  #251  
Old 05-27-2008, 11:20 PM
thetazzbot thetazzbot is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 13
Default Re: Forced password update!

Quote:
Originally Posted by digitaltoast View Post
May I suggest this starter guide to the internet? Let me know when you get stuck. Worth even less than that.
you sir [deserve a hug]

Last edited by GatorJamyn; 05-27-2008 at 11:46 PM. Reason: Keep it civil
  #252  
Old 05-28-2008, 12:39 AM
slapshotw slapshotw is offline
Veteran Croc
 
Join Date: Jun 2006
Posts: 5,163
Default Re: Forced password update!

Quote:
Originally Posted by thetazzbot View Post
if you go into cpanel and change your password
it changes the main user password for mysql.
An important point here--it may be better, in the future, to create a specific MySQL user for each specific application/use on your site, and not the main cPanel login information.
__________________
Follow me on Twitter! http://twitter.com/mrw
  #253  
Old 05-28-2008, 12:56 AM
gwyneth gwyneth is offline
Veteran Croc
 
Join Date: Sep 2006
Location: Apostle Islands, Lk Superior
Posts: 5,926
Default Re: Forced password update!

Can we at least all agree on this: that it is better to overreact on security than to underreact? That it is better to take action and risk a false alarm, than to take no action and get burned?

Particularly when it is other people's, or customers', security. (If asked, in the abstract, two weeks ago: "would you prefer a host firm that overreacted to security, or underreacted" how many people here would have chosen the latter?)

If we accept that, it's pointless to speculate about whether the HG move was necessary, or even whether it was overreacting.

The next set of choices are either, essentially, all off immediately, or any variation of advance request/notification.

If this were your ATM pin, which would you honestly prefer? And what about customers, who might go days, weeks or months without checking the email account which HG has on file for them? (Sure, it's their responsibility to change their email address if it's no longer operative...but I bet at least 20 percent of HG customers have an inaccurate one on file.)

Or imagine going away for a week or two and coming back to find a message from your bank...honestly, wouldn't most people prefer "we locked it immediately" than "there may be a problem until you take action"?

Last, the less you think HG knows about security, the better you should feel about this. If you had a building and the late night security guard noticed the alarm system was indicating an electric fire, wouldn't you rather s/he just turned off power than tried to troubleshoot it? Or worse, ignored it?

If you lent your car to someone, and the engine warning light went on, wouldn't you be upset if s/he said later, "I kept driving" instead of turning it off, just to be safe? Even if the motivation was to spare you inconvenience ("I didn't know what to do, but I did know you wanted it back by five.")

It's the big picture here that's important, and by comparison everything else is minor--no matter how valid.
  #254  
Old 05-28-2008, 05:54 AM
bodypainter bodypainter is offline
Hatchling Croc
 
Join Date: Nov 2004
Location: Sarasota, FL
Posts: 37
Default Re: Forced password update!

And now my posts are being deleted from the thread.

Why? I bashed no one. I asked a question that's 100% relevant to the topic (that remains unanswered to this day). I did conjecture the answer, but all evidence points to my being correct.

What's up with that?
__________________
Many is the word that only leaves you guessing. I live for my dreams and a pocket full of gold.
  #255  
Old 05-28-2008, 06:38 AM
pHRESh pHRESh is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 3
Default Re: Forced password update!

My two posts were either deleted or edited to remove completely unoffensive and wholly pertinent content. I have observed that, despite the best efforts of HostGator, our data remains insecure. I posted this observation in detail, along with a question -- not an insincere conjecture -- regarding the residual potential for a breach of security, and it was edited to delete the observation and question I wrote. I posted the response I received from Support, which blatantly ignored my reference to this situation and attempted to shift to me the culpability for vulnerability, and it was deleted.

I realize that, given the propensity for censorship in this forum, this post will likely be deleted too. I am utterly disgusted by this course of events.
  #256  
Old 05-28-2008, 07:40 AM
MadCatter MadCatter is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 2
Default Re: Forced password update!

