Fasthosts customers blindsided by emergency password reset

Fasthosts has announced that "a number" of its customers'* FTP spaces were raided as a result of the major hack that triggered a police investigation last month. It has applied a system-wide reset of thousands of passwords as a result. The Gloucester-based webhosting firm yesterday performed the emergency reset of control …

COMMENTS

This topic is closed for new posts.

  1. John Rudolf
    Alert

    Legal remedy?

    Just a thought, but does this constitute "negligence" and can we bring what I believe the Americans call a "class action" against Fasthosts for loss of business?

    Given that it is Christmas, a major retail spending "peak", a lot of people will be losing a lot of money over the weekend.

    Anyone have a "qualified" legal opinion on this?

  2. Chris

    Time to move

    We have over 300 websites spread over 3 Fasthosts reseller accounts. Every one of them is now queued to be shifted to one of our other reseller accounts with a different provider.

    Should I wait for Fasthosts to give me another reason to shift the dedicated servers we have with them as well? Hell no, that's next in the job queue!

  3. Anonymous Coward

    Bemused

    I see several people saying how good their current hosts are. Any chance of naming the good hosts so that the poor sods with FH can actually switch???

  4. Colin Towns

    Other hosts

    For shared hosting and reseller accounts I can recommend Catalyst2.com - support is great with no problems.

  5. Amer
    Unhappy

    Phone lines have been switched off!

    Just to let you all know, they've done an ISP classic, switched off the phone lines!!!

  6. Anonymous Coward
    Stop

    Come on people

    Firstly, at voshkin... if you have a DEDICATED server, if it gets hacked it's your fault... no good blaming the hosts. That's like blaming the electricity company - not their fault. If it was a MANAGED server, different story, but still possible that you put some vulnerability on there (phpmyadmin, awstats, etc).

    Now, at everyone who said "how about some warning" or "send out the new passwords before resetting them all"... this was an EMERGENCY procedure! Originally they weren't sure if the hacker had the passwords in a usable form, now they know because some bugger used them to put nasties on the servers... that means that they didn't have time for any warnings.

    And for whoever said "if they haven't changed their passwords, that's their problem if their account gets hacked"... it isn't - it's everyone else's problem... because there is then another site hosting malware/selling drugs/etc, which means they'll then want to promote said site, for which they'll use an email account (which they have the details for) to send out spam (using authenticated SMTP - the scum), which makes it EVERYONE's problem.

    I happen to think that they've done something sensible here. The only issue is for those who did change their passwords and now have to wait for new ones - maybe you changed your password too quickly? I expect they took a copy of the database as was and have now compared the current one to that one... maybe they didn't have a working backup from before the attack (oops), and realised afterwards so took a backup then??

    Just think about things before you start flinging blame.

    We (as a company) will be sticking with fasthosts. We have 3 dedicated servers with them and are very happy with the service, especially at the price (one customer moved their dedicated server and saved £150/month and got a better connection - they're particularly happy!).

  7. Christian Royle

    73% of accounts affected.

    I was told by FH Support that 73% of customers had not changed their control panel passwords, and if the CP password had not been changed, then everything in that account was included in last night's reset.

    I guess this means that if you were putting your customers' passwords at a higher priority than your own, then you were punished by the blanket change.

  8. Anonymous Coward
    Happy

    Fasthosts deleted my account in error but told me my password was in the mail

    What a laugh this morning - Fasthosts automated support mail said my dedicated server was offline because I, like so many others, hadn't changed my password, when of course I had.

    Finally got through on the phone to discover they had actually DELETED MY ENTIRE ACCOUNT IN ERROR, instead of deleting just one of my dedicated servers which expired yesterday with impeccably bad timing. I should be thankful that they were able to rescue and reconnect my box before they formatted it, or even worse reallocated its IPs. So we were only offline for three hours.

