Fasthosts has announced that "a number" of its customers'* FTP spaces were raided as a result of the major hack that triggered a police investigation last month. It has applied a system-wide reset of thousands of passwords as a result. The Gloucester-based webhosting firm yesterday performed the emergency reset of control panel …
I only run a small local forum and fasthosts have caused nothing but problems over the last year or so. First of all I lost all my content (luckily it was backed up to my home PC). A few months went by and then my SQL server just upped and left, it appears it had enough of fasthosts. Then I went to login this morning and it appears that my SQL database has shat itself as my site is showing nothing but SQL errors :(
This is bad enough for someone like myself running a simple forum, imagine the hassle people must have trying to make a living on the back of all this!
Enough is enough....
I have just been charged a late payment fee!!! They are ignoring all the recent fuss over credit cards and bank charges and if you don't pay within 7 days of your hosting expiring they charge you £20 +VAT!! P.S. They don't tell you about the charge until your renew, in a kind of thank you for your repeat business charge!!
Not sure what is more amusing
Not sure what is more amusing... people not changing passwords when they've been given notice fasthosts has been ransacked or people using fasthosts for mission critical websites......
I have two Fasthosts accounts and as I have my websites generated by WordPress, then the major MySQL database password reset brought both sites down and I was also banned from accessing both FTP accounts.
I changed all my control panel, FTP, MySQL and email passwords on the 18th October when the security breach came to light. Yet, I was still barred from access last night.
Fasthosts is hiding something here, as why would they disable/change my already changed passwords. A second security breach maybe?
Honesty is the best policy here. Own up Fasthosts if there is a second breach.
Also, if user's FTP accounts were breached, the hackers could easily upload sniffer programs to users FTP directories. Fasthosts have never warned the users to look out for suspicious files.
I have used FastHosts dedicated Linux server in the past, until it was hacked, through a (as it later turned out) a well known vulnerability that was not patched, and all the websites on it were defaced.
That was enough for me to buy my own Dell server, and host it in a professional data centre for £100 per month. Now that I, and only I have complete control over my own server, knock on wood, I have not been hacked in 5 years! All you need is to close all ports except the ports that you need, apply all the patches, and disable all, but critical services.
P.S. and having your own server means that you can do whatever you want with DNS, email servers, etc – something hosters will not (or be unable to) do.
Oh, am I the only one that can't do any work because our websites down?
My thanks to Fasthosts
I offer my thanks to Fasthosts for this - I have been debating for a while (since the last debacle) whether or not to move to a different hosting company for me & my clients.
Fasthosts by again showing their excellent customer service have made up my mind for me.
Just packing my bags now.
Fasthosts Password Blunder
What a total farce. The person that instigated this change and the timing of it should be sacked along with the person that thought they were competent enough to be given the job. I have 4 fasthosts accounts and so am affected in many areas - web sites down, passwords for email not working, unable to manage domain registrations.
The email says that a SMALL number of clients' FTP areas were compromised so fasthosts have shutdown a large number of their clients sites. This is worse than being hacked because I now just have to wait for the post. I can't call them because their phone lines must be overwhelmed.
I have already wasted time dealing with support calls as a result of these changes and now I need to invest time in finding a replacement provider and transferring over 100 domains since I cannot trust Fasthosts - not the fact that they had a breach but their poor judgement on how best to resolve it.
Not the best business practive
This is not the 1st time that fast host has pulled this trick. I had my clients screaming at me for not being able to access their emails or their bookings( on hosted database), in one case is a private car operator who rely on the database hosted on Fasthosts to manage their bookings - I do not believe he will be staying with Fasthosts for much longer along with many of my other clients.
I'm a Fasthosts customer, for my sins, and had previously been through my account and changed all the passwords following their cock-up. Despite this, I come to check on my site this morning and lo and behold, it's dead in the water courtesy of the database passwords having been changed.
Curiously, this and the FTP account seem to be the only logins affected as the details for logging onto the control panel haven't been reset. Which seems a bit daft.I wouldn't mind but, as I'm sure others will attest, there was no warning, it just happened.
