Fasthosts has promised it will bring in more support staff to deal with the volume of calls it is still receiving following its poorly-handled password reset on Friday. Many customers haven't received the replacement passwords that the Gloucester webhost said it had sent in the post. We asked for an update on the debacle, and …
Is what we're calling them at the moment
Yesterday I received the password to one of two Farcehosts accounts I have, luckily it's the one I want to cancel before it's re-billed at the end of the month, but logging into their (particularly pants) control panel
- after typing out the password several times because I thought capital "i" was a lower case "L" and their 'scrambled letter' anti-bot password is not much better either because how can you tell the difference between x and X? or o and O?
anyway after I eventually successfully logged in I spent a further 15 minutes trying to navigate the damn interface trying to find the cancel account option, which doesn't seem to be there, they don't want me to leave? which means I'm probably going to have to waste even more fricken time (and also money) on the phone to these prats
Forcing password changes for people too stupid, shortsighted and/or selfish to do it themselves after a widely publicised major break-in seems perfectly reasonable to me. Your laziness is potentially affecting my business.
Why the hell Fasthosts was storing plain text passwords in the first place is another question.
"can be provided with their new passwords over the phone"
doesn't that sound like they're storing unencrypted passwords still?
please please tell me that they're generating new ones over the phone and not storing them unencrypted again
They say they're re-setting the e-mail passwords soon if you don't manually change it first.
They'll probably e-mail out the new ones :)
On the 13th December they are resetting the passwords on all the email accounts which have not been changed since 10th October.
So these people will lose their email too!
lost customer 'losthosts'
As soon as I receive my passwords (if ever) I will be taking my business elsewhere.
This is an absolute joke. I've been locked out of my control panel for well over a week now. They had the cheek to send another email yesterday 'announcing' the forced change of passwords for webmail too.
I don't have the time to sit on hold, trying to get through to have my details 'verified'
How will they even know it really is me in the event the hacker has all the necessary details?
exasperated...don't come close
My Fasthosts saga
I have two hosting accounts with Fasthosts, using a total of 3 MySQL databases. When I got the password change advisory letter in October, I changed my control panel and FTP passwords. The SQL passwords are not quite as simple a matter - if you change those, you have to go inside the applications that are utilising the databases, and change the details which connect the application to the database - not always a simple matter. So I decided I'd take the chance and leave those, and the e-mail passwords, until a later date when I had some time to spare. OK I went against the advice there, but that was my choice.
Last Thursday evening I had reports from my users that they could not get in. When they tried to log into forums etc, they were faced with SQL 'cannot connect' errors. I got the e-mail from Fasthosts saying that all my passwords had been changed blah blah and they'd be sent in the mail to me. I e-mailed Fasthosts support on Friday morning asking for my new password details to be e-mailed to me by return. Obviously, all I needed was the control panel password then I could go in and change all the other passwords and get my sites back up and running again. That e-mail was auto-acknowledged by Fasthosts, but has never been responded to.
I happened to notice in one of the comments on this forum that, if you had changed your passwords when the original advisory was issued, that password would still be valid. That enabled me to log in and change the SQL passwords so that I could access the databases again. Then all I had to do was find out how to change the password details in each affected application and all would be well. This unfortunately is not as easy as it sounds, and I wasn't able to get my second site up and running until Friday evening.
If I had waited for help from Fasthosts, my sites would still be down now, almost a full week later, and still no letter has arrived in the post. They left me high and dry. Needless to say I'm moving my accounts, and am already getting on famously with my new hosts, Heart Internet, and setting up my new sites. The Register has been invaluable through all of this, without it none of us would have had a clue what was going on.
I used to have an account with their "StreamLine" face, but recently ditched it after the growing amounts of spam and diabolical "Control Panel" - you couldn't control anything with that piece of crap
Having suffered as many other Fasthost customers have recently. Does anyone have any better suggestions of where to take my business?
Quote from main article:
"Customers who haven't changed all their email passwords will face similar problems when they're also reset on Sunday."
The 13th is a Thursday in my diary???
Re: Other Options
Johnn, yes we moved to www.sar-hosting.co.uk and they are top notch, they are a small - medium firm and their support is fantastic.
@AC "Customers who haven't changed all their email passwords will face similar problems when they're also reset on Sunday."
The 13th is a Thursday in my diary???"
