back to article Heart Internet spreads the love passwords

Web hosting outfit Heart Internet has caused security-conscious customers to skip a beat by sending them a handy text file email attachment containing other people's new passwords. Last week Heart Internet decided to reset a bunch of FTP and eXtend passwords that had not been changed by their account owners for "an extended …

COMMENTS

This topic is closed for new posts.
  1. AndyC

    So...

    The second email, were the passwords different then the first one?

    Otherwise, rather pointless to say the least.

  2. Ash
    Thumb Up

    Details, details...

    Are the passwords sent different from the ones in the .csv?

    We'd like to think so...

  3. pastamasta
    Alert

    Monkeys, banana factory etc.

    In the event that there are any e-commerce sites amongst those hosted by these donkeys, perhaps we should be told their names...? I submit to you that entrusting my personal details to such sites after this fiasco would be akin to handing my house keys and credit cards to the stubbled chap with the mask, stripy jumper and large sack marked "SWAG" whom I can see lurking just beyond my hydrangea bush.

  4. Anonymous Coward
    Happy

    I wonder

    Wonder if they are going for a government contract.....

  5. Anonymous Coward
    Coat

    Deja Vu?

    So... The Fasthosts Bug is spreading then?

  6. Keir Snelling
    Happy

    You've got to love 'Human Error' stories like these.

    Reminds me of a previous job I had when an HR bod managed to send a spreadsheet to the whole company detailing generic anticipated bonus payouts or some such, not realising that on the second worksheet they'd left all of their working data, including the salary of every employee at the head office.

    Cue frantic call to the email admin (me) to try and retrieve said email from 450 mailboxes. Having compared my salary to that of my peers, (yes, I looked, despite being asked to delete the emails without actually reading one), I had to say that I wasn't feeling the most valued employee at the time.

  7. Andrew Thomas

    Why not just reset all the passwords again to something new?

    Unless I'm missing something why not just reset all the passwords again to something new?

  8. Anonymously Deflowered

    Oh dear

    I haven't changed my password since I created my account as I deem[ed] it secure enough. And now in the interests of "security" it might have been reset and given away. Great!

    I didn't get the email, but I don't know if my email address is associated with my account... whatever; I can't login at the moment.

  9. Law
    Thumb Up

    Actually a GOOD security procedure!!

    Make sure your clients know that if they don't regularly change their passwords, then the host will forward your preferred password to everybody else, therefore forcing you to change your password more regularly!!

    THUMBS UP!! :)

  10. Anonymous Coward
    Unhappy

    How is this secure?

    Hmmm..... IMHO I don't see why changing customers passwords based on age is valid. A good password is no less secure after 5 seconds, 5 minutes, 5 hours, 5 days or 5 years assuming one has some sort of brute force logic in place so that a hacker can not try every single password that is possible over time and eventually crack it.

    If they had a way of detecting weak passwords and changing those that might be reasonable. You could change your password every week and still make it an easy to guess/easy to crack one.

    Furthermore to then mail the new ones in plain text is highly insecure and opens up all their customers to possible security issues when they had good (perhaps even better) passwords in the first place. Many will possibly even change them back to their original anyway.

    Do they have a right to enforce a password change? This could cause a lot of their customers a lot of grief potentially braking automated updates or backups for example.

    Sounds ill thought our (and in the light of this) badly actioned. At least they corrected the issue quickly and didn't rely on the royal mail!

    The big question is WHY did they do it. It means they have been hacked OR someone has gained a password list (disgruntled employee perhaps) and they are changing them to prevent any possible problems. Either that or someone has been on a security course recently and thinks this is a good idea.

  11. Anonymous Coward
    Unhappy

    Hmm.. twas a problem for me too...

    The thing they've forgotten to say here is that the ftp service was down for a good 15 hours too - and then magically a whole host of passwords changed...

    Co-incidence?

    I challenged them over their ticketing system but were well drilled that it was for security reasons, either because of time elapsed since last change or that it was going to be too easy to guess the password.

    Hmm - even the account with their auto-generated password from 2 weeks previous...