    Now I can use all the time I have saved in not having to rebuild this server for resetting all the email and ftp passwords on my other reseller account.... or was I supposed to be doing something else? A single mailbox password change just took about two minutes while the control panel server groaned under pressure - I guess I won't be going out tonight then after all!

    Oh Joy - and to think I actually recommend this supplier to my clients!

  9. Anonymous Coward
    Thumb Down

    very annoyed clients

    We too walked into work this morning to find nothing online working!!

    No additional staffing at customer services!!

    Will be closing my account asap

  10. Anonymous Coward
    Thumb Down

    Life or Death

    One of my websites co-ordinates charities that rescue dogs from being destroyed in Ireland and finds them homes in England, since last night the SQL Database password has been changed and no one can access the site - this is literally Life or Death for countless dogs due to be put to sleep in Ireland.

    I, like many others, did not have any warning about this, nor did I receive an email about the original security breach.

    Along with the rescue work, small charities sell Christmas cards through the site, so it will be hitting everyone hard.

    I can't get through on the phone and they are not answering emails, they even kindly shut down the password reminder on the support site, if this was working, I could fix the problem myself.

    I think we will be investigating the possibility of legal action against fasthosts for this situation

  11. Anonymous Coward
    Stop

    Would you prefer.......

    ...they do nothing?

    Granted this is closing the stable door after the horse has bolted - but seeing as most people will have ignored the email and they will have monitored activity on password changing would you rather they took no action?

    Clearly this is a reaction to a situation and we as outsiders don't have the full details - perhaps you should count your lucky stars that your card details haven't been stolen (or have they). And if you don't like it move YOU pay YOUR money and YOU take YOUR choice.

    If you're on shared hosting it's probably because you don't have the skills to host your own dedicated server or you're looking to blame someone else when it screws up - glass houses and stones.

    Give the engineers a break, they'll be as p****** off as you are about the breach, after all it's their professionalism that's suffering here.

  12. Reggy's Tar.

    Plain text passwords are 'sensible'??

    As I understand it, the hacked passwords were not in a database, but in plain text. They were used to support the 'Forgotten Password' tool that is currently switched off on the Fasthosts site.

    So, this "Emergency Procedure" was triggered one month after Fasthosts realised that plain text is not a good security policy. During that month, they had plenty of time to notify customers that the password would be changed by force.

    Which part of what happened last night do you consider 'sensible'?

  13. Anonymous Coward

    Best Practice?

    Here's an example of a Fasthosts 'Best Practice' approach to passwords - here is a quote from their site (on the forgotten login details page)

    "Quick tip: Once you have logged in, why not update your password to a more memorable word?"

    Great idea Fasthosts!! You should publish that as an industry wide standard.

  14. David Ryans
    Thumb Down

    Smug gits go away!

    Some people have posted comments to the effect of 'well you should have changed your passwords and read your emails', well please, up yours. We changed all our passwords immediately which was an immense hassle and still all our passwords were reset last night. Not only this but we didn't even get an email informing us of this or have heard anything back from customer support.

    I won't have access to the snail mail address for weeks so looking at a long time down for the website, at the most lucrative time of year.

    This is criminally negligent, I urge, nay beg all of you with fasthosts to leave at the earliest possible opportunity. We are in the process of moving right this second.

    I only wish there was a representative nearby that I could punch repeatedly in the face.

  15. Anonymous Coward

    Recommends?

    What other ASP.NET2 hosts are out there? Any recommendations?

  16. Matthew
    Go

    Other hosts

    I've been using Goscomb Technology for a few years. I think I've had about 15 mins downtime over the last 4 years.

  17. Ben Smith

    I looked into using FastHosts years ago

    and thankfully came to the conclusion that they were cr*p.

    I use Titan Internet to host my sites. No, I'm not related, friends with them or anything - they are just very very good indeed.

    But you get what you pay for. People who used FastHosts because they were "cheap" are now finding out why. If your server is mission-critical - spend money on hosting - otherwise you only have yourselves to blame.

