
Blacknight Hacked?

  • 02-02-2012 11:41am
    #1
    Registered Users Posts: 1,743 ✭✭✭


    Just after reading an email from yourselves about user data being compromised!

    Any idea what details other than email address are out in the open?



Comments

  • Closed Accounts Posts: 9,273 ✭✭✭Morlar


    Got the email too. I think customers have a right to know where this came from, who it was directed at and how long it lasted.

    Telling customers 'Change passwords' is woefully insufficient in terms of customer service.


  • Closed Accounts Posts: 503 ✭✭✭Boards.ie: Neil


    Guys give them a chance.

    We've been there as well, and the scars are still here in this office and it's been 2 years. I can still remember the day and the weeks following and the stress that it forced upon us in here.

    There are procedures they have to follow with regards to a data breach and I'm sure they are doing them. It's such a time sensitive issue that they probably can't release any more information than they have at the moment.

    The guys at Blacknight are decent chaps (use them for my personal hosting and domain names) and are a pleasure to deal with. I have no doubts that they'll handle this to the best of their ability.


  • Registered Users Posts: 252 ✭✭sf80


    They'll have a lot to deal with, and they'll need to do a lot of analysis and talks with the Gardai before they can fully inform their customers.


  • Closed Accounts Posts: 9,273 ✭✭✭Morlar


    sf80 wrote: »
    They'll have a lot to deal with, and they'll need to do a lot of analysis and talks with the Gardai before they can fully inform their customers.

    So long as they do actually inform paying customers.


  • Registered Users Posts: 58 ✭✭johnmurph01


    *facepalm*

    I got the email this morning.

    It never ceases to amaze me how arrogant they can sound when something happens. Same with the time their email system went south a few months back for 48 hours.

    Yeah, it takes time to investigate, but what's with the crappy email and tweets. Time for some humility on their part. Stick your hands up and stop dodging.


  • Registered Users Posts: 2,904 ✭✭✭cian1500ww


    I just got a fake paypal email sent to the email address I had registered with Blacknight: http://twitpic.com/8ep4pq I mentioned it on twitter as well in case anyone falls for it.


  • Registered Users Posts: 58 ✭✭johnmurph01


    Actually, thinking about it... I'm done with them. I'm going to move my VPS and client's to vps.net or dediserver

    - Mail up and down like a yoyo for months

    - Mail down for 48 hours solid in 2011

    - VPS server with no backups for 1 client last year = Data loss. (because of their hardware failing)

    - Blacknight on tax DEFAULTERS list for VAT (721,291.08 quid - http://www.carlowpeople.ie/news/carlow-tax-defaulters-appear-on-revenue-commissioners-list-2881702.html). Software error my eye. I was worried at first, checked their accounts this year on the CRO and they're nowhere near having it paid off.

    - Servers up and down like a yoyo as well (check their status page - says it all). Even spotted one of their engineers saying 'Since I start covering on call for @blacknight over 2 years ago, 16,382 SMS alerts were sent to my phone.' - work that out per day!!! A lot of issues there.

    https://twitter.com/#!/bkenny/status/162525581244764160

    Once they get through their backlog of support mails, they'll find my cancellation. One step too far at this point.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Just after reading an email from yourselves about user data being compromised!

    Any idea what details other than email address are out in the open?
    At this juncture customer contact details.
    We know for sure that email addresses were affected

    We're still investigating and are in contact with various 3rd parties who are assisting us.


  • Registered Users Posts: 5,059 ✭✭✭Pacing Mule


    Hi there Blacknight,

    First off I'd like to say as a customer of yours that I'm very sorry to hear of this hack for everybody concerned - including yourselves who are in the front face of the fallout. I hope things work out for you.

    I have a major concern though that needs to be addressed sooner rather than later. The email advises changing customer passwords to the control panel. Have you any indication at all that these have been compromised or is this a simple precaution ?

    As you're no doubt well aware control panel access can be used to get to everything else on the server including databases which would in turn compromise all of your customers' own customers / registrant details for forums etc. This is worrying and on a far greater scale to boards.ie's own experiences and I would appreciate if it could be confirmed as soon as possible if these passwords were compromised.

    Quick Edit - Would also in fairness like to point out that my own control panel logs show no access being made on my account other than myself.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Just to confirm, no passwords that we can see have actually been compromised and all passwords and sensitive financial information (such as credit cards) are encrypted.

    From what we can see here the only information compromised is your first name, last name, and email address.

    However as a precaution we are advising customers to change their passwords just in case.


  • Closed Accounts Posts: 9,273 ✭✭✭Morlar


    Blacknight wrote: »
    Just to confirm, no passwords that we can see have actually been compromised and all passwords and sensitive financial information (such as credit cards) are encrypted.

    From what we can see here the only information compromised is your first name, last name, and email address.

    However as a precaution we are advising customers to change their passwords just in case.

    Can you confirm - do you plan on informing customers where this breach came from, how long it lasted and if it was directed against specific customers ? What level of detail are you intending to provide ?


  • Registered Users Posts: 5,059 ✭✭✭Pacing Mule


    Blacknight wrote: »
    Just to confirm, no passwords that we can see have actually been compromised and all passwords and sensitive financial information (such as credit cards) are encrypted.

    From what we can see here the only information compromised is your first name, last name, and email address.

    However as a precaution we are advising customers to change their passwords just in case.

