We're back online!
Well, here's a thing. Apparently nothing to do with this:
http://news.bbc.co.uk/1/hi/england/gloucestershire/7124755.stm
Was phoned at around 4pm by a helpful soul at Fasthosts. After a little trouble validating me - we finally agreed on the last 4 of my credit card - I was given the new password to the Admin CP of the site mentioned in the article.
So, no apology but let's let that pass for now. The helpful soul said that only 25% of people had changed their passwords in response to their October email. He admitted that their email had come across as advisory rather than mandatory.
When asked what triggered the password change, he said that a couple of customers' ftp sites had been compromised. I asked if email addresses/Admin passwords had been compromised and he said no, but what they wanted to avoid was password changes now, and then more changes later if something else had been compromised etc etc.
Well, I'm in. SQL and ftp changed. Database backed up, downloaded and stored. And everyone must be doing the same as the ftp download is like walking through treacle!
I must admit, now we're "back", the frustration/aggression has evaporated. Until the next time maybe?
My solution for next time is for their engineers to allow validation on specific data (like the last 4 of your credit card) and allow users to get a new password through it. Posting passwords? Well if that was safe, Gordon Brown wouldn't be squirming quite so much at the moment - and of course, if you have moved since registering and not updated your details then a stranger will now have your admin password!
Let's face it, the hackers won. Fasthosts have lost big time but then so have we, the customers, and indeed our own users. By over-reacting, and yes, it was an over-reaction, they have done more damage than the hackers ever could by a factor of a thousand. I would be laughing myself silly if I was the hacker concerned.
Lessons learned? I'm afraid the harshest lesson was that Fasthosts don't have a sensible policy for security, handling hacking or password change. Would another webhost? Who knows. But I am fairly sure that at the very least there would be apologies and rapid resolution. The biggest lesson, which Fasthosts MUST learn if they are to remain in business, is that the systems must REMAIN UP as the highest priority. Everything else is secondary to keeping sites online. Risk analysis would have shown that what the hackers could achieve paled into insignificance with what Fasthosts did to us.
We will be moving. In the absence of apology, good communication and compensation, it would be an affront to ourselves and our users to remain with Fasthosts.
I do hope all those still offline manage to regain control of their sites soon.