Great - fantastic, they've reset my Control Panel, FTP and SQL passwords (which also takes down my website) with the mail set to go in 10 days... no need to panic though as they're sending a new password via Post...
... which is nice as I'm working in Hungary for a year and post forwarding takes 4 weeks... if you're lucky.
Tried calling them, but that's not happening. Maybe I should have paid attention to the first email... what a shitter.
re: Not sure what is more amusing
The key point here is that they did NOT give notice of this emergency password reset. They just did it. And now you cannot use the new details to access the FTP, because the FTP servers do not allow connections.
I only have a couple of clients site's on Fasthosts, I keep my eggs in different baskets, resold to me by a third party, so I was completely unaware that a password change was required, and it turns out that this wouldn't have helped anyway, as even those who DID change their passwords got them changed AGAIN last night.
On a different matter, the article posted on the 30th of November talks of email passwords changing on the 9/10 November, was that a typo? Should it say 9/10 of December?
For the price, you can't beat them
I changed our passwords after the original intrusion. As a result they were not affected by this forced change. The only problem we've had in three years is a faulty drive controller.
What A Bunch Of Amateurs
We received an email at 22:27 yesterday evening (Thursday 29/11/2007) informing us that all of our Control Panel, FTP and SQL passwords had been changed, effectively disabling all of our database driven websites and locking us out of every single website that we have hosted with them (approximately 200).
A little bit of warning would have been appreciated. As it is we are now an internet company with absolutely no control over 50% of our business because someone at Fasthosts thought it would be acceptable to reset every single password without notice and then send the master password via Royal Mail on a Thursday/Friday. Needless to say that on Friday morning, this master password has not yet arrived!
I can safely say that we will be removing all services currently hosted with Fasthosts within the very near future (or at least as soon as we can log in).
I spent a goodly amount of time changing my passwords, as advised, after the original debacle, and like others above, I now find that they gone and reset them anyway.
Bunch of tossers. Time to move.
Morons, total morons
Fasthosts. The epitome of mismanagement and bad decisions. Thanks for shooting me in the face. Thanks a short term future filled with talking customers through changes to their outlook email passwords. Thanks for completely reprioritising my already hectic schedule. Any other random, sweeping, ill-advised changes i can look forward to for Christmas?
Any incentives to stay with FH?
@AC. I've been abroad for the last two months (returned last night) and was unable to change my passwords, thank you. I certainly wasn't expecting the country's biggest host to get hacked in the meantime.
Now I'm locked out of my sites until snail mail decides to send new passwords in a few weeks (that's assuming the postal workers don't go on strike again or they get lost in the Christmas deluge).
Some sort of financial apology from fasthost would be in order if they want to keep my custom -otherwise they can all burn in hell
If a small selection of accounts have been compromised, then just reset those account details. If you want to target people who haven't changed their passwords since the last hack then just reset theirs. To put a large selection of your client base through a major inconvenience because of the lax security of a few is ludicrous.
I agree with the earlier poster - it does seem like they've been hacked again and had all their passwords siphoned off. Unfortunately it's likely that we'll never know. I'm looking forward to the day when companies are legally forced in the UK to publicly report in a timely fashion any security breaches resulting in the exposure of customer data.
I forgave them after the previous incident. Now that it's happened again, I'm outta here. Any recommendations?
You have noone to blame but yourselves
Ok, none of you lot who replied have any excuse - you read The Register, I do to. All my passwords on our three Fasthosts boxes were changed within minutes of catching The Register story, and long before the weasels at Fasthosts actually bothered to tell us of the problem.
If you have a hosting account with anyone, you have to pay attention to security announcements - and you can't claim Fasthosts gave no warning, you've had AGES since the hack to get your passwords in order.
Not that Fasthosts are a shining light in the hosting world, by any means. I wouldn't host anything more with them now because of this.
Reset passwords that WERE changed
I changed my passwords - they reset them anyway.
I am totally locked out of my website and SQL is broken.
How can Fasthosts be so damn stupid.... it's incomprehensible.
Fasthosts Phone Number
Does anyone have a phone number other than 0870 888 3600 for Fasthosts, I need to give off, but haven't been able to get through all morning!