    Thanks for the reassurance.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Morlar wrote: »
    Can you confirm - do you plan on informing customers where this breach came from, how long it lasted and if it was directed against specific customers ? What level of detail are you intending to provide ?

    We are liaising with IRISS, Data Protection and I believe one of our managers is in contact with the Gardai

    We cannot provide any further details at this time as it could compromise an ongoing investigation.


  • Closed Accounts Posts: 511 ✭✭✭col.in.Cr


    I'm a customer too and I just got that paypal spoof email as well


  • Registered Users Posts: 33 Kohhal


    I got it too and am a customer. Also having client site issues which may be related - investigating now...


  • Closed Accounts Posts: 511 ✭✭✭col.in.Cr


    I think you need to send out another email warning your customers of that paypal spoof email.


  • Registered Users Posts: 26,578 ✭✭✭✭Creamy Goodness


    col.in.Cr wrote: »
    I think you need to send out another email warning your customers of that paypal spoof email.
    No they do not, if you fall for that glaringly obvious paypal phishing attempt you deserve to lose all your money.

    Oh and they aren't related I get these every two to three days.


  • Closed Accounts Posts: 9,273 ✭✭✭Morlar


    No they do not, if you fall for that glaringly obvious paypal phishing attempt you deserve to lose all your money.

    No you don't.
    Oh and they aren't related I get these every two to three days.

    If there is suspicion of a connection Blacknight need to update the vast bulk of customers who do not read this thread.


  • Registered Users Posts: 573 ✭✭✭MacGyver


    I don't think the paypal one is anything to do with blacknight, I've been getting those about once a week since before christmas


  • Registered Users Posts: 33 Kohhal


    I rarely if ever get spam making it to my inbox in gmail - I did get this paypal one today, coincidence... who knows


  • Closed Accounts Posts: 511 ✭✭✭col.in.Cr


    Kohhal wrote: »
    I rarely if ever get spam making it to my inbox in gmail - I did get this paypal one today, coincidence... who knows

    same here


  • Closed Accounts Posts: 9,273 ✭✭✭Morlar


    I did not get the pp mail.


  • Registered Users Posts: 1,349 ✭✭✭Phibsboro


    Just a +1 on the paypal scam email, and I've never seen it before :(


  • Registered Users Posts: 8,584 ✭✭✭TouchingVirus


    What encryption was used on the passwords Blacknight? Did you md5 them ? md5 + salt them? were the salts unique per user? sha1? sha256? sha512? A little more detail on this would go a long way :)

    I can confirm that the email address from my last job which I used for Blacknight has been sent a Paypal scam email and has never received anything like it before (either in Spam filter, or right to the inbox like this).
    Subject: PayPal: Your account has been temporarily limited. CASE ID: 19Xu32
    From accounts <notice@limitedpaypal.com>
    Date Thursday, February 2, 2012 11:17
    To: <redacted>
    Message:

    Hello,

    Your account has been temporarily limited.
    To remove the limitation from your account please
    proceed right away and update your account details.

    For confirmation, please click the link below:

    Log on to your PayPal account

    Pure phishing stuff and the link throws a Reported Web Forgery error for me in Firefox/Chrome - if you have the brains to buy a domain/hosting then you shouldn't fall for this.


  • Registered Users Posts: 176 ✭✭Wendolene


    What encryption was used on the passwords Blacknight? Did you md5 them ? md5 + salt them? were the salts unique per user? sha1? sha256? sha512? A little more detail on this would go a long way :)

    Hi Blacknight,

    Firstly - you all have my sincere sympathies on the sh!tstorm that is your workplace atm.

    [ReallyReallyNotWantingToSoundCondescendingBut...]

    I've been there, and as a customer, I want you to come out of this. Most customers are mature and experienced enough to accept that breaches happen when it can be demonstrated that reasonable precautions were in place.

    You have had a number of requests (both here and on Twitter) to confirm that passwords were hashed. These requests have not been answered directly by you.

    People need a simple, clear and concise answer to these requests to allay their current fears about the integrity of their passwords. Denying, delaying or obfuscating such an answer only heightens people's fears for their services and further damages their confidence in you as their service provider.

    Do yourselves (and your customers) a massive favour and give a simple answer to a simple question, please ... and we can all rest a little easier and let you get back to the job of clearing up the mess.

    We don't need the nitty gritty details of the hashing / salting - divulging that to us would also potentially divulge it to the ne'er-do-wells, and we don't want to make their lives easier - but we do need a little more on this from you.

    Oh, and BTW, (before anyone suggests it might) such a concise reply will not adversely affect ongoing investigations. You have an opportunity to quell some grave worries - please take it.

    Yours most sincerely,
    Wendolene.


  • Registered Users Posts: 41 jh385


    I've already emailed BK support this. But I'll +1 the request to know how the passwords are stored; plaintext or hashed?

    It's a simple question, really.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Critical user data is encrypted using 2 factor encryption.

    However we don't know for sure if the control panel passwords were decrypted or not.

    We are asking people to change passwords only as a precaution.


  • Registered Users Posts: 41 jh385


    Blacknight wrote: »
    Critical user data is encrypted using 2 factor encryption.
    Thanks, but that really doesn't answer the question.

    Sure, the database file or 'user data' might be encrypted. But were the user control panel passwords stored in the table in plaintext or hashed form?

    If they were stored in plaintext, then it doesn't make much difference how the file was encrypