Cloudie Networks, LLC. Data Leakage

2

Comments

  • MannDudeMannDude Hosting Provider
    edited December 2023

    @jarland said:

    @tmntwitw said:
    I have not seen the dump file, but assuming that the passwords are hashed and salted, I think it won't be a trivial task for someone to derive the original password from the hash? (Not a security expert here, so I might be wrong)

    But yeah, one should still change the password.

    From what I’ve seen they’ll have the code from configuration.php which is all that is needed to at least turn service passwords into plain text. So it’s not just billing passwords you need to change.

    Also email history in WHMCS may contain passwords generated for new services in plain text. For hosts who never changed it in email templates (not sure if WHMCS changed it themselves later), email history at least used to contain plain text passwords written by the user on registration.

    User on OGF that is going through the DB dump says they had ID's and other KYC verification in the dump, as well. So, that's makes this even worse for some.

    [ IncogNET LLC ] - Privacy By Design
    We believe that privacy and freedom of expression are two very important things, so we offer solutions to accessing and publishing content safely.
    [ USA: Liberty Lake, WA | Kansas City, MO | Allentown, PA ] [EU: Naaldwijk, NL ] [ CL Shared | KVM VPS | VPN | Dedicated Servers | Domain Names ]

  • @MannDude said: Personal details have been breached.

    And this was suspected and 99% confirmed by a lot of people already last week.

  • edited December 2023

    New email they allegedly sent out just now(from OGF)

    Immediate Action Required: Security Breach and Data Leak Update
    We are contacting you to address a critical security incident that has impacted our systems and potentially your data.
    Incident Timeline and Immediate Actions:
    
        December 16th, 2023 - Initial Breach Detected: Our team discovered unauthorized access in our WHMCS system and promptly notified all users.
        Proactive Security Measures: We initiated a fresh installation on a new server for enhanced security and to mitigate further risks.
    
    Data Leak Confirmation:
    
        December 28th, 2023 - Data Compromise Identified: Despite our actions, we have ascertained that certain data from the initial breach has been exposed online.
    
    Detailed Overview of the Leaked Data:
    
        Client Information: Names, addresses, phone numbers, and email addresses.
        Financial Data: Billing addresses, payment histories, and partial credit card details.
        Service and Purchase Records: Details of hosting plans, ASN registrations, and other services.
        Support and Communication Logs: Information from support tickets and email communications.
        Login Credentials and Security Data: Usernames, hashed passwords, security questions, and API keys.
        Custom Fields and Administrative Data: Additional client-specific information and administrative user data.
        Audit Logs and System Settings: Records of user actions and configurations within the system.
    
    Impact Beyond Cloudie Networks:
    
        Wider Industry Effect: The breach has repercussions for several providers, especially those using modules like WHMCSServices and WHMCSGlobalServices.
        Lack of Complete Provider List: Unfortunately, a comprehensive list of all affected providers is not available.
    
    Our Commitment to Enhanced Security:
    
        Selective Module Usage: To safeguard your information, we have discontinued the use of all third-party modules, with the exception of the Lagom theme.
        Infrastructure Security: We have migrated to a new server with upgraded security protocols to fortify our defenses against such incidents.
    
    Urgent Recommendations for Your Safety:
    
        Immediate Password Reset: Change your Cloudie Networks password using [Password Reset Link] and consider updating passwords on other platforms if they are similar.
        Account Monitoring: Stay vigilant for unusual activities in your accounts and report any anomalies.
        Beware of Phishing: Cloudie Networks will never ask for sensitive information via email. Use [Official Contact Link] for any verification.
    
    Additional Safety Measures Taken:
    
        Payment Information Security: We have cancelled all PayPal subscriptions and revoked/reissued Stripe card API tokens to prevent unauthorized charges.
        Resetting of Compromised Credentials: We've reset all leaked VM and Proxmox credentials as a preventive action.
    