Quote:
GatorJamyn, HostGator Staff:
some people on this thread are getting out of hand. I can accept posts stating we should have done things differently, and I can accept people expressing that dissatisfaction.
Hi G-Jamyn,

Indeed - there are correct ways for folks who just need to "vent". The password change is not a big issue for me. I am having a few probs logging in CPanel & FTP with the new login, but that's something I can run by support.

My only question would be more about customer billing info. Has there been any evidence that information/database has been compromised or illegally accessed?

Thank you for your time & attention to that question!

MadCatter
  #257  
Old 05-28-2008, 08:26 AM
MadCatter MadCatter is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 2
Talking Re: Forced password update!

Quote:
Originally Posted by Kazper View Post
I probably stated my opposition to KeePass (or similar) a bit too strongly because I'm tired of some people thinking that any convenient tool will absolve them of their own responsibility
Hi Kazper -

One simple and pretty effective method for storing a list of passwords locally; put them in a plain text file, use a good freeware file encryption program on the txt file and then name it anything other than "mysecretpasswordlist.txt"

I'd go with something like "coffeecake" and put it in a folder with a hundred real recipes just culled from recipe/cooking sites. Or, after encrypting the txt file, rename the extension to "whatever".dll, "whatever".sys and stick it in some program folder. Then change it back to txt & decrypt as needed (and vice versa).

Unless someone would have a problem remembering the password s/he used to encrypt the text file, it's just my 2 cents it works out well.

MadCatter
  #258  
Old 05-28-2008, 09:43 AM
GatorJamyn
HostGator Guest
 
Posts: n/a
Default Re: Forced password update!

Quote:
Originally Posted by bodypainter View Post
And now my posts are being deleted from the thread.

Why? I bashed no one. I asked a question that's 100% relevant to the topic (that remains unanswered to this day). I did conjecture the answer, but all evidence points to my being correct.

What's up with that?
Because your question was (and has been) answered at least 4 times, and you ignored every single response. If you clearly are not interested in the answer to a question, and just want to complain, I'm going to remove the post.

Open a ticket, or make a phone call if you still don't understand, despite the numerous peer responses to your question. And if you still don't understand after that, ask cPanel directly, the authors of the software. But stop asking the same question over and over.
  #259  
Old 05-28-2008, 10:47 AM
tryme1 tryme1 is offline
Hatchling Croc
 
Join Date: Dec 2005
Posts: 4
Default Re: Forced password update!

OK, completely different complaint, I think.

I have a number of accounts with HostGator. I can't get my passwords updated, however, as it keeps telling me my IP has already been used to request a password.

I only have two computers (home and at the office), but three more sets of passwords to update. Please help
  #260  
Old 05-28-2008, 11:27 AM
GatorJamyn
HostGator Guest
 
Posts: n/a
Default Re: Forced password update!

Quote:
Originally Posted by tryme1 View Post
OK, completely different complaint, I think.

I have a number of accounts with HostGator. I can't get my passwords updated, however, as it keeps telling me my IP has already been used to request a password.

I only have two computers (home and at the office), but three more sets of passwords to update. Please help
PM me your IP, or send an email to support@ explaining the issue and we'll take care of it. Thanks!
  #261  
Old 05-28-2008, 12:07 PM
c-tech c-tech is offline
Hatchling Croc
 
Join Date: Jun 2004
Posts: 4
Default Re: Forced password update!

Quote:
Originally Posted by GatorJamyn View Post
This is not the place to wildly speculate, nor is it the place to tell HostGator how to run its business. This is a company forum, and not your or anyone else's personal trashcan.