Like many others, I changed all my passwords back in October when the first balls up came to light, then moved my important bits to another host. When I tried to log in to UKReg this morning to complete the move and change my IPStags to my new DNS host, low and behold I was met with the 'Wrong Username & Password' message. I thought, 'right maybe its me and I've genuinly forgot my password' so I clicked on the Forgot Password link only to find "Unfortunately this service is unavailable at the moment. Please contact Customer Support for assistance.", so I try to call customer support and get "All lines are busy".
I'm now left sitting at my desk with UKReg/Fasthosts on redial contemplating driving up to Gloucester to speak to their 'Customer Support' face to face, if anyone wants to car pool drop me a line.
How amatureish can you get.
Our control panel passwords were changed following their previous recommendation, however they have still reset them
We discovered our site was down around 10pm, we didn't receive the email until 00:54, my colleague finally managed to get through to support around 03:30 who claim to be unable to do anything and we must wait for the new passwords by mail, however they couldn't even guarantee that it would be mailed today, therefore at the earliest it will be Monday before we can get back up and running, with the vagaries of royal mail it could be much longer.
Fortunately all my critical websites are hosted elsewhere, unfortunately we can't even access this particular one to shift the content to another server.
I guess they are right from a security point of view you can't get much better than locking everyone out, from a business point of view they couldn't have handled it worse. I certainly won't be giving them any more money.
We have 100 domains with an average of about 4 emails per domain with them. Since they have no export function I'm going to spend a good hour putting together a list of all our emails.
Then generating random passwords for them all and writing a script to mail the new passwords to them all.
THEN wait for the shit to hit the fan in 10 days when most people's emails stop working.
And I can't even start on this until my master CP password arrives through the post :(
I changed my passwords...
... after the first hack. They have now been changed again by Fasthosts.
So yes, I do pay attention to security announcements. And no, I have no idea why they decided to reset my details and others who took the same precautions.
Their fubar, not mine. Their responsibility, not mine. Still my problem though.
i did change my passwords
I changed all my passwords as soon as I read on the register of the problem on the 18th of October, the second passwords to be changed were the database ones, howerver this didn't prevent FH from resetting them and 4 ftp passwords that I had also changed. FH had previously warned me of 2 ftp accounts that I had overlooked, which I deleted as they were no longer used (and didn't have access to anything).
the timing was dreadful, the lack of notice is appaling, and yes I will be changing hosts.
I moved away from Fasthosts many years ago when they shut my account down for abuse of their T&C's
Apparantly, because my site was popular and a lot of people downloaded files (I was part of a group who modded games) they said I was breaking their T&C's by allowing non Web traffic.
I argued that a zip file is web traffic as it was being downloaded via the web site and not FTP but they said nope, it was non web traffic as it was not html and my account was suspended. FFS!
They only did this becuase my site was popular and had a lot of traffic. So, I can only say how sorry I am to all those caught up in this as I know how frustrating it is dealing with these muppets and I hope that Fasthosts finally lose a large section of their customer base and people realise what a bunch of idiots they are.
re: Fasthosts Phone Number
Fax: 01452 538485
what a farce...
Whether someone changes their password or not, what has it got to do with fasthosts? If people are stupid enough to not change their passwords and allow their accounts to be compromised, more fool them - as long as fasthosts have warned them to change it, the customer would have no comeback. I can't help thinking something here is being covered up.
This latest change is a complete farce. I changed my passwords and now find myself thrown out of my acccount. Cheers fasthosts. Couldn't organise a piss up in a brewery.
Mass legal action for loss of profit anyone and associated costs, anyone?
Get rid of the geek at the top...
The way Fasthosts works is like the IT department of yester-year. An arrogance - "WE know best, you're just a dumb user!". Remember those days?
Well, the retard who should have stuck to sitting in a darkened room programming has somehow got to a position of authority and is still acting like those long-gone arrogant IT dinosaurs.
This is not customer-service. This is not good management. This is not professional. It's a sweeping "we will do this because it's easier for us and we know best what is safest".
Well, patently they don't. They forget that they are dealing with IT professionals of equal if not better abilities.