    Staying Updated and Supported:
    
        Ongoing Updates: We will keep you informed about any new developments.
        Support Availability: We is ready to assist at Cloudie.sh Support. But please be aware that delays may occur due to the level of large volume of requests at the current time.
    
    Our Assurance:
    
    We are deeply committed to the security of your data and are taking all necessary steps to prevent such incidents in the future. We sincerely apologize for any inconvenience caused and appreciate your cooperation during this critical time.
    
    
    
    Best Regards,
    
    Cloudie Networks, LLC.
    
    Thanked by (2)bikegremlin FrankZ
  • @treesmokah said:
    New email they allegedly sent out just now(from OGF)

    I received this email, so can confirm that it is more than alleged to have been sent.

  • @tetech said:

    @treesmokah said:
    New email they allegedly sent out just now(from OGF)

    I received this email, so can confirm that it is more than alleged to have been sent.

    Although I didn't compare the quoted version word-for-word :p

    Thanked by (1)bikegremlin
  • @MannDude said: OGF says Cloudie's Discord mods are deleting mentions who bring it up in their chat, and nothing has been sent to their customers from Cloudie yet. :(

    Can confirm they do some crazy damage control, I was banned before I even managed to join, for some reason.

  • MannDudeMannDude Hosting Provider
    edited December 2023

    Wider Industry Effect: The breach has repercussions for several providers, especially those using modules like WHMCSServices and WHMCSGlobalServices.

    Email suggests that the original breach may have occurred from module(s) provided by https://www.whmcsservices.com/ or https://whmcsglobalservices.com/ ?

    WHMCSServices was mentioned previously, since it appeared to be a supply chain attack where they were hacked, and the hackers then sent an email with a file link to 'update' a module used which was what allowed access to other user's WHMCS. Is that correct?

    This is the first I'm hearing of WHMCSGlobalServices being in the mix of blame, can anyone confirm?

    [ IncogNET LLC ] - Privacy By Design
    We believe that privacy and freedom of expression are two very important things, so we offer solutions to accessing and publishing content safely.
    [ USA: Liberty Lake, WA | Kansas City, MO | Allentown, PA ] [EU: Naaldwijk, NL ] [ CL Shared | KVM VPS | VPN | Dedicated Servers | Domain Names ]

  • @treesmokah are you still giving the download link to people

    youtube.com/watch?v=k1BneeJTDcU

  • FrankZFrankZ Moderator

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    I would hope that was just a one time deal and he is not handing out the link to everyone who asks.

    For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add

  • edited December 2023

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    Yes.

    @FrankZ said:

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    I would hope that was just a one time deal and he is not handing out the link to everyone who asks.

    I do, everyone who reached out was a long time member that was most likely affected and wanted to check for himself. Everyone with malicious intents already have it, its public, I'm not doing anyone any harm by providing it to affected people.

  • @treesmokah said:

    @treesmokah are you still giving the download link to people

    Yes.

    I do, everyone who reached out was a long time member that was most likely affected and wanted to check for himself. Everyone with malicious intents already have it, its public, I'm not doing anyone any harm by providing it to affected people.

    I just sent a dm. Thnx

    Thanked by (1)treesmokah
  • FrankZFrankZ Moderator
    edited December 2023

    @treesmokah said:

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    Yes.

    @FrankZ said:

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    I would hope that was just a one time deal and he is not handing out the link to everyone who asks.

    I do, everyone who reached out was a long time member that was most likely affected and wanted to check for himself.

    I would consider passing around links to a hacked data base of customer information a black hat activity.
    I would like to hear other members thoughts on this.

    Thanked by (2)ahnlak RapToN

    For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add

  • edited December 2023

    @FrankZ said:

    @treesmokah said:

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    Yes.

    @FrankZ said:

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    I would hope that was just a one time deal and he is not handing out the link to everyone who asks.

    I do, everyone who reached out was a long time member that was most likely affected and wanted to check for himself.