If you have feedback, feel free to email feedback@hostgator.com. If you need help or support, email support@hostgator.com. Anything outside of "I am unhappy/happy about the password change" or "I have a question/issue with the password change" will be removed. This is not the place for conjecture, speculation, HostGator-bashing, grandstanding, or anything similar, and I'm going to remove anything that walks that line. This thread was left unmoderated for a few days, and degraded into childish, offensive, speculative trash. That is not going to continue to happen.
With all due respect, GatorJamyn, my two posts also were removed, and neither contained anything remotely close to what you consider the above. Some of the posts were gentle criticism over the way this was handled, if Hostgator cannot handle a little criticism, it makes your members take a step back and consider exactly who is actually being "childish". There was also plenty of evidence that support tickets were not being handled properly, or in a timely manner. So, that probably had much to do with how this thread got "out of hand". Yes, there were several posts where users were arguing with each other, and perhaps it was THOSE posts that deserved to be removed.

With that said, please point out to me, where in MY posts I did not ask legitimate questions, (which were never answered directly by Hostgator, but other members), please point out to me where in MY posts there were "conjecture, speculation, Hostgator-bashing, grandstanding, or anything similar". Here is how MY experience went:

1. Received an email on Friday from Hostgator that by all accounts resembled spam or phishing. I immediately sent a support ticket to you to confirm this was or was not legitimate. I received no response to that ticket for 8 hours, in which finally you confirmed the email was legitimate.

2. On Monday I received the same pw update email from you to me regarding a second account I have with Hostgator. Upon attempting to reset my password on the form, it failed, so I sent a new support ticket to you asking for assistance since you do not allow the same IP for multiple accounts to utilize the form. I received a response from you 2.5 hours later, asking for the last 4 digits of my cc.

3. On Tuesday morning, I sent you the cc information (against my better judgement). 2.5 hours later, I finally received my new password for my second account.

JCF-2670505
AJF-2678146

During the weekend, I made two posts on this thread. In one post, (I cannot quote verbatim because you've deleted it), I asked what Hostgator determined to be an acceptable password since I felt mine already was, and that I had yet to receive a response to my support ticket. In my other post, (I cannot quote verbatim because you've deleted it), I responded specifically to another user correcting a FACT that, despite staff posting to the contrary in this thread, forced pw's were not actually targeted to users with weak pw's or those that weren't changed more than once, since mine had been prior changed several times and I felt it was "strong", according to a staff's description of a strong password. I also said this doesn't feel right to me. (is that bashing, childish?). In all respect, staff first indicated passwords were weak and had not been changed often enough by clients, then some time later staff indicated the forced password change was due to prior staff possibly having clients' information. I hope you understand the confusion that caused.

During the weekend, I also observed the other various "problems" that other members were experiencing, and hoped to get enough information before I had to bother Hostgator with yet another support ticket. Most of my questions were answered by other members, not Hostgator, which I feel YOU should have answered questions in a timely manner. Granted, many people were/are upset, but you could have averted that had you admitted your "flub", answered posts directly, quickly, and revised this into a "sticky" so that possible foreseen problems could be addressed properly.

By altering members' posts, by deleting them and by selectively choosing what you erroneously claim (some) are bashing Hostgator, you are in effect alienating your customers. When you make a sudden move or change that affects the largest majority of your customers, you truly need to be prepared, contemplate the unexpected, think of the scenarios and realize how they affect different users in different ways. There is nothing wrong with a bit of constructive criticism and you can learn by that, but instead, you turn it back and put the blame on your customers because they were upset, not informed properly, and had to wait over a long holiday weekend to get the real facts. I noticed several staff members were online over the weekend but many of them didn't offer to answer posts. In my opinion, that only set the stage for the "bashing" you got. Was there no moderator online for the entire weekend?

I suppose I will know soon enough if this post will be allowed or edited. It is not my intention to be childish, grandstand, bash Hostgator, post conjecture or speculation. I stated the FACTS of my questions and experience in this matter, and above all, wish to bring to your attention that some of us indeed had problems, did not have legitimate questions answered, and do NOT appreciate being labeled as the above.
  #262  
Old 05-28-2008, 12:47 PM
GatorJamyn
HostGator Guest
 
Posts: n/a
Default Re: Forced password update!