  18. This post has been deleted by its author

  19. Anonymous Coward
    Stop

    Why is anyone using Fasthosts in the first place?

    Why would you want to use a provider that charges extra for things that come free elsewhere, like £50 a year for one MySQL database?

    They won't even let you run Cron jobs!

    If you want proper hosting, go to a proper hosting provider.

  20. Anonymous Coward
    Thumb Down

    Farcehosts

    Yet again, Farcehosts live up to their name.

    That's what you get for hosting with a bunch of amateurs on Windows boxes.

    Try www.pair.com, competent and been around since the dawn of time.

  21. John Rudolf
    Alert

    How can this be "sensible"?

    Referring to the Anonymous comments that what Fasthosts have done is sensible...

    Are you serious? Do you really think that changing EVERYONE's password without warning makes sense? With no efficient plan for getting users back online or beefing up customer support to handle the increase in workload?

    Come on, this beggars belief.

    The most absurd part of the whole thing is posting passwords. Surely it is not beyond their engineers to email new passwords to everyone? Less effort, quicker and cheaper.

    But no. They're all up there stuffing envelopes and sticking stamps. Unlike those Fasthost customers who sell through their websites...

  22. Anonymous Coward
    Joke

    damn you lamers

    I too have had this issue and to be honest it's pretty much made me decide to look for another provider, they have not been a great host of late, well, in my experience... Bye bye Fasthosts, my blog is down - can't log in to change password. You really know how to treat customers, where was the notice for the instant reset of all passwords?? ...Just a simple email with a reset password link should suffice since no one will have my access to my email... at least to reset and prove who I am for other passwords etc, but Royal Mail me my password?!! This whole weekend I'll have no access for my FTP or SQL DB!!! This is unacceptable... I wonder what the real story was?...

  23. Gavin
    Thumb Down

    Sinking Ship

    I jumped ship in the summer after 3 years of pain and frustration and closed down my reseller account. You can't run any sort of web hosting business as a reseller with Fasthosts as you will always be letting your customers down due to things like this. I don't know how they are still in business running such a poor level of customer service. They need an IT Gordon Ramsay in to kick some backsides starting with the Fasthosts management.

  24. Brian

    Fasthosts had better be well insured

    The arrogance of these people is astounding - to arbitrarily change all passwords THEN inform people retrospectively is a disgrace and borders on the criminal.

    That they have done this to those of us who had ALREADY changed our passwords is not only negligence, but extreme incompetence.

    Class action anyone? if so, I have already discussed with lawyers and they suggested keeping in touch - email me at brianinfrance2-fasthosts (at) yahoo.co.uk

  25. Anonymous Coward
    Unhappy

    Emergency procedures

    Regardless of what has happened, it is very frustrating to be so helpless in the situation

    Our SQL sites don't work after the password change, but we cannot even get in for a temporary fix, at the very least a holding page informing people of what is happening or a redirection to another server where we can offer some functionality.

    We have experienced outages before, and all cases have managed to maintain some form of service whilst the problem is fixed, but in this case we can only observe and hope FH come up with a solution

  26. Anonymous Coward
    Happy

    Alternative host

    Haven't used them for a while, but for about 3-4 years, I used Giacom (I started with Fantastic Internet). I found their staff very helpful (especially for the set-up phase).

    I had one minor issue when our main email address was being spoofed into a load of spam, and we were getting tons of "bounced" mail that they helped sort out in a matter of minutes. Other than that, very reliable - very easy to do business with.

  27. Anonymous Coward

    So why didn't you change your passwords last month?

    Yes, this is a screw up of majestic proportions at Fasthosts but I get the distinct impression that these people who are saying they are completely locked out did not change their passwords back in October. Why not? If I was one of their customers, I'd be asking why they ignored such a security warning from their ISP.

