#1
The email you have received from HostGator with information regarding the forced password update is in fact real. You can confirm this by hovering over the URL and seeing that it links to us at https://secure.hostgator.com/password_reset/
I have included more information in this post about why we did this and why YOU SHOULD NOT change your password back to what we had on file. We have over 150 employees currently and have had dozens and dozens more come and go over the years. We had one employee, who is no longer with us, from a few years ago that we are in the process of suing. He will be served in the next few days. He was operations manager of HostGator for a brief time period and could have very easily taken a username / pw list home from the billing system. We don't have any evidence that he did this, but at the same time we can't say 100% that he didn't. I don't believe it's worth the risk any longer, especially knowing he's most likely going to be pretty upset about being served.

We had another employee that got another job and decided, before telling us, that he was going to do some damage. He logged into our ticket system and closed all the tickets in the queue. While we don't have any reason to believe he ever created a list of usernames / pws, we can't rule out this possibility. I just got word that this ex-employee is in the process of being prosecuted by the DA for this malicious attack. Again, it's just not worth taking the risk knowing that there's a small chance he could have a pw list.

We recently had to let a very trustworthy / hard-working remote employee go. She worked for us back in Florida for years and wasn't able to relocate with us to Texas. We kept her on as a remote employee since she was unable to relocate. Just recently we discovered that the computer she was using to log in with had a trojan on it. We don't believe her hacked machine ever gave out any customer usernames / pws, but again we can't positively say it didn't. Due to this security breach of her machine we gave her the choice of either moving to Houston to work in-house or being let go.

Not too long ago we allowed many employees to log in to the ticket system / billing system from home using a VPN. It's very possible one of their computers could have been trojaned and someone was building a username / pw list. We have no evidence this ever happened, but it's very possible, as slim as it is. I could go on and on about different incidents that could have resulted in an intrusion that we never became aware of. It's that unknown that keeps me up at night! The billing system we currently use just isn't safe with passwords displayed. I repeat: DO NOT change it back to what it was!!!!! If you do and you get hacked, don't blame the gator!