Quote:
Originally Posted by MadCatter View Post

My only question would be more about customer billing info. Has there been any evidence that information/database has been compromised or illegally accessed?
No. If there had been, I (or DaveC, or someone in upper management) would notify you guys to let you know. It would not be a fun thing to do, but we'd do it so you'd at least be aware. Thanks for the question.
  #263  
Old 05-28-2008, 12:48 PM
thetazzbot thetazzbot is offline
Hatchling Croc
 
Join Date: May 2008
Posts: 13
Default Re: Forced password update!

If it were up to me, I would remove this whole thread.

Probably should have been locked in the first place to avoid the constant ranting.
  #264  
Old 05-28-2008, 12:55 PM
GatorJamyn
HostGator Guest
 
Posts: n/a
Default Re: Forced password update!

I agree. If you have an issue with this process, please email support, contact live support, or call. You may also PM me if I'm online, or email me directly:

jshanley@hostgator.com

Thank you. I'm going to close this thread.
Any outstanding issues can be addressed directly.
  #265  
Old 05-29-2008, 07:23 PM
GatorBrent GatorBrent is offline
HostGator Staff
 
Join Date: Oct 2002
Location: houston, texas
Posts: 2,977
Default Re: Forced password update!

I'd like to apologize to everyone; this thread should not have been closed. I haven't even looked at this recently until a customer notified me of the mass edits / post deletions. I'm in the process of getting everything restored as I do not believe in censoring.


I'm extremely sorry for this. If anyone has any remaining questions please feel free to email me at brent @ hostgator.com
__________________
Gators love marshmallows.

Last edited by GatorBrent; 05-29-2008 at 07:46 PM.
  #266  
Old 05-29-2008, 07:55 PM
esl esl is offline
Emperor Croc
 
Join Date: Jan 2005
Location: Proud to be an American - USA
Posts: 2,184
Default Re: Forced password update!

Hello,
Was this password change request email sent to the ORIGINAL email address used at sign up? I have changed mine in ModernBill since then, and I have not received the password change request email. Also, is changing my password via WHM the same as filling out that form? Thank you.
__________________
Have a great day,
Evan
  #267  
Old 05-29-2008, 07:59 PM
GatorDaveC GatorDaveC is offline
HostGator Staff
 
Join Date: Mar 2006
Location: Ontario, Canada
Posts: 2,147,483,721
Default Re: Forced password update!

Evan,
We used the current billing E-Mail address that we have on file. If you didn't receive the e-mail, and your current password works then your password should be fine.

Filling out the form just gives you a password that we generate. If you reset your password in WHM yourself, you can generate it with the tool in CPanel or change it however you'd like.

Have a good day sir.

Quote:
Originally Posted by esl View Post
Hello,
Was this password change request email sent to the ORIGINAL email address used at sign up? I have changed mine in ModernBill since then, and I have not received the password change request email. Also, is changing my password via WHM the same as filling out that form? Thank you.
  #268  
Old 05-30-2008, 02:54 PM
esl esl is offline
Emperor Croc
 
Join Date: Jan 2005
Location: Proud to be an American - USA
Posts: 2,184
Default Re: Forced password update!

Thanks Dave! As always, you're a great help!
__________________
Have a great day,
Evan
  #269  
Old 05-31-2008, 03:37 PM
mp3 mp3 is offline
Baby Croc
 
Join Date: Dec 2007
Posts: 62
Default Re: Forced password update!

I received the email, suspected it of phishing, but went to the actual hostgator site to check, decided it wasn't, used the form, and logged in with no problems.

The inconvenience was minor, and anyone that follows corporate web security should be happy that a company was actually willing to take such precautions. I think many companies would just deny there was any risk and never change anything.

Quote:
Originally Posted by GatorBrent View Post
I'd like to apologize to everyone; this thread should not have been closed. I haven't even looked at this recently until a customer notified me of the mass edits / post deletions. I'm in the process of getting everything restored as I do not believe in censoring.


I'm extremely sorry for this. If anyone has any remaining questions please feel free to email me at brent @ hostgator.com
I didn't read anything but this last page, but I wanted to say I agree with you. Thanks for re-opening the thread.
  #270  
Old 05-31-2008, 03:49 PM
calum calum is offline
Swamp Croc
 
Join Date: Jun 2007
Location: Aberdeen, Scotland
Posts: 326
Default Re: Forced password update!