    I had changed my main password but got caught out on a MYSQL password so had an hour's downtime last night until I changed that. A bit embarrassing but my customers have been quite understanding.

    I've used Fasthosts since 2000 and this is only their second major cock-up. I'll be leaving now but mainly to save money. There's no guarantee the people I go to will be significantly better.

  28. This post has been deleted by its author

  29. John Warlow
    Thumb Down

    Passwords reset, databases broken and they think the post is secure

    It's all going pete tong!

  30. John Rudolf
    Alert

    Read the comments - this is affecting people who HAVE changed their passwords...

    As it says, can Mr Anonymous et al PLEASE READ THE COMMENTS ABOVE! This is affecting those who HAD changed all their passwords too.

    Have the phones gone back on yet?

  31. Anonymous Coward
    Alert

    When I used to work for them...

    You could access the internal accounts information - with your network username and password - via a web interface, from anywhere.

    No VPN; simple SSL encryption with an employee's username and password.

    What was on these internal accounts pages? Full customer details; including passwords and credit card details.

    Security? They don't know the first thing.

  32. Paul Naylor
    Thumb Down

    Similar story

    Mine is a similar story to many already commented upon here. We have price list data on a Fasthosts MySQL server that is used by a number of our sites and this morning those sites were throwing up permission denied errors. So I reset the passwords before I ended up getting the email.

    Funny thing was, we reset the passwords of the same databases straight after the initial scare a few weeks ago, to something far more obscure and yet Fasthosts still reset them, claiming we hadn't changed them...

    We're now looking to host our data internally...

  33. Haku

    feh

    Well I hope they're quick at posting out the new passwords and that Royal Mail don't take their usual several-days-to-deliver-1st-class-mail farce, not too bothered about not accessing my main Fasthost website as Pipex have still kept my old webspace open despite being kicked off back in March, but I have a 2nd account with Fasthosts I need to cancel before the end of Dec or they're gonna charge me.

    So bloody hurry up Fasthosts & Royal Mail

  34. Simon

    Doh.

    Fasthosts' actions are totally wrong.

    I am currently moving 427 sites to another host.

    Where is my letter !!!!

    Lost in the post probably.

  35. Anonymous Coward
    Thumb Up

    Oh, and did I mention something about Pair?

    If you are a web refugee (use the coupon code REFUGEE), you get free setup for the first account/domain. And they have a nice triple discount special on too for December (pay up front for a year, get 24% off).

  36. William Jenkyns
    Thumb Down

    Fasthosts -Never again

    This latest debacle is so irresponsible, plus their helpline doesn't answer (I've tried all day).

    I am working away from home at the moment and need my PIN to log in, and I can't get my PIN because a) they won't answer the phone and b) the automatic reminder service isn't working. This has had a severe effect on our business operation.

    Any suggestions for other web hosts?

  37. Anonymous Coward

    Same problem for streamline.net

    I look after a website hosted with streamline.net and have just noticed that their FTP access has suddenly stopped working. After checking their Service Status I find that they are going through the same process of asking customers to change their passwords for their Domain Control Panel and FTP... are they linked to Fasthosts in some way?

  38. Neil Rigby
    Alert

    Panic Button

    To be fair, I think FastHosts simply pressed the 'Panic Button' when they realised the extent of the security breach, the extent of which we'll probably never know about.

    FastHosts: The UK's Number 11 Web Host (down 10 places!).

  39. Justin Millner

    Gone from 54 to 38 in the queue in 17 mins

    All on a 10p per min per call, perhaps it's a revenue opportunity for them?

  40. Anonymous Coward
    Thumb Down

    Fasthosts

    Fasthosts are sending the passwords by normal (not recorded or special delivery) mail. YAY it's going to be two weeks before I get my password (yeah I am in the UK, first class here means it will take up to two weeks around here!) and then I'll have to wait for my UKReg password.

