back to article Titsup WHMCS calls the Feds after credit-card megaleak

WHMCS, which provides billing and customer support tech to many web hosts, was comprehensively hacked on Monday and remains offline. Hackers tricked WHMCS's own hosting firm into handing over admin credentials to its servers. The group that carried out the hack, UGNazi, subsequently extracted the billing company's database …


This topic is closed for new posts.
  1. irish donkey

    This means that there was no actual hacking of our server.

    Oh so that all right then.

    The weakest part of any network is the 'dumb fucks' in charge of it.

    Epic fail

    1. I think so I am?

      Re: This means that there was no actual hacking of our server.

      I fear for my money when numpties like this get 'hacked/social engineered like this.


      1. laird cummings

        Re: This means that there was no actual hacking of our server.

        So basically, the hosting company had monkeys at the helm. And WHMCS aren't much smarter.


    2. Anonymous Coward
      Anonymous Coward

      Re: This means that there was no actual hacking of our server.

      I wish they could invent a good anti-virus program that could be installed in people!

      1. raving angry loony

        Re: This means that there was no actual hacking of our server.

        They have. It's called concrete. Because the only truly secure human is one that's been encased in cement and dropped into the ocean. Oh, wait, that's a computer. Well, same idea really.

      2. Anonymous Coward 15

        Re: This means that there was no actual hacking of our server.

        A boot in the jacksie?

  2. Winkypop Silver badge

    Never leave Colin, the work-experience kid, in charge

    No matter how thirsty you are for the pub.

  3. Anonymous Coward
    Anonymous Coward

    The quotes were from the owner of WHMCS, so he has some lame security questions.

    1. Anonymous Coward
      Anonymous Coward

      @AC 13:15 -- Yup

      "The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions"

      WHMCS Security Question: "When was the War of 1812 fought?"

      1. Vic

        Re: @AC 13:15 -- Yup

        > WHMCS Security Question: "When was the War of 1812 fought?"

        That's actually a very good security question - with the answer being something along the lines of "three squirrels and a lemon"


  4. KJB
    Thumb Down

    It's all very well encrypting the credit card into in the database, though when you leave the salt in plain text in your config files and the whole cPanel account backup gets offered up for download then that encryption pretty much means squat.

    Cancel your cards people.

    1. Destroy All Monsters Silver badge


      Don't you always leave the salt in plain text in the files?

  5. Anonymous Coward

    OK, so this may be a silly question, how would anyone know if their details are at risk?

    Is there a list of web hosts, sites & services that use WHMCS?

    1. Anonymous Coward
      Anonymous Coward

      Yes, the database was released on twitter which has a list of absolutely everything. This includes:

      - credit card numbers

      - full name and address

      - security questions/answers

      - email history (some even include root logins to other web hosts)

      - invoice history of each company

      - pricing tier of each company

      - affiliate history

      - password reset reminders

      - license keys and who is using those license keys

      - admin logs and admin activity logs

      And so much more.

      1. h4rm0ny

        Is there anyway to check if you're on there without downloading a tonne of other people's credit card details, however? That would be useful as I really don't need or desire the rest of the data.

  6. Stevie


    I love the "justification" for this attack.

    I hate what the Warwickshire police are doing. I complained but no one did anything so to force the issue I've had keys cut for every house in Leamington on Spa and sold them to burglars".

    1. Captain Scarlet Silver badge

      Re: Bah!

      Yes when normally the people running the scams crack the software so they don't have to pay for it.

      Dump and Run scams are far to wide spread and although annoying I'm not sure how they would know they would be running scams, its more than likely going to affect the smaller webhosts relieing on it to help run their business.

      Oh and Fail for leaving decryption key in the open!

  7. Jacqui

    So they are hosting on a PP IP range?

    Domain name:

    Administrative Contact:

    Whois Privacy Protection Service, Inc.

    Whois Agent (


    Fax: +1.4259744730

    PMB 368, 14150 NE 20th St - F1


    Bellevue, WA 98007


    I thought only scammers and hackers used PP?

  8. Sandtreader


    Something doesn't add up in the terminology here: "Card information was salted and hashed". What use is a hashed credit card number, either to Bad Guys or indeed to the service itself? More likely they were symmetrically encrypted and the passphrase stored in the filesystem somehow. That does at least mean that the DB replicating backups are not sensitive in themselves.

    The problem of how to protect information in the DB, private keys etc. from a root attacker is always a tricky one. You could demand entry of the passphrase at startup but that prevents unattended restart, and in theory a really determined attacker could get it out of memory if they can get access to the running daemon.

    Of course the trick is to avoid getting rooted in the first place... When your hosting provider demands your root password, refuse, quoting this story!

    1. asdf

      Re: Terminology

      >When your hosting provider demands your root password, refuse

      Wow no security expert that seems pretty obvious. Then again retards who use Office all day and think they contribute to anything probably gave it to them to reduce support costs.

  9. Anonymous Coward
    Anonymous Coward

    Let the fun begin

    It seems like hackers can't wait to get to the Iron Bar Hotel - they want express service.

This topic is closed for new posts.