Hetzner hacked, customer details compromised - TechCentral

A key database operated by large South African data centre operator and website hosting service provider Hetzner has been hacked, and the company is advising clients to change their passwords immediately.

Hetzner, which is based in Midrand in Johannesburg, advised clients on its website on Wednesday that earlier in the day it had become aware of “unauthorised” access to its konsoleH control panel database.

“We can confirm that a SQL injection vulnerability was identified within konsoleH, which has been corrected,” it said. “We shut down access to konsoleH during the course of the day while investigations proceeded.”

Although Hetzner says konsoleH administrator passwords were not compromised, it has “proactively updated all FTP passwords which were exposed”. That FTP passwords could be exposed by a database breach at all suggests they were stored in a form that could be read back from the database, rather than as one-way hashes.

“It is imperative that customers update all passwords associated with their Hetzner account immediately, including konsoleH admin passwords,” it said.

The following details were exposed:

  • Customer details (name, address, telephone numbers and e-mail addresses);
  • Domain names;
  • FTP passwords;
  • Bank account details (cheque/savings) — no credit card details were stored.

Although Hetzner has already changed the FTP passwords, customers must reset them themselves before they can log in again. Any additional FTP users a customer created must be updated manually in konsoleH.
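The article does not describe the konsoleH flaw beyond calling it a SQL injection, so the following is an added illustration, not konsoleH code: it shows the general mechanism by which one injectable lookup in a control panel becomes a dump of every customer row, why a bound parameter stops it, and why such a dump hands out working FTP credentials only when the column holds them in the clear. The table layout, column names and sample rows are constructed for the example and are assumptions, not Hetzner's schema.

```python
"""Added illustration of a SQL-injection dump against a hosting control panel's
customer table. Not konsoleH code; schema and rows are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data. The columns mirror the categories the article
    # lists as exposed: contact details, domain, FTP password, bank account.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "domain TEXT, ftp_password TEXT, bank_account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email, domain, ftp_password, bank_account) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            ("Alice Example", "alice@example.co.za", "alice-example.co.za",
             "ftp-s3cret-1", "cheque 1234567890"),
            ("Bob Example", "bob@example.co.za", "bob-example.co.za",
             "ftp-s3cret-2", "savings 0987654321"),
            ("Carol Example", "carol@example.co.za", "carol-example.co.za",
             "ftp-s3cret-3", "cheque 5555555555"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, domain: str) -> list:
    # VULNERABLE: the caller-supplied value is spliced into the SQL text, so the
    # database parses attacker input as part of the statement.
    sql = (
        "SELECT name, email, domain, ftp_password, bank_account FROM customers "
        f"WHERE domain = '{domain}' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, domain: str) -> list:
    # FIXED: the value travels as a bound parameter and is never parsed as SQL,
    # so the same payload is just a domain name that no row has.
    sql = (
        "SELECT name, email, domain, ftp_password, bank_account FROM customers "
        "WHERE domain = ? ORDER BY id"
    )
    return conn.execute(sql, (domain,)).fetchall()


# A tautology payload: closes the string literal and appends a condition that is
# always true, so the WHERE clause matches every row in the table.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Return (rows dumped by the injectable query, rows returned by the fixed
    query, FTP passwords readable from the dump)."""
    conn = build_db()
    dumped = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_parameterized(conn, PAYLOAD)
    # The dump is only as damaging as what the table stores. A plaintext
    # ftp_password column turns a data leak into live credentials.
    leaked_ftp = [row[3] for row in dumped]
    return len(dumped), len(safe), leaked_ftp


if __name__ == "__main__":
    n_dumped, n_safe, creds = demo()
    print(f"injectable query returned {n_dumped} rows, parameterized query {n_safe}")
    print("FTP passwords readable from the dump:", creds)
```

The fix is the bound parameter, not escaping the quote: a parameterized statement keeps the query text fixed no matter what the caller supplies. Had the ftp_password column held salted one-way hashes, the same dump would still have leaked names, addresses and bank details, but not credentials an attacker could use as-is.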

Forensic investigation

“Should you have provided konsoleH access details to any other parties, please advise them to update their login details as soon as possible. Mailbox users are able to update their passwords via our webmail interface.”

Hetzner said it has appointed external forensic investigators, who are already on site, to investigate the breach.

“We understand that this event has shaken your confidence in us. It is our earnest commitment to provide you with a hosting service you can trust.”  — © 2017 NewsCentral Media

  • Peter Baker

    Clear or hashed passwords?

  • Gman

    If they are plain text, whoever is responsible for the security of that system should be fired.

  • Kevin

    How can a company have such low standards, after everything that has been happening on the cyber security front this year. Clearly just a lack of standards. I am furious, not only as a developer myself but as a customer of Hetzner… Which have been debiting my account with strange transactions for two months now, which I inquired about this week… I wonder how bad this breach actually is.

  • They are. I have a chain of emails objecting to this dating back to 2014. They said it’s convenient for support purposes to have the passwords in plaintext.

    So basically, we just had to wait for today.

  • Imaginet says the same thing. Idiots.

  • Peter Baker

    This makes me so sad 🙁 Vox telecom does the same

  • Carli Brits

    Hey Peter, if you don't mind, can you please send me your details relating to the comment about Vox Telecom.
    I would like to look into this for you.
    Thank you, Carli

  • Peter Baker

    Their password recovery facility for the client website mails you your existing password. That means they are not hashing passwords. Unacceptable 🙁

  • Carli Brits

    Hi Peter,
    Please confirm – are you located in Constantia CPT? I would just like to confirm I have the correct account number so I can investigate.
    Thank you
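Peter Baker's test above (a recovery facility that mails you your existing password cannot be hashing it) is a sound one. As an added example that is not part of the article or any commenter's post, and not code from Hetzner or Vox, the following shows what a store that holds only salted one-way hashes looks like: it can verify a password and issue a single-use reset token, but it cannot mail the password back, because the password is not there. Iteration count, record format and the in-memory store are assumptions chosen for the illustration.

```python
"""Added illustration: a password store that keeps only salted PBKDF2 hashes
and supports reset by one-time token. Constructed for this example."""
import base64
import hashlib
import hmac
import os
import secrets
import time

# Assumption: work factor for the illustration; tune upward for real deployments.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


class PasswordStore:
    """Constructed in-memory user store: holds hash records, never passwords."""

    def __init__(self):
        self.records = {}       # username -> hash record
        self.reset_tokens = {}  # sha256(token) -> (username, expiry timestamp)

    def set_password(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.records.get(user)
        return record is not None and verify_password(password, record)

    def begin_reset(self, user: str, ttl_seconds: int = 900) -> str:
        """Return the one-time token that a reset e-mail would carry.

        Only the token's hash is stored, so a copy of this store yields
        neither passwords nor live reset tokens."""
        if user not in self.records:
            raise KeyError(user)
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (user, time.time() + ttl_seconds)
        return token

    def finish_reset(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)  # pop: a token is single-use
        if entry is None:
            return False
        user, expiry = entry
        if time.time() > expiry:
            return False
        self.set_password(user, new_password)
        return True


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("peter", "correct horse battery staple")
    print("stored record:", store.records["peter"])
    token = store.begin_reset("peter")
    print("token that would be e-mailed:", token)
    print("reset accepted:", store.finish_reset(token, "new-pass"))
    print("old password still works:", store.login("peter", "correct horse battery staple"))
```

The design point is that a correct "forgot password" flow never needs the old secret: it mails a short-lived, single-use token and lets the user choose a new password. A provider that can mail you your current password has, by construction, kept something a database breach can read back.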