    Even if they really really had to do this - couldn't they have generated the passwords a few days before, printed and posted the letters - then after a few days THEN change the passwords?

    A frustrated fasthosts customer

    soon to be ex-customer - once I've transferred my domains out of UKReg!

  41. Anonymous Coward

    I've survived with few problems but...

    ... I'm still moving. What irritated me was having to hang on the phone for an hour to find out what was going on when NOTHING had been posted to the system status page. According to that page, all was well and nothing was even being investigated. Customer service used to be great but it looks like they've grown too big.

    I'm off to Heart. Anyone have experience of them?

  42. Julian

    Not very Vorsprung durch Technik....

    In the old days you could blame babyfaced Andrew Michael for Fasthost's woes (he set up the company from his bedroom aged 17). But now, shock horror, we can blame the Germans for not running the show properly!!

    http://www.timesonline.co.uk/richlist/person/0,,48328,00.html

    I'll just go and grab me beachtowel....

  43. Anonymous Coward
    IT Angle

    Why NOT using e-mail to post passwords

    What is the logic of posting the passwords?

    I never got any written communication by FH.

    I do not even know which address they consider as mailing address, but it is NOT the one of credit card, and I have moved from one country to another.

    ALL THIS IS INTERNET BUSINESS, and it makes no sense NOT to use e-mail to send new passwords.

    So what is the security breach scenario according to FH?

    The hacker has my e-mail address and the password.

    At the moment FH is sending the new password (which he doesn't know, n.b.) he is logging in and stealing it.

    Oh, he knows, he hears about FH e-mail being sent, so he is on outlook on thousands of e-mail addresses.

    All that is childish and mediocre.

    Besides, it was enough to inform me that they were hacked.

    It is MY business and security policy when and how and whether I will change passwords.

    BTW for the record, I can confirm that my CP password was not reset neither one of FTP passwords, which I did change after the 1st alarm.

    I did change the rest (FTP, e-mail) after the 2nd alarm, but FH e-mail support has no brains to tell me if I will have to do it again (!?) after the famous Royal-Mail envelope arrives, if it arrives (as someone is bitterly pointing to Xmas deluge and postal strikes).

  44. Anonymous Coward
    IT Angle

    Spreading the risk

    Following Fasthosts' recent "act before thinking" tactics we're going to spread the risk, move our databases and probably our email from Fasthosts and for the time being continue using their reseller package, at least this way the only system data of ours and our clients that they can lose / reset is the control panel and FTP - if our new SQL server host goes down we can use a backup. Personally though I'm more concerned about the personal financial information they appear to have lost - I'd recommend speaking to your banks before this disaster goes from BAD to well.....

    I also think that as clients we should demand that someone's head rolls for this - loss of business (existing & future) and loss of reputation....

    Do yourselves a favor, change your bank details, and spread the risk by hosting servers/emails elsewhere

  45. Alex Wood

    the start of a busy week

    We've got over 420 individual accounts with Fasthosts, all with FTP and all with mailboxes.. We've now got 9 days to change what could be as many as 5-600 POP3 mailboxes manually, then configure those clients who don't know how to, change server POP3 settings, respond to phone calls and support emails from clients... it's gonna be a busy few weeks :)

    The Fasthosts Control Panel has been up and down all day, and my email first thing this morning asking whether we were going to be compensated has yet to be answered..

    For my company this is going to be a MASSIVE job to put right....

  46. Anonymous Coward

    The cost of calling fasthosts tech support last night

    My calls to Fasthosts Tech Support last night. With a critical problem that had nothing to do with the passwords...

    Date, Time, Tel Number, Seconds, Cost.

    29-11-2007 23:21 00448708883600 4518 7.08

    30-11-2007 00:36 00448708883600 6614 10.36

    30-11-2007 02:27 00448708883600 4721 7.40

    The first call started at queue position 44, then was picked up and dropped without speaking on the cusp of midnight.