Anyone with a modicum of sense would have thought the problem through and done the important thing which is KEEP THE SYSTEMS UP! A moment's thought would have revealed that sites in this century cannot be offline for several days while the postman does his thing. But then, why should this bother Fasthosts?
I'll tell you why. Because the money saved in cheap hosting is money lost from disgruntled on-line customers. I cannot, and will not, keep my sites in a place where they are exposed to such unimaginative and unintelligent handling of security issues. Can you blame me?
Would it have been so hard to send an email telling all customers of the problem, urging them to have all passwords changed within 24 hours and then putting in place measures to support those who for one reason or another did not change their passwords? Is it really necessary to "validate" authentic owners by posting passwords to the stored postal address? Could not the same validation be done on-line or on the phone using this and the plethora of other data held by Fasthosts? Could not "The Team" call the phone numbers which are also held by Fasthosts to explain and support? A quicker, cheaper solution and as secure as using postal information? If I can sit here coming up with better customer solutions over a cup of coffee, could not those paid professionals at Fasthosts come up with something even more elegant and efficient?
Shoot the dinosaur. Heads must roll at Fasthosts.
Fax: (0870 8883555) 01452 538485
0870 8883500, 0870 8883530, 0870 8883700 & 0870 8883800
don't let fasthosts profit from their own misdemeanors, call tech support on the local number:
at 3am i was number 25 in the queue. good luck getting through!
just wanted to add +1 voice for "i changed my passwords when told to, they still locked me out".
fasthosts = incompetence by another name
Ask for a new password over the phone, they will do it after 3 hours on hold, and 6 security questions. 3 hours on an 0870 thats £15 on which fasthosts must getting a revenue share ...we've changed the passwords on 2 out of our 178 domains we manage - think 500-800+ passwords to change including emails! But even after the change we still can't FTP
I can't believe they actually did this....
Unbelievable!?!?!? How about a warning that failure to reset your password would result in an automatic reset? Or how about posting the new passwords prior to the reset so we can log in again imediately after the reset? I have, as i'm sure many do, an important launch on monday which NEEDS the website updating. Will they give me a temporary password if i call? Given that it will take days to get through, maybe it's best to wait for the post - i can always redirect the website to a holding page till then.... oh no, wait, I can't.
Right, so who should i move my hosting to?
0870 888 3600 came up with Fasthosts Internet Ltd 01452 541499
And other information:
01452 541250 /01452 541251 /01452 541252
Fax: (0870 8883555) 01452 538485
Also for 0870 8883500, 0870 8883530, 0870 8883700 & 0870 8883800
Are Fasthosts faking it?
This makes you wonder if the reviews and recommendations they display on their site are fakes?
Fasthosts debacle - vote with your feet!
Only Fasthosts could have poured contempt on their customers in this way! I run a small business - fasthosts have now disabled my website - rendering it useless, (even though I changed the passwords as instructed last month). I will now loose business in what will be one of my busiest weekends of the year. If I survive this, I will move my online business to another host.
Heads should roll at Fasthosts - but they probably wont. Vote with your feet - find a host that doesn't show such contempt to their customers!
Count me in. And if I can work out a way to successfully move 100+ domains without causing my customers grief before my reseller account renews in Jan I'm off. I also changed all the requested passwords from the original PDF on the day it was sent. I don't really want to run a dedicated server but they've just tipped the balance of work decidedly in favour of it.
It's very true that you get what you pay for and, aside from a couple of minor gripes that could happen on any shared server system, I've been more than happy with the return from FastHosts up to the last couple of months. I was fairly unimpressed with the original issue but it's the cackhandedness of the response to this one that is just unacceptable - and I'm one of the lucky ones in that at least all of my sites are still up.
I'm also working abroad and won't be able to personally see any post they send me; fortunately it can be securely read for me. On this subject though, I also have a tip for those of you who've been told they've reset your CP password: I think they've said this in the PDF even when you changed that as requested and they've only changed the Admin one, not the overall CP one, if you didn't change the Admin one as well.
Enough is enough, can't get hold of anyone on support, changing passwords for all email accounts, web accounts etc. etc. etc. wasting time painful process - moving to Rackspace....