    I would consider passing around links to a hacked data base of customer information a black hat activity.
    I would like to hear other members thoughts on this.

    I can stop If you want, but I find gatekeeping already public leak to be pointless. Nobody with malicious intents will come here and request it from me.
    I personally do not find anything what I did wrong, I did due diligence on people requesting it and decided to pass it to them.

    Cloudie presented misleading information stating no personal information was leaked, so I'd rather want affected people to not take his words on the leak and check for themselves.
    It can also be used for research and documenting his incompetence and negligence.

  • FrankZFrankZ Moderator
    edited December 2023

    In my mind it is not that the information is known to be out in the wild, it's a question of if passing that data around is the right thing to do for a white hat forum. In my mind you should stop as people already know if they are affected because the hackers have probably already notified them directly.

    Thanked by (2)webcraft bikegremlin

    For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add

  • webmashwebmash Retired
    edited December 2023

    It's out in the wild, with more leaks being dumped of other providers. Don't see an issue with treesmokah, they haven't posted any links publicly or looking to gain from it. Sad for anyone that's been breached... quite awful

    Thanked by (1)treesmokah
  • mikhomikho AdministratorOG

    @treesmokah said:

    @FrankZ said:

    @treesmokah said:

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    Yes.

    @FrankZ said:

    @Otus9051 said:
    @treesmokah are you still giving the download link to people

    I would hope that was just a one time deal and he is not handing out the link to everyone who asks.

    I do, everyone who reached out was a long time member that was most likely affected and wanted to check for himself.

    I would consider passing around links to a hacked data base of customer information a black hat activity.
    I would like to hear other members thoughts on this.

    I can stop If you want, but I find gatekeeping already public leak to be pointless. Nobody with malicious intents will come here and request it from me.
    I personally do not find anything what I did wrong, I did due diligence on people requesting it and decided to pass it to them.

    Cloudie presented misleading information stating no personal information was leaked, so I'd rather want affected people to not take his words on the leak and check for themselves.
    It can also be used for research and documenting his incompetence and negligence.

    I would prefer if you stopped doing it, at least on LES.

    the DB is stolen from Cloudie and handing out stolen property/goods is a felony in my book.

    If people are interested in the DB for ”research” or to ”check ” if their data is in it.
    Since its in the public, let them search for it.

    And they should already know if they are, or have been, a customer. In that case they should assume that their data has been sold/given away to other people and change their password (if they haven’t already).

    I’m not saying that I’m an expert in GDPR, but spreading other peoples personal information (as you do by gicing out links to the DB), even you could face charges in the EU.

    In short, let interested people search for it.

    “Technology is best when it brings people together.” – Matt Mullenweg

  • In general I don't see a problem with passing around the link because it's widely available. However, I doubt this forum is the right place for it and thus it shouldn't be distributed here. Making aware that there's a public link is ok but we shouldn't be a place where things like this are exchanged, it's a different scope.

    Thanked by (2)mikho FrankZ
  • @mikho said: I would prefer if you stopped doing it, at least on LES.

    All right, I will.
    Thanks for presenting your points, I'm sure I wouldn't be prosecuted for it, but I respect you.

    Thanked by (2)mikho FrankZ
  • mikhomikho AdministratorOG

    To clarify, we can still discuss the breach but do not spread the material.

    Thanked by (2)FrankZ whmcssec

    “Technology is best when it brings people together.” – Matt Mullenweg

  • Yeah - name who else got hacked and why the fuck I did spam on my phonenumber (-:

    Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
    https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png

  • FatGrizzlyFatGrizzly Hosting Provider

    @Jab said:
    Yeah - name who else got hacked and why the fuck I did spam on my phonenumber (-:

    thai provider: https://secure.jvh.co.th/

    https://cloudfitters.com

  • edited December 2023

    @FatGrizzly said:

    @Jab said:
    Yeah - name who else got hacked and why the fuck I did spam on my phonenumber (-:

    thai provider: https://secure.jvh.co.th/

    https://cloudfitters.com

    Another one https://managedway.com/
    https://bgp.tools/as/53292

    They seem fairly large.