    The second call started at queue position 35, then when I got through to someone, they just said there was nothing they could do about it and essentially hung up.

    The third call started at Queue position 23, I got through eventually, but the call resulted in ....nothing.

    That is £25 for two people to be rude to me (do these people realise that I pay for the service?), and one to tell me that there is nothing they can do because they are too busy dealing with calls about passwords. Are you kidding me?

    Truth is, there were 2 people on support last night, more than 1000 backed up support tickets that were not being answered, and still haven't been answered.

    What support told me is that there is never more than two people on support overnight, and they rarely get chance to address the incoming tickets.

    ...and the two things that really get my back up:

    1) they have one unix/windows engineer on site who could have solved my problem in a few seconds, two commands at a unix command line, and the job would be done. But oh no, my problems are far too much trouble for an engineer to look at, after all, he's busy deleting passwords.

    2) Somehow, I have got used to this level of service! I expect it from FH, and they never disappoint me. I have never had a service request dealt with in under 2 hours, I have never spoken to technical support and been pleased.

    Time to move on... I think we may be seeing Fasthosts making a Fast Exit over this issue. I would be stupid to have email or sites on a FH server the day the company has to close its data center. It's Northern Rock time...

  47. AJ
    Stop

    DON'T PAY TO RING FAST HOSTS

    This is FREE

    01452 541499

    But I have been in the queue for half an hour and it's 23:47 and have heard the automated announcement that they will NOT reset your password over the phone, it HAS to be sent in the post...

    ... Knobs have changed all mine and I ALREADY changed them when they asked me to the first time they fooked up! Incompetent wankers!!

  48. Anonymous Coward
    Thumb Down

    Sat here....

    ....twiddling my thumbs until the postman arrives with the elusive new cp password.

    After working for over 17 years in the IT industry I've never come across such an incompetent way of dealing with a security issue. I would love to hear the Security Manager's reasoning on why an immediate lock down was ordered without sending any notification to their customers. He needs sacking.

    I am sure, even with Fasthosts' indemnity clause in their T&Cs, there will be a number of claims for loss of earnings, especially if our customers say that they are going to put a claim in to us as a reseller! I know for one that I ain't taking the flak or cost for loss of earnings to my clients seeing as I had followed their instruction in October. We are paying for a service, perhaps Fasthosts will remember that when they lose thousands of customers over the next couple of weeks.

  49. Anonymous Coward
    Happy

    Not so cheap now though...

    A quick Google last night showed half a dozen sites doing what we need - unlimited/high bandwidth, SQL, PHP - for around the same price and in most cases less - around £80. Fasthosts were £49+the database charge and actually cost more.

    You know, even a small change on the website explaining what's going on and apologising would have been nice.

    I wonder if they have the foresight to offer discounts for those affected? Where cost is the issue it might make a difference.

  50. Gareth Evans-McClave

    Fasthosts password change not working

    Our site was taken off air by the unilateral password change. As the site is used by our clients to monitor services, without FTP it is useless.

    I spoke to fasthosts yesterday (after queuing for 1.5hrs) and they finally agreed to fax the new control panel password through.

    I received this, and changed my FTP password at approx 12:00 yesterday. It's now 11:00 the next day and I still cannot get FTP access to my site.

    Fasthosts phones are now continually engaged and we have been off the air for over 24 hours.

    THIS IS NOT ACCEPTABLE!

    This action will cost us hundreds of pounds as we need to send a technician round to many of our clients sites to update the on-site systems with updated FTP details. But more importantly, this outage makes us look amateur and our clients are losing confidence in our ability to provide a service.

    Has anyone managed to talk to someone in power at Fasthosts? The poor call centre guys must be getting pretty used to people shouting at them now, but they won't let you talk to whatever muppet instigated this farce.

    For all those affected by this, we probably need to get together and present our complaints en masse, as the loss of one or two accounts won't faze them, but together we might get their attention!