Two CD's eh?
oh, pardon me, I thought you said Royal Mail
Full of Crap . . .
Some spotty little work placement student has pressed the BIG RED BUTTON and some numpty at Fasthosts thought it would be a good idea to fill all of their customers full of crap.
This stinks of a major blunder and a rubbish cover-up to me, no-one in their right mind would knowingly agree to this kind of service. I don't really know how good Heart Internet are, but they're getting about 200 new hosting accounts from us!
I think Fasthosts will suffer reatly after this, their latest little cockup.
why are the passwords available anyway?
okay, I must be missing a step here.
why on earth was Fasthosts storing passwords in a clear text format in the first place?
we run a rather large blogging community, and even if our system was hacked, the list of passwords would be completely useless to them. our passwords are stored using a special encryption.
where they using the standard linux "passwd" mechanism to store the passwords?
i think more questions need to be asked in how the passwords where being stored.
But they've not changed everything...
I'm also with Fasthosts, and in general been very happy with them (it's just a personal domain, web @ email) - on the few occasions I've delt with support they've been good.
This password change is crazy.
I changed all my passwords except 1 (my wife's email) when I heard of the hack, so reading this I was expecting to have to reset her email to somethign she'd remember, but no, just logged in via webail using the old (and not very secure!) password with no problems!
Agree with the earlier poster - to fix this you send a warning email and post replacement passwords in advance. Its not that difficult to figure out surely...
This is why I don't host with amateurs anymore...
I've watched this and other horror stories unfold over the years and thank the heavens that when I chose to move in '99, I chose well. I have never had security issues with my current provider who are on the ball when it comes to 'sploits, patches, upgrades and the like. And I'm joined by some of the big names out there... Tom's Hardware (THE hardware review site in the world) being one.
Vote with your feet, switch providers to someone who believes that customer service and security are not necessarily exclusive of each other. Viva Pair.
Given the amount of angst this is causing, and given that they have "closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again", might I suggest that they revert all passwords which they changed en masse (and not those changed since) to those current before this farce began?
I think we have now got the message that someone wants us to change our passwords.
Can this be a risky strategy since they "closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again" back in October?
And on a risk management basis, getting the majority of users back on-line far outweighs the chances that a hacker is standing by to wreak, what? Havoc?
I think even the most successful hacker could only dream of causing this much chaos.
Rethink this, Fasthosts
Having changed all the FTP passwords as advised in October, I now have to do it again? But also the email addresses as well?
With hundreds of accounts on a reseller package, this may take a week, and your control panel is already struggling.
Please reconsider this email debacle if you want to keep us.
Blaming this on people who did not change their passwords is a red herring and I smell this fish. If they had not been changed, you should have done it for them there and then. Simply incompetent.
To Rich Harding
Depending on whether your customer sites are Unix (BSD/Linux) or Windows based, moving all of them across to a reputable service (like Pair Networks like I've done) should be fairly straight-forward. They also offer resellers significant discounts (I'm too small to be a reseller, but I've looked at their programmes), so it may be useful into looking at them.
The only negative (if it is a negative) would be that they are based in Pennsylvania (and hence under US jurisdiction).
"Mass legal action for loss of profit anyone and associated costs, anyone?"
if you know of anyone in the legal industry prepared to take a look at this then count me in.
Come on people!
How many stories like this (not just Fasthosts, many other low cost hosting companies) do you need to read before you get a clue?
If your business can loose money/reputation through downtime, either pay for a quality host, multiple hosts, or at least drawn up (and if possible rehurse) plans for moving hosts (using your backed up sites/data) asap.
We use fasthosts for domain registration (and have DNS servers at two other separate locations). We changed our passwords when advised, and they were not locked out yesterday. I think some people on here may be telling porkies to cover their arse cos they didn't act in time...
Just to say, I have been using them as one of my baskets for some accounts, as to date they have been fantastic.
They respond to queries rapidly and are very knowledgeable.
But then, Fasthosts were like that once, weren't they?
Just to really cover my arse, I haven't had any problems with Heart, and would recommend them, but your mileage may vary, as well as your needs from the service.