Yep - it's a Thursday. As stated in the Fasthosts emails. It is El'Reg who made the typo this time. :)
With my client who is on fasthosts.... when the story initially broke here on El'Reg, I went and changed my FTP and Control Panel passwords. A short time later, I changed half of the email passwords (mine, the boss and financial boss). I left all the staff members email passwords unchanged.
I got an email last week mentioning the Thursday 13th deadline.... and just five mins ago I got an email telling me exactly which accounts need to be changed, and therefore which accounts would be scrambled next week.
So things seem logical here.... but only because I followed the story via El'Reg. If it had not been for El'Reg, I would not have known to go and change my control panel passwords after the initial hack. Didn't even put anything about it on the RSS feed (well, not anything I saw).
All a bit patchy really... but who else gives decent Hosted Exchange Server support? I don't have time to learn M$ Exchange, but my client needs all the features for his small team.
Wednesday and still no letter in the post.
Yep its Wednesday at 6:30pm and still no letter from Fasthosts, what a joke.
According to the Fasthost statement above they will be increasing support staff numbers. I rang tonight at 6:15pm and was in queue position 52. Great, and on an 0870 number, there is no way I'm hanging on for that long.
Bye Bye Fasthosts, I'm off.
@ Johnn Fitzgerald
I offer competitive pricing and personal service; if you're satisfied with hosting in the USA, I'll be glad to talk to you. However, I am *very* picky about who gets to be a customer, and I won't accept more than 100 hosting customers total (I currently have about 10). I will not host FrontPage nor Exchange, either; the system is Linux and will remain Linux.
If that interests you, you can reach me via gmail.com under username morelydotes.
And if El Reg (understandably) prefers not to post this, I imagine Johnn Fitzgerald would appreciate having it forwarded.
The point is that it wasn't just people who didn't change their passwords who got hit, people with the good sense to do what Fasthosts told them in the first place suffered too.
Farcehosts have effectively killed their own business!
I used to host some sites with them but thank GOD I moved them last year. I've been using DreamHost in California for 2 years now and they are pretty good. Not perfect, they had some power outages end of last year and that caused some issues, but the people who run it seem to actually GIVE a damn and their communications are pretty rapid and effective, even though there is no telephone number to call.
In going to the expense of using Royal Mail to notify their customers of new passwords Fasthosts are publicly declaring a Vote of no confidence in the security of their own eMail Servers.
Furthermore, by not notifying their customers of the security breach and sending out eMails requesting a password change, it has left hundreds of customers potentially at risk if their data has been stolen, as the attacker will now be in possession of potentially hundreds of people's details and their passwords to their computer systems.
Link to follow: Changing passwords before Fasthosts do!
Here is a link to help people change Email Passwords if they have forgotten their current passwords.
FREE Password Recovery + FREE Remote Access
I received an email three days ago stating that I needed to update my billing records since the card I used to pay for the service was about to expire. The email stated:
"*** You must have a valid credit/debit card on your account at all times in accordance with our Terms of Service. ***
Please note, any failure to pay for your service on time will result in an administration charge as per your Terms of Service."
So I went to the "Fast"hosts control panel to login, entered my username and password, hmm....incorrect username/password...that's funny. Fired up password safe and double checked the username + password - it was correct (I updated once I had reset my passwords in October).
I tried the password reminder feature...sorry this feature is currently unavailable (according to others on this site because the password reminder services used to read the passwords from a cleartext file?).
I have been calling "Fast"hosts "support" on their 0870 number for the past three days (until I spotted this article and the alternative numbers - thanks!) and always end up at number 50+ in the queue and after an hour I can't seem to get past queue position 44 - my phone bill's going to hurt.
If I end up having to pay an Admin fee for not paying the bill on time I think I'll ask for a refund with interest. In fact I think I'll demand they pay the cost of the calls to their support line.
I think they should retract the following statement from their website:
"If you need to contact us, you'll get a quick and accurate answer, any time, day or night.
* We aim to resolve all queries within 2 hours.
* Always someone here to answer your call."
I have been trying day and night. Yeah right, I'd have more of a chance of getting through to the Elvis.
"The UK's number 1 web host" indeed.
"Home to more website than any other provider" - not for long judging by the number of people who have been affected.
I don't know about you guys but I will be changing providers ASAP.
