The Joy of Being Hacked

Jun 12, 2007

Nearly a week ago, a malicious person or group of persons hacked into DreamHost, the company I use as a web host. The passwords for over 3,500 FTP accounts were compromised, and some customers found unauthorized changes to files or directories. My account was among those that got hacked, and the experience has made me a better computer user.

Having a password stolen is frightening enough, but my situation was nearly a worst case scenario. When I originally set up my user account with DreamHost, I naturally provided the password to be used with that account. This user account granted me access to the DreamHost web panel, FTP uploads, and access to the web server's shell (via either telnet or ssh). When I later set up an email account, I chose to use this same account out of sheer convenience. I made a likewise decision for access to my web server logs. So, in short, one username and password provided me access to five areas:

  1. The DreamHost Web Panel
  2. My web storage (via FTP)
  3. My web server home directory (via telnet or ssh)
  4. My primary email address
  5. My server logs

Do you see the problem here?

As soon as I got the email that my FTP password had been compromised, I realized how slack I had been about security and panicked. Thankfully, none of my files or databases were corrupted (though I'm still taking a look through everything). I have since changed all of my passwords, and they now all differ from one another, something I should have done from day one.

I try to be as security conscious as possible, but I really dropped the ball in this area, mostly for convenience's sake. This is the first time I have been 'hacked' like this, and I'm actually glad it happened. The experience has motivated me to be more secure in my password handling.

Lots of people are jumping ship as a result of this, but doing so seems premature to me. The folks at DreamHost are being open and honest about the problem, and I really appreciate that. Any company that steps up and says "we made a mistake and we're trying to prevent it from happening again" is worth sticking with. At the very least, I've learned a much needed lesson.

Update: I forgot to mention that other web hosts were also hit by this attack (according to this post), so it wasn't solely a DreamHost issue.

web
Newer Post Previous Post

9 Comments

enc

8:44 PM on Jun 12, 2007
I thought that you're a better geek than using one username and password for few accounts at once. I'm really disappointed with you. Paranoia takes priority against any conveniences!

Jonah

11:11 PM on Jun 12, 2007
They aren't technically multiple accounts; it was multiple "services" used by one account. Was I stupid? Yes. I don't deny that. In my defense (as weak as it may be), DreamHost automatically used the default user account for access to the Web Panel and my site's web logs. You had to go out of your way to change the password on those services, and I was apparently too lazy to do it. These are also the only cases where I was using the same password for a service. All my other passwords (WordPress, AWStats, database passwords, etc) have always been different. The aforementioned instances were the cases that I screwed up. I'm doing things right now, though. That counts for something, right? :oops:

enc

6:10 AM on Jun 13, 2007
to err is human ,)

kip

11:36 AM on Jun 13, 2007
Well here's a question for you- why were FTP passwords stored in such a way that anyone could retrieve them in the first place? Typically you store a hash of the password, not the password itself, to prevent this kind of thing from happening...

Jonah

1:31 PM on Jun 13, 2007
Well here’s a question for you- why were FTP passwords stored in such a way that anyone could retrieve them in the first place? Typically you store a hash of the password, not the password itself, to prevent this kind of thing from happening…
That's a good point, and I'm not sure that DreamHost has explicitly said how the attackers got to the passwords. The Web Panel at least used to show a user's password for convenience (a questionable practice, I'll agree), but they no longer do so. It does make one wonder how they store sensitive data like this. Apparently, the attacker also tried to access billing information, but was unable to, so they are apparently encrypting that kind of thing. One other point I failed to mention (and I'll update the post with this info): DreamHost wasn't the only web host to get hit with this attack. According to their follow-up post, other web hosting companies were hit too (though they don't name names).

kip

1:58 PM on Jun 13, 2007
It's good that they are being open about this. That earns them lots of points in my opinion. Sometimes when a company's customer data is stolen, the company doesn't even inform customers. They are afraid of being sued or something, so they don't say anything--they hope the customers, when they see charges they didn't make on their card, will just assume they are victims of "identity theft", without realizing how their credit card number was obtained. The sad thing is that this probably happens a lot more than we realize, with the retailers getting away with it while the customers have to deal with fraudulent charges. :?

Jonah

2:01 PM on Jun 13, 2007

Here's a snippet from a comment on their emergency status blog:

Regarding passwords, rest assured that we are taking more steps to update our back-end systems for better security and the steps taken so far are not the end of it. It is not practical for us to store passwords in an undecryptable form due to the requirements of our support team to provide support to you, but there are steps we can take to greatly limit access.

That's one scenario I hadn't thought of (providing support), so I can see the need to have two way encryption (rather than a one-way, unrecoverable hash). Hopefully the guys at DreamHost will provide a little more information on how things happened. If nothing else, it would be interesting to read.

I also just noticed that DreamHost has a new Disallow FTP option for shell accounts. I've just enabled this on my user account (since I only use SSH and SFTP), so maybe that will help thwart future malicious access attempts.

kip

4:22 PM on Jun 13, 2007
For support they could still create a new password for you if you were locked out.

Jonah

7:21 PM on Jun 13, 2007
That's true. I'm not exactly sure why they would choose two way encryption, though I know that two-way encryption can be done in safe, secure ways (KeePass, the password manager that I use, does it).

Leave a Comment

Ignore this field:
Never displayed
Leave this blank:
Optional; will not be indexed
Ignore this field:
Both Markdown and a limited set of HTML tags are supported
Leave this empty: