WHMCS Website Hacked and Database Leaked
The WHMCS website and Twitter accounts were compromised yesterday, and their full database (and files) were posted online.
Yes, this means that if you have an account there, or if you use any of the WHMCS products, you have to change all your passwords ASAP and wait for a confirmation from them before downloading anything from their website again (since it might still be compromised or contain backdoors).
They posted the following on their blog:
A little over 4 hours ago our main server was compromised. This server hosts our main website and WHMCS installation.
What we know for sure
1. Our server was compromised by a malicious user that proceeded to delete all files
2. We have lost new orders placed within the previous 17 hours
3. We have lost any tickets or replies submitted within the previous 17 hours
What may be at risk
1. The database appears to have been accessed
2. WHMCS.com client area passwords are stored in a hash format (as with all WHMCS installations by default) and so are safe
3. Credit card information although encrypted in the database may be at risk
4. Any support ticket content may be at risk – so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, we recommend changing them now.
At this time there is still no evidence to suggest that this compromise actually originated through the WHMCS software itself. This was not merely a WHMCS system access, and since we do not provide hosting ourselves, our WHMCS is not hooked up in any way to our server.
We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.
Here are a couple of updates from their blog after their initial post:
We don’t have more details of what happened, but according to their Latest Status Update on the blog, this all started with a splash of social engineering.
As of the time we were writing this post, the WHMCS website is still under active DDoS attack. If we get more information, we will post.