Move, move, move
I have been giving FastHosts "one more chance" for the whole of 2007. But this is the Straw that broke the Camel's back. Since the whole thing kicked off, I have been hunting for another Host and settled with csnewmedia.co.uk.
The support guy I conversed with - Carl - told me that it has been a busy weekend for them with a whole raft of new sign ups from [soon-to-be] ex-fasthost resellers.
I have moved my Linux accounts over to CSNM and the process has gone very smoothly and it is actually cheaper for me. I have 75 Windows accounts too and they have offered to help port them all - for free!
I wish there was some way of seeing how many reseller customers FastHosts had before the Security breach, and how many they will have in the new year :o)
Don't know if they can do what you want, but I have been impressed by heart internet, ticketed support rather than phone, but every support problem I have raised has been responded to in about 10 minutes, by someone who actually seems to know what they are doing.
Currently moving my e-commerce site to them after a 1&1 support debacle.
We moved all our business away from Fasthosts after the last big problem, when their facility in Gloucester was flooded and this caused power issues. Thankfully this means we don't have to worry about passwords being forcefully reset and sent via Royal Mail, you'd think after the farce with HMRC sending sensitive information unencrypted in the post, it might make private enterprise less likely to do so ...... evidently not!
About sixty percent of our business went to Rackspace, we rolled the dice somewhat with the other forty percent and went to a smaller outfit called Bytemark - the dice didn't come up snake eyes, we've been happy with the outcome and would highly recommend them both.
More trouble to come
At first it was a few customers, now over 1 million. Just wait until the email passwords are changed. http://www.fasthostshell.co.uk
Thursday & still locked out
It's Thursday morning and we're still locked out of all our web sites. Nothing has come in the post, and their customer service number is constantly engaged (it sounds very much as if there's something wrong with the line, as there's a loud 'click' before the two-tone sound is heard).
Sent an email support request in to them on Tuesday at mid-day - we still haven't had a response.
Up to now, we've been very happy with Fasthosts - but not responding to its customers is the quickest way they will lose our business.
David McCarthy ... WORD-right & IDEAS-right
Tis Thursday. Still no emailed password. I'm still locked out of updating my websites. And the support number that I have is engaged permanently, and the customer support website at fasthosts - well, you have to login to access it!
(posted anon for obv reasons)
10:43AM Still no password in the post. Tried to call, got to queue position 50, sent a support ticket in - nada.
Pain in the backside
When asked about their new security...
...they pointed to old Jim who mans the front desk
Zero Customer Service
No email messages. Not one before or since 'the event' last week.
I was completely in the dark and would still be in that situation if it wasn't for The Register.
I have sent in a support request last Friday and received the automated enquiry number.
Despite two further attempts to chase this via e-mail still no response.
I will not pay to speak to them.
Since I have not been included in any email updates or requests I wonder if they actually know for sure which accounts have been crippled.
My only consolation is that my credit card expires before the next bill is due.
What a farce.
Dedicated servers - resellers, just do it.
I can't believe some people here are resellers....so expensive, you use shared servers which are slow and unreliable, you are subjected to reset passwords and other sudden changes made by the hosting company - and you can't back-up your data properly (i.e. daily, automatically).
If you host more than 10 domains, you might as well get a dedicated server. No mySQL or scripting costs. No downtime, no slow loading pages, autonomy (i.e. no interference with FH updating mySQL and breaking your scripts or resetting your passwords).
Dedicated servers are cheaper, faster, more secure (i.e. you can backup easily) and more flexible (you can install any components you like).
Dare I say it, but we've not had any troubles with FH dedicated servers. Reseller account? All we had was trouble with FH. Ditch your reseller account and get a dedicated server (be it with FH or another company).
Just managed to get my password through on the phone.
However, the FH customer login pages are now down
Can you prevent a password scramble?
What can you do to prevent Fasthosts re-setting your email passwords if you have already changed them? You might spend the next week changing passwords, only to find that another Fasthosts blunder forces you to do the whole thing again, this time with irate users/customers. Is there anything we can do to inform Fasthosts that passwords have been changed and insist that your account is exempt from the great password scramble - well there might be
Incompetence to the power of Incompetence
This is now even beyond farcical.
I have spent hours and hours trying to get through on the support line - at great expense as these 0870 calls are not cheap. On two occasions I have gone from queue position 20 or 18 back to 58!
Today I received mail! This you will not believe. Instead of receiving my domain account and scrambled password I have received SOMEONE ELSE'S. They can't even stuff envelopes.