I never got this email, I made a post saying that a while ago but can't see it anymore.
  #271  
Old 05-31-2008, 04:07 PM
regentronique regentronique is online now
King Croc
 
Join Date: Aug 2007
Location: Quebec,Canada
Posts: 960
Default Re: Forced password update!

I was not restored properly as before, either.

But we could say that at least 90% was restored. This is quite an improvement from before...

Brent wrote :
"I'm in the process of getting everything restored as I do not believe in censoring."

So there are a few possibilities:

1- The restoring was not done properly or completely.
2- There is still some censorship left willingly.
3- Some data could be lost and not recoverable.

Few people could clear up which is the proper answer and it would be either Brent, GatorJamyn or the ones in charge of restoring this thread.

  #272  
Old 05-31-2008, 06:40 PM
michaelyork29 michaelyork29 is offline
Hatchling Croc
 
Join Date: Mar 2008
Posts: 13
Default Re: Forced password update!

Being the customer that Brent referred to as the one that told him about the thread, I just wanted to share an excerpt of our conversation, so that you know he didn't agree with the actions that took place in the thread...

"This truly is horrible and you have no idea how pissed off I am."

"As the owner I want all of my employees to always be 100% honest with our customers."

Give him a break, he's doing all that he can...
  #273  
Old 05-31-2008, 06:47 PM
IronWarrior IronWarrior is offline
Junior Croc
 
Join Date: Nov 2007
Location: England UK
Posts: 164
Default Re: Forced password update!

I never got an email too, tonight is the first time I heard about it. :s
  #274  
Old 05-31-2008, 07:18 PM
prevail prevail is offline
Hatchling Croc
 
Join Date: Nov 2005
Posts: 16
Thumbs down Re: Forced password update!

Well we called, IM and emailed ... asking... begging for them to send the updated password to the EMAIL ACCOUNT THAT IS ON FILE....

We advised them that presumably we shouldn't be able to access that email account if it isn't us... We were told without further identification such as credit card info they will not give me the password to my account.

1) It is Saturday... our accounting people are not here.
2) major customer needs a website uploaded and by tomorrow or we lose ALL their business which is 10 websites.
3) If I had access to the credit card today... I certainly would not give it out over the phone or by IM to a person I never meet... Whose security are they trying to protect?

they changed the password,,, told them to change it back,,, allow me to log in and change it... nope they really do not care.
  #275  
Old 05-31-2008, 10:51 PM
GatorChrisN GatorChrisN is offline
HostGator Staff
 
Join Date: Feb 2008
Posts: 946
Default Re: Forced password update!

Quote:
Originally Posted by prevail View Post
3) If I had access to the credit card today... I certainly would not give it out over the phone or by IM to a person I never meet... Whose security are they trying to protect?

We only ask that you provide the last 4 digits of the billing credit card. Our employees do not have access to your full credit card number, just the last 4 digits and the expiration date. This is the best method to verify an account before providing a password to someone, or before making major changes (deleting data, editing DNS records, etc), because usually the owner of the account is the one paying for it.

It's not impossible for someone to 'spoof' your e-mail address, or to hack it and then request passwords to various accounts within e-mails they see. I have seen a few incidents over my 10 years in the IT industry where somewhat clever but malicious people had acquired passwords through 'Social Engineering' (via telephone or e-mail pretending to be someone they are not, etc).

Once you do manage to verify your billing information with one of our representatives, you can request that there be a SECRET PASSCODE put on your account, whereby only those who know this passcode can make changes/request sensitive information/etc. Identity/Intellectual Property theft is unfortunately very real these days.

I do apologize for the inconveniences this has caused you and your clients, we are definitely taking in all feedback regarding this password audit, good and bad, to make sure that any similar events in the future go as smoothly and amicably as possible.

We appreciate your business,
__________________
Chris N.
Level II Linux Admin
Hostgator Support
http://www.hostgator.com
