean the alarm company is at fault. The fact that you ignored it means that you did not take needed and necessary steps to protect your property.
You need to read the registrars terms of service and legal agreement that you agreed to. I am familiar with most of the major registrars and they all specifically cover this situation (basically that the onus is on you to protect your services). The registrars do this to protect themselves from lawyers.
The only realistic course of action is for you to register a new domain name, sad as that may be. Or pay the hostage fee to whoever took the domain name which will probably be in the thousands of dollars.
I wish you luck.
The tag was applied by the submitter. See the Original submission and notice the link to the original source, which is a letter the submitter wrote to Rackspace about this incident.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524