Meanwhile I am still unable to change my passwords.
Don't use 0870
Some kind soul on the "original" reg thread started last week put down a load of alternative numbers which WEREN'T 0870 .
The one that I can remember and gets you through to the main menu where you press 2 for "support" is 01452 541499.
For overseas people this will translate as 0044 1452 541499.
Still not free, but gets them less revenue whilst we have to sit in their "support" queues.
Definitely try them for compensation, if not, as mentioned on other forums if you used a credit (not debit) card you are protected and may be able to issue a chargeback through them.
Me, I'm moving my remaining stuff from farcehosts to dedicated server with hetzner.de. Already had one with them for over a year, and really happy with their service.
Support number: 01452 541499
No need to use their costly support number, here's the standard number: 01452 541499.
What I find amazing is how officious they are on the telephone, make sure you know your blood group, they'll probably ask for that, too.
Oh, and it made it into The Times today:
It doesn't end there
This week after being told to change all my passwords I did so on Tuesday to get my site working again. Then on Wednesday it had been reset again so I changed them back since once again the site was down. Of course once again today they have scrambled my passwords for the third time in three days... after I have done exactly as requested by them. This is denial of service. What a farce.
I will be demanding all my money back.
It's now one week later, and still no access,
I eventually got through to them on Saturday (after 2 hours), was given new passwords which did not work!
It's now Thursday 6th December, one week after Fasthosts' monumental screw-up.
I've still no post from Fasthosts and their "support" numbers have been engaged again all day. I can't even get into a queue. I've also given up with email "support", no answers after a week of emailing.
There is not a single mention of this farce on the Fasthosts website. I consider this as dishonest. All we get is Fasthosts claiming their customers are full of "understanding and cooperation". B******ks am I! How dare they speak for me in such a patronising way!
Fasthosts deserve to have their business go down, though I feel sorry for the people who would have to find new jobs through no fault of their own.
PS. don't anyone reward Fasthosts for their arrogant incompetence by ringing their expensive 0870 number, try the numbers below that don't give them a cut of the call fees:
Fax: (0870 8883555) 01452 538485
Charge back on your credit cards for any fasthosts payments - it costs them
"Forcing password changes for people too stupid, shortsighted and/or selfish to do it themselves after a widely publicised major break-in seems perfectly reasonable to me. Your laziness is potentially affecting my business."
Thanks for that, Mr Fasthosts employee, but many of us did all of the resetting demanded of us.
Anyway, needless to say, still locked out, will never get back in in foreseeable future.
I will be charging back my credit card - can someone tell me what name they appear as on credit card statements? I have so many hosting/domain related charges I can't tell one from the other.
Farcehosts telephone support
Previous to all this debacle, if you had to telephone their support lines, you were placed in the queue straight away and knew which "queue position" you were in immediately.
So, they only get "their share" from the 0870 number on every whole minute spent on the line.
Some time over the last week the b*stards have changed this - when you select 2 for "support" you have to wait just over 1 minute before finding out "you are at queue position 60-something".
If that isn't a deliberate attempt at revenue generating then I don't know what is.
Sorry, but I simply don't believe for a second that they have laid on more support people. Me, I'm still waiting a response for a fault logged BEFORE all this happened.
In the interests of public awareness, anybody reading this who's a member of other forums might like to distribute the non-0870 numbers. The more people that know, the better.
BBC Now reporting
Got a phone call
I was called by Fasthosts today to give me my password. I could not remember my PIN (who can?) so the guy just buggered off and I'm no further forward. He asked for me by name and used the number on the account, so who else is it gonna be?
Going by a lot of people's stories I was quite lucky. I got up Saturday morning, rang them, "Queue position 36", I put the phone down (not hung up) and would check every 20 min for changes; it was 2 and a half hours till I got to speak to a human. After all that time I made sure I had all the details of the account holder right down to his shoe size; I was not leaving anything to chance. I got the new password and made the guy on the phone repeat it about 4 times just to make sure. Does anyone know how much that call has cost me from a BT line?
Don't know what it is about those stupid Fasthost text capital things but I have to reload the page about 10 times before I get one where I can see the difference: i L l 1 !!!! Unreal.
This whole thing has given me a kick up the ass. I now store all my passwords for everything in an encrypted file and I have changed them all so they are all different.