    But hey - at least I've altered all the passwords they sent in the csv ;-)

  12. Anonymous Coward
    Pirate

    I'm with Heart,

    and I've got two reseller accounts with them (one for my employer, one for my freelancing).

    I only got an email to the one hosting account, and even then it only contained passwords to half of the domains, not all of them.

    The email read as follows:

    --------

    Dear xxxxxxxxxx,

    As part of our ongoing efforts to improve security we have reset a

    number of FTP and eXtend passwords that have been classed as insecure.

    This could be because the password is too simple or because the password

    has not been changed for an extended period. Attached to this email is a

    file list showing any domain names which have had their password

    changed. The new password is shown next to the domain name.

    If these domains belong to your clients then you may wish to inform them

    of their new password. To simplify this process you can use the web link

    below to send your customers their updated password by email:-

    https://customer.heartinternet.co.uk/manage/password-changed-notify.cgi

    Thank you for using Heart Internet.

    --------

    The email also contained an attachment, called "customers.csv" which contained a domain name and the associated login password.

    The thing is, none of my passwords ever get changed, because when the account is created, the password doesn't get emailed anywhere, I just see it over an SSL connection. So I don't know why only *some* of the domains needed changing, because, based on the same flawed logic, they all do.

    Perhaps they had a leak?

    Anyway, a better way to do this would be to send out a message saying "we've had to change some of your domain passwords, please click here and log in to see what we've done" rather than sending passwords out over the email.

    Pay peanuts, get monkeys.

  13. Ben
    Unhappy

    Me three...

    ...ftp down for many hours, followed by a swift password change? Flaky service across the board, slow response times, traffic starting and stopping? It felt like someone was performing a DOS by brute force password attack, especially when coupled with a further two days outage for varying services; even their main website semed to be affected.

    When I finally managed to get into the ticketing system I was told the increased server load had been caused by people checking their new ftp passwords. I still have the stench of BS in my nostrils, although apparently "Heart staff don't lie..."

  14. Martin

    FTP was only down for 7 hours

    And yes not all passwords were changed only some, I think there was only a couple of FTP Servers compromised and they changed those and left the others be

  15. DZ-Jay

    Security through stupidity

    Priceless!

    -dZ.

  16. Anonymous Coward
    Pirate

    Me again.

    ALL of my Heart passwords have been changed.

    The email makes it sound like only one or two accounts were affected, but every single domain I own has the password reset on it.

  17. Anonymous Coward
    Anonymous Coward

    Another reseller here.

    As a reseller with Heart i don't see what the problem is?

    I got 1 email which was the same as above with the customers.csv showing all domains attatched to my account which haven't had passwords changed in the last year or so. I then had to notify each of the domain owners that they had a new password.

    I'd be interested to know if anyone who isn't a reseller got 1 of the emails with the customers.csv attachment that included domains that they didn't own.

  18. Anonymous Coward
    Thumb Down

    me again too...

    @Martin - I lost access to FTP at 4pm and it wasn't back until 7am - I make that 15 hours.

    @Anonymous Coward 25th June 7.31am - I can only assume you aren't a 'large' reseller with over 100 accounts that got changed - that gave me about 5 hours of extra work that I really didn't need. I also have a separate account that is a stand alone, and I received a second e-mail with a number of er, unexpected domain passwords - which I had the decency to send back to heart and then delete.

  19. Jeetje
    Coat

    @ Keir Snelling

    "Cue frantic call to the email admin (me) to try and retrieve said email from 450 mailboxes. Having compared my salary to that of my peers, (yes, I looked, despite being asked to delete the emails without actually reading one), I had to say that I wasn't feeling the most valued employee at the time."

    Mmmm, I would have expected your perusal of that Excel sheet to be a cue for a phone call in true BOFH style, explaining that considering your current salary HR couldn't possibly expect you to pull that off before anyone else could read it. Now let's discuss that raise long overdue...

    Mine's the one checking the jacket of the HR bod for any corporate espionage contrabande, before he's finally fired ^^

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019