Heart Internet spreads the love passwords

Web hosting outfit Heart Internet has caused security-conscious customers to skip a beat by sending them a handy text file email attachment containing other people's new passwords. Last week Heart Internet decided to reset a bunch of FTP and eXtend passwords that had not been changed by their account owners for "an extended …

COMMENTS

This topic is closed for new posts.
  1. AndyC

    So...

    The second email, were the passwords different from the first one?

    Otherwise, rather pointless to say the least.

  2. Ash
    Thumb Up

    Details, details...

    Are the passwords sent different from the ones in the .csv?

    We'd like to think so...

  3. pastamasta
    Alert

    Monkeys, banana factory etc.

    In the event that there are any e-commerce sites amongst those hosted by these donkeys, perhaps we should be told their names...? I submit to you that entrusting my personal details to such sites after this fiasco would be akin to handing my house keys and credit cards to the stubbled chap with the mask, stripy jumper and large sack marked "SWAG" whom I can see lurking just beyond my hydrangea bush.

  4. Anonymous Coward
    Happy

    I wonder

    Wonder if they are going for a government contract.....

  5. Anonymous Coward
    Coat

    Deja Vu?

    So... The Fasthosts Bug is spreading then?

  6. Keir Snelling
    Happy

    You've got to love 'Human Error' stories like these.

    Reminds me of a previous job I had when an HR bod managed to send a spreadsheet to the whole company detailing generic anticipated bonus payouts or some such, not realising that on the second worksheet they'd left all of their working data, including the salary of every employee at the head office.

    Cue frantic call to the email admin (me) to try and retrieve said email from 450 mailboxes. Having compared my salary to that of my peers, (yes, I looked, despite being asked to delete the emails without actually reading one), I had to say that I wasn't feeling the most valued employee at the time.

  7. Andrew Thomas

    Why not just reset all the passwords again to something new?

    Unless I'm missing something why not just reset all the passwords again to something new?

  8. Anonymously Deflowered

    Oh dear

    I haven't changed my password since I created my account as I deem[ed] it secure enough. And now in the interests of "security" it might have been reset and given away. Great!

    I didn't get the email, but I don't know if my email address is associated with my account... whatever; I can't login at the moment.

  9. Law
    Thumb Up

    Actually a GOOD security procedure!!

    Make sure your clients know that if they don't regularly change their passwords, then the host will forward your preferred password to everybody else, therefore forcing you to change your password more regularly!!

    THUMBS UP!! :)

  10. Anonymous Coward
    Unhappy

    How is this secure?

    Hmmm..... IMHO I don't see why changing customers passwords based on age is valid. A good password is no less secure after 5 seconds, 5 minutes, 5 hours, 5 days or 5 years assuming one has some sort of brute force logic in place so that a hacker can not try every single password that is possible over time and eventually crack it.

    If they had a way of detecting weak passwords and changing those that might be reasonable. You could change your password every week and still make it an easy to guess/easy to crack one.

    Furthermore to then mail the new ones in plain text is highly insecure and opens up all their customers to possible security issues when they had good (perhaps even better) passwords in the first place. Many will possibly even change them back to their original anyway.

    Do they have a right to enforce a password change? This could cause a lot of their customers a lot of grief, potentially breaking automated updates or backups, for example.

    Sounds ill thought out (and in the light of this) badly actioned. At least they corrected the issue quickly and didn't rely on the Royal Mail!

    The big question is WHY did they do it. It means they have been hacked OR someone has gained a password list (disgruntled employee perhaps) and they are changing them to prevent any possible problems. Either that or someone has been on a security course recently and thinks this is a good idea.

  11. Anonymous Coward
    Unhappy

    Hmm.. twas a problem for me too...

    The thing they've forgotten to say here is that the ftp service was down for a good 15 hours too - and then magically a whole host of passwords changed...

    Co-incidence?

    I challenged them over their ticketing system but they were well drilled that it was for security reasons, either because of time elapsed since last change or that it was going to be too easy to guess the password.

    Hmm - even the account with their auto-generated password from 2 weeks previous...

    But hey - at least I've altered all the passwords they sent in the csv ;-)

  12. Anonymous Coward
    Pirate

    I'm with Heart,

    and I've got two reseller accounts with them (one for my employer, one for my freelancing).

    I only got an email to the one hosting account, and even then it only contained passwords to half of the domains, not all of them.

    The email read as follows:

    --------

    Dear xxxxxxxxxx,

    As part of our ongoing efforts to improve security we have reset a number of FTP and eXtend passwords that have been classed as insecure. This could be because the password is too simple or because the password has not been changed for an extended period. Attached to this email is a file list showing any domain names which have had their password changed. The new password is shown next to the domain name.

    If these domains belong to your clients then you may wish to inform them of their new password. To simplify this process you can use the web link below to send your customers their updated password by email:-

    https://customer.heartinternet.co.uk/manage/password-changed-notify.cgi

    Thank you for using Heart Internet.

    --------

    The email also contained an attachment, called "customers.csv" which contained a domain name and the associated login password.

    The thing is, none of my passwords ever get changed, because when the account is created, the password doesn't get emailed anywhere, I just see it over an SSL connection. So I don't know why only *some* of the domains needed changing, because, based on the same flawed logic, they all do.

    Perhaps they had a leak?

    Anyway, a better way to do this would be to send out a message saying "we've had to change some of your domain passwords, please click here and log in to see what we've done" rather than sending passwords out over the email.

    Pay peanuts, get monkeys.
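The flow suggested in the comment above (tell the owner something changed and make them log in over TLS to see it, rather than mailing the new password) can be sketched in a few dozen lines. This is an added example, not Heart Internet's code: it uses an in-memory store in place of a real database, a hypothetical base URL `https://hosting.example/reset`, and constructed sample accounts. The notification carries a single-use, time-limited token whose hash is stored server-side; the new credential is only released to the account that owns the domain, which also addresses the "other people's domains in my CSV" problem by building each owner's list from the ownership map rather than from a shared export.

```python
"""Added example (not Heart Internet's code): notify domain owners of a
password reset with a single-use link instead of the new password.

Assumptions, labelled here: BASE_URL is hypothetical, the store is a dict
rather than a database, and OWNERS / NEW_PASSWORDS are constructed sample
data for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

BASE_URL = "https://hosting.example/reset"  # hypothetical endpoint
TOKEN_TTL = 24 * 3600                        # link is valid for one day

# Constructed sample data: which account owns which domain, and the new
# credential the system generated for each reset domain.
OWNERS = {
    "alpha.example": "reseller-a",
    "beta.example": "reseller-a",
    "gamma.example": "reseller-b",
}
NEW_PASSWORDS = {
    "alpha.example": "Wq8!tR2kPz",
    "beta.example": "n4Lm$9vHxe",
    "gamma.example": "Zs3#yB7qUd",
}


@dataclass
class ResetToken:
    domain: str
    owner: str
    expires_at: float
    used: bool = False


def _hash_token(raw: str) -> str:
    # Store only a hash: a leaked token table cannot be turned into live links.
    return hashlib.sha256(raw.encode()).hexdigest()


class ResetNotifier:
    def __init__(self, owners, credentials, now=time.time):
        self._owners = owners
        self._credentials = credentials
        self._now = now                 # injectable clock so expiry is testable
        self._tokens: dict[str, ResetToken] = {}

    def issue(self, reset_domains):
        """Return {owner: [(domain, link), ...]}; each owner only sees own domains."""
        per_owner: dict[str, list[tuple[str, str]]] = {}
        for domain in reset_domains:
            owner = self._owners[domain]
            raw = secrets.token_urlsafe(32)     # 256 bits, unguessable
            self._tokens[_hash_token(raw)] = ResetToken(
                domain, owner, self._now() + TOKEN_TTL)
            per_owner.setdefault(owner, []).append(
                (domain, f"{BASE_URL}?t={raw}"))
        return per_owner

    def render_email(self, owner, entries):
        """Plain-text notification: names the domains, never the password."""
        lines = [f"Dear {owner},", "",
                 "The FTP password for the following domains has been reset.",
                 "Log in to your account and open each link to view the new one:", ""]
        lines += [f"  {domain}: {link}" for domain, link in entries]
        return "\n".join(lines)

    def redeem(self, raw_token, logged_in_as):
        """Return the new password if the token is valid, unused, unexpired,
        and presented by the owning account; otherwise None."""
        rec = self._tokens.get(_hash_token(raw_token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        if not hmac.compare_digest(rec.owner, logged_in_as):
            return None                         # bound to the owning account
        rec.used = True                         # single use
        return self._credentials[rec.domain]


if __name__ == "__main__":
    notifier = ResetNotifier(OWNERS, NEW_PASSWORDS)
    for owner, entries in notifier.issue(list(OWNERS)).items():
        print(notifier.render_email(owner, entries))
        print()
```

The password itself only crosses the wire on the authenticated, TLS-protected page that redeems the token, and a token that is reused, expired, or presented from the wrong account yields nothing; the mail can be forwarded or mis-delivered without disclosing a credential.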

  13. Ben
    Unhappy

    Me three...

    ...ftp down for many hours, followed by a swift password change? Flaky service across the board, slow response times, traffic starting and stopping? It felt like someone was performing a DOS by brute force password attack, especially when coupled with a further two days outage for varying services; even their main website seemed to be affected.

    When I finally managed to get into the ticketing system I was told the increased server load had been caused by people checking their new ftp passwords. I still have the stench of BS in my nostrils, although apparently "Heart staff don't lie..."

  14. Martin

    FTP was only down for 7 hours

    And yes, not all passwords were changed, only some. I think there were only a couple of FTP servers compromised and they changed those and left the others be.

  15. DZ-Jay

    Security through stupidity

    Priceless!

    -dZ.

  16. Anonymous Coward
    Pirate

    Me again.

    ALL of my Heart passwords have been changed.

    The email makes it sound like only one or two accounts were affected, but every single domain I own has the password reset on it.

  17. Anonymous Coward
    Anonymous Coward

    Another reseller here.

    As a reseller with Heart i don't see what the problem is?

    I got 1 email which was the same as above with the customers.csv showing all domains attached to my account which haven't had passwords changed in the last year or so. I then had to notify each of the domain owners that they had a new password.

    I'd be interested to know if anyone who isn't a reseller got 1 of the emails with the customers.csv attachment that included domains that they didn't own.

  18. Anonymous Coward
    Thumb Down

    me again too...

    @Martin - I lost access to FTP at 4pm and it wasn't back until 7am - I make that 15 hours.

    @Anonymous Coward 25th June 7.31am - I can only assume you aren't a 'large' reseller with over 100 accounts that got changed - that gave me about 5 hours of extra work that I really didn't need. I also have a separate account that is a stand alone, and I received a second e-mail with a number of er, unexpected domain passwords - which I had the decency to send back to heart and then delete.

  19. Jeetje
    Coat

    @ Keir Snelling

    "Cue frantic call to the email admin (me) to try and retrieve said email from 450 mailboxes. Having compared my salary to that of my peers, (yes, I looked, despite being asked to delete the emails without actually reading one), I had to say that I wasn't feeling the most valued employee at the time."

    Mmmm, I would have expected your perusal of that Excel sheet to be a cue for a phone call in true BOFH style, explaining that considering your current salary HR couldn't possibly expect you to pull that off before anyone else could read it. Now let's discuss that raise long overdue...

    Mine's the one checking the jacket of the HR bod for any corporate espionage contraband, before he's finally fired ^^