I have other sites hosted with another company and they changed the MySQL DB server address structure, but they had the common decency to do a find and replace on your database connection scripts to make sure they worked! Why could Fasthosts not do this so that the web sites continued to function?
How many letters have they posted?
Friday and no letter. This means it has not been posted.
I agree with a previous poster: I think they are being dishonest. They are also probably guilty of fraudulent trading. The negligent way in which they have dealt with it provides the basis of a claim. If they had worded things differently and done things differently they would not be liable for the criminal acts of a third party. However the negligence with which they have dealt with it leaves them wide open to litigation. A week's loss of revenue for all affected parties will be more money than they are worth so technically if everyone made a claim they would be forced into receivership. Anyone who pays by credit card can recover up to about £75000.00, it may have gone up in the latest Consumer Credit Act, even if they do go bust.
I think the best way to deal with it is to send them an email claim for loss of revenue based on their negligence, get back in to your account, then transfer out any domains, paying any fees to do so. Host with someone else of course.
If we all do this and they go bust everyone who has made a claim, even if not followed through (let's face it, who can be arsed?) should make a complaint of fraudulent trading to the Police. I think they are guilty of fraudulent misrepresentation now as well because they have not made mention of the problem on their website. Someone should complain to the Gloucestershire Trading Standards Office as they may be committing consumer offences as well as the Companies Act and Misrepresentation Act stuff.
I'm just glad I don't host with them anymore.
Another one bites the dust.
Just as soon as I can get a response from the farcehosts support team I'm shifting my account to another hosting service.
Unfortunately this could take some time since I've yet to get a response from them in under two weeks by email and every time I phone I'm somewhere around queue position 58!
Can't use old passwords
I have a few customers who are quitting on me because they can't use their old passwords. They claim that technically the only thing that is at risk is their own mailboxes, it's not as if a hacker could compromise Fasthosts through an email password.
They have also said that although it's a good policy to change your passwords from time to time, people have the right not to, even if their own email is at risk.
I guess the only other risk is that someone could use their account to generate spam, but Fasthosts already have filters in place that stop you sending out a certain number of emails in a short period, and this is a problem Fasthosts has to deal with, not the customer.
Re: Password Security - Sign of the Times
Let's face it, nothing is secure as the HMRC have demonstrated, and as a good customer of them and Fasthosts, what really bugs me is the sudden unavailability and distinct lack of information available from Fasthosts.
I sympathise with them in some respects as they obviously are not dealing with this at all well and some heads will roll and customers will retreat. But what grieves me is that they cannot even put anything on their websites about the current situation (unless they locked themselves out of course).
If I was in that situation and was the CEO of Fasthosts, I wouldn't continue to take on new business until all my existing customers were happy, but you can bet your bottom dollar if you call the sales line, you will not be placed at queue position 64.
But please can we stick by them until at least we are all back up and running again - I am really upset it has happened on the busiest time of the year, but I think that it will get sorted out - and just stop and think how many millions of online retailers who take all our information online whilst working from their bedrooms, but you make your choices and I think that at least Fasthosts will hopefully be more careful in future!
Letter Arrives Password Does Not Work
Some may say that a week long delay in sending the letters out will encourage people losing thousands to ring the premium rate phone number. Some would go further and say that if a percentage of the passwords that get sent out are not working this will encourage more. Some would say the whole thing is a scam.
Not me. No. I am going to issue a summons on Tuesday morning in Lancaster County Court and seek an order making them tell me the password. I would rather give the County Court a hundred quid than Fasthosts ten pence. I can seek other disclosure as well, this will be interesting, like what was the alleged security breach then? As long as the question is relevant to my case they must answer or be in contempt and lose.
I think if enough complained to ICSTIS (I think this is the acronym), who are the regulators in the UK of premium rate numbers, they may well intervene.
It is looking as if those who say it is a premium rate phone scam, not me though, may be right.
Currently been on the phone for two and a half hours - started at position 60, now at 13 - moving 1 place every 15 minutes roughly
Further privacy leak
Well, Fasthosts sent me someone else's Control Panel passwords today. I have tried to call them to find out how/why they sent me the letter when it's not my account but am unable to even get the phone to ring, never mind speak to someone.
The company is an utter joke and I have 4 boxes with them :( paid for a year in advance and only just renewed 3 months ago grrrr
PROOF Submitted to TheRegister by email.