The new billing system we are about to deploy will never display a customer's full password to employees. This will help protect you from a HostGator computer ever getting hacked as well as any ex-employees looking to get "even" with us. Our systems have been locked down with only office IPs being allowed access. We used to allow employees access from home back when we were smaller. Modernbill had a major exploit years ago that would have allowed a hacker to view all usernames and passwords. We patched this the same day it came out, so there's no need to worry about this particular incident, but what if there was another 0-day exploit that hasn't been discovered? It's just not secure having passwords in plain text without encryption as Modernbill does now. I'm sorry for the lack of notice on this update, but if someone out there did happen to have a list, the last thing you would want to do is give them a warning. I also apologize about some of the confusion that resulted from customers on the first few servers being updated. Thanks for reading all!
__________________
Gators love marshmallows.
Last edited by GatorBrent; 05-23-2008 at 11:54 PM.
#2
Instead of the thread that was stickied, which has 50+ (and growing) posts and a wide variety of reports and opinions, how about a simple bulleted list with instructions to handle the situation as it now exists?
The references to "old" and "original" cPanel passwords are very confusing, as are the concurrent mentions of both billing systems and billing passwords. The whys are in the sticky, this announcement, and the other thread, and are interesting, as are the opinions, but they get in the way of determining a cogent course of action. Thus, a simple HG-issued list of what to try first, what to do if that doesn't work, what to do then, and what this affects would be most useful (and perhaps more appropriate as the single sticky, with other threads reserved for opinions, background, etc.). That might get everybody on the same page (HG and customers) about how to proceed.
#3
Great point! Would it be possible to help me with this? Thanks!
__________________
Gators love marshmallows.
#4
With respect, you are asking your customers to help you figure out how to solve the mess you created for your customers?
How are we supposed to know the correct steps to take? Would it be possible for HOSTGATOR to help me with this? Thanks!
#5
galiel, sometimes HG is too close to a situation to say things in the way it's easiest for customers to understand. I'd expect the step-by-step list will be issued shortly.
#6
We hope this step-by-step list makes your part of the change as simple as possible.
1. Visit https://secure.hostgator.com/password_reset/
2. If this is successful, the page will display your new password to log in to your FTP / cPanel. Please make sure to enter the email address and password you originally signed up with. If you can't remember this password, you can find it in the welcome email you received upon joining.
3. If this is not successful, no password will be listed.
4. If the reset form still doesn't like the information you're trying, contact Live Chat. Once we verify it is in fact your account, we will provide you with the correct information to put on the form and help you to obtain your new password.
5. If you continue to have problems and can't log into the support system, notify support by email (mailto:support@hostgator.com).
* On the first few servers we did, customers received the wrong name in the email that was sent out. This was due to a wrong variable in our script, which we quickly corrected.
__________________
Gators love marshmallows.
#7
Hi Brent,
Will this forced password change apply to all shared customers? If so, do we wait until we receive the notification email, or can we go ahead and do it now via the link you posted? Thanks for your help. Take care, Keith
#8
It only applies to customers who have never changed their password since joining. We estimate the script will be done running in about 14 hours' time. If you are concerned about waiting, you can log in to your cPanel and change it on your own to a password you feel is secure.
__________________
Gators love marshmallows.
#9
Thanks for the update, I'm sure most customers will understand.
Just one question (possibly a dumb one!): I have been given a new password via the link. How do I change this? I want to put in a strong one, but one I will remember. Thanks
#10
Thanks for the clarification Brent, much appreciated.
Take care, Keith
#11
Hi Brent,
Does this then also apply for the resellers, or not? And when we change the cPanel password, will this also change the billing and WHM password? And where do the customers have to change their password? Many thanks already. Gr, Tom KH
Last edited by Tom-KH; 05-24-2008 at 04:29 AM.
#12
Also, I didn't receive anything about the warning via my e-mail?
__________________
Enjoy Being a HostGator Customer
Last edited by OneManShow; 05-24-2008 at 05:06 AM. |
#13
This also applies to resellers' main accounts, but only if their password was the same one that was in our Modernbill billing system.
No matter if we changed your password yet or not, you are welcome any time to log in to your WHM or cPanel to change your password. Even after we change your password you're welcome to log in and change it to something different that you'll remember yet is safe. The only thing we don't want you to do is change it to the password that has been in our billing system. We will not be updating the passwords in billing until we are migrated to the new billing system we've been working on. Modernbill is just too insecure, as I posted earlier. Any other questions?
__________________
Gators love marshmallows.
#14
What are the criteria for an acceptable password as defined by cPanel? All of the ones I want to use (and which are acceptable where I work, for my online banks, etc.) are being rejected.
I (and others) have asked this question more than once with no answer.
__________________
Many is the word that only leaves you guessing. I live for my dreams and a pocket full of gold.
#15
Reassure me that the email I received this morning and the posting on this forum... which sounds reactionary and less professional than I would have expected...
Brent - typically, a company would inform its customers of a potential security breach by snail mail and would enact an auto password change only after some period of notification. I can appreciate that you feel this notice would alert your potential hacker to action, but this *could* be mitigated through various inline intrusion detection platforms on the market that you might have put in place before the alert.
Last edited by GatorBrent; 05-29-2008 at 07:28 PM.
#16
Live Chat blew me off on this. Told me to send an email to sales.
If the process worked, fine, but when it doesn't I don't appreciate having to jump through all these hoops.
#17
Hmmm. Insecure billing and a potential that a disgruntled former employee may have a list of passwords....
Last edited by GatorBrent; 05-29-2008 at 07:28 PM. |
#18
It's a bother, sure, but I'd like to thank HostGator for the transparency. I can handle unexpected changes as long as I know why. I also like the fact they're taking a strong stance on the issue by forcing password updates.
They're in good company: last year three firms wrote us to explain they'd lost executive laptops with our personal information or had some other type of security breach. This is our world now. Also, I've been trying to convince my friends to update their passwords to something more complicated -- now they have to. And I can explain why in real-world terms that they understand. "A stronger password helps prevent your site from getting hacked" is too nebulous for them. "A former employee may have your old password" is something that really hits home.
Questions I have:
1. Originally, HostGator wouldn't let you start a password with a number. Has this changed?
2. The new passwords are all alphanumeric, but what about special characters? Does the HostGator system allow special characters like ^ or % or $?
3. When I need help, I have to email a username and password to tech support. Will this procedure be changed?
#19
Telling me and everyone that we should think about changing our password in a polite email is one thing. But taking it upon yourself that you're just up and going to change my pass just because you want to is not acceptable at all. That is not proper at all in the least.
__________________
█ Cut Above Host █ http://www.cutabovehost.com/ █ High Performance • Enterprise Servers • Premium Network █ Great packages - Great Support - All around swell company
Last edited by GatorBrent; 05-29-2008 at 07:28 PM.
#20
Could you please PM the details of your chat if you still have the transcript handy so I can make sure this is addressed? Also if you have a current open ticket I'd be happy to address that as well if you'll just PM me the information. Thanks.
__________________
Ford M., Systems Administrator Supervisor
#21
On top of that, the password change facility in cPanel now rejects perfectly good and secure passes with some nonsense about the word being found in a dictionary, when it was in fact a perfectly secure mix of letters and numbers. In my opinion this couldn't have been handled much worse. Not impressed.
#22
I am very pleased that HostGator was on top of this. As a business owner I would rather have a little inconvenience and be secure than get hacked and have to explain to my clients why all of their sites are gone - or worse. I was a little miffed, at first. But once I gave it some thought, I would have done the same thing. HostGator is becoming better and better.
Thumbs up!
__________________
Brad Penrod, Website Designer. Learn or teach something new each day, or what's the point?
#24
All they try to do now is keep the damage to a minimum and calm down their frustrated customers, even by CLOSING a thread for whatever reason, so that without any updates it won't keep the customers' attention on the infuriated customers who wrote their concerns. This is like the multiple post deletions of the last 2 weeks in the suggestion section, regarding the fact that HostGator should improve the supervision of its administrators and give better training to its staff ... All this is quite unacceptable...
P.S. Just remember, a few months ago, when many customers were able to see tickets belonging to other customers in the new ticket system...
Last edited by regentronique; 05-24-2008 at 10:55 AM. Reason: Adding a PS
#25
All of our technicians are verifying customer information prior to releasing any of this information. Can you please provide a chat transcript where this wasn't done via PM so I can review and address this if someone is not? Thank you.
__________________
Ford M., Systems Administrator Supervisor