    Thanked by (1)whmcssec
  • @treesmokah said:

    @FatGrizzly said:

    @Jab said:
    Yeah - name who else got hacked and why the fuck I did spam on my phonenumber (-:

    thai provider: https://secure.jvh.co.th/

    https://cloudfitters.com

    Another one https://managedway.com/
    https://bgp.tools/as/53292

    They seem fairly large.

    oh they're big, rip

  • MannDudeMannDude Hosting Provider

    @treesmokah said:

    @FatGrizzly said:

    @Jab said:
    Yeah - name who else got hacked and why the fuck I did spam on my phonenumber (-:

    thai provider: https://secure.jvh.co.th/

    https://cloudfitters.com

    Another one https://managedway.com/
    https://bgp.tools/as/53292

    They seem fairly large.

    Oof.

    What's the word on the cause of these? Third party WHMCS module? Something else? I've seen some conflicting info.

    [ IncogNET LLC ] - Privacy By Design
    We believe that privacy and freedom of expression are two very important things, so we offer solutions to accessing and publishing content safely.
    [ USA: Liberty Lake, WA | Kansas City, MO | Allentown, PA ] [EU: Naaldwijk, NL ] [ CL Shared | KVM VPS | VPN | Dedicated Servers | Domain Names ]

  • edited December 2023

    @MannDude said:

    @treesmokah said:

    @FatGrizzly said:

    @Jab said:
    Yeah - name who else got hacked and why the fuck I did spam on my phonenumber (-:

    thai provider: https://secure.jvh.co.th/

    https://cloudfitters.com

    Another one https://managedway.com/
    https://bgp.tools/as/53292

    They seem fairly large.

    Oof.

    What's the word on the cause of these? Third party WHMCS module? Something else? I've seen some conflicting info.

    Everything points to WHMCSServices, attacker 100% has access to their DB and probably pushed infected versions of addons.

    More info on ManagedWay

    Thanked by (1)MannDude
  • MannDudeMannDude Hosting Provider
    edited December 2023

    @treesmokah said:

    @MannDude said:

    @treesmokah said:

    @FatGrizzly said:

    @Jab said:
    Yeah - name who else got hacked and why the fuck I did spam on my phonenumber (-:

    thai provider: https://secure.jvh.co.th/

    https://cloudfitters.com

    Another one https://managedway.com/
    https://bgp.tools/as/53292

    They seem fairly large.

    Oof.

    What's the word on the cause of these? Third party WHMCS module? Something else? I've seen some conflicting info.

    Everything points to WHMCSServices, attacker 100% has access to their DB and probably pushed infected versions of addons.

    That's what I thought as well, but I thought there was some screenshots shared here or on the OGF that indicated that may not be the case. 🤷‍♂️

    [ IncogNET LLC ] - Privacy By Design
    We believe that privacy and freedom of expression are two very important things, so we offer solutions to accessing and publishing content safely.
    [ USA: Liberty Lake, WA | Kansas City, MO | Allentown, PA ] [EU: Naaldwijk, NL ] [ CL Shared | KVM VPS | VPN | Dedicated Servers | Domain Names ]

  • edited December 2023

    @FatGrizzly said:

    @Jab said:
    Yeah - name who else got hacked and why the fuck I did spam on my phonenumber (-:

    thai provider: https://secure.jvh.co.th/

    https://cloudfitters.com

    Attackers sent out emails using their systems.

    Its "supposed" to be leaked soon.

    Thanked by (1)whmcssec
  • FrankZFrankZ Moderator

    whmcssec just joined LES

    For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add

  • edited December 2023

    More providers hit, https://hostersale.com/, https://serverwala.com/(name I recognize for some reason) and https://the23.digital/. I have not verified the data.

    Maybe @whmcssec is willing to discuss specifics?

Sign In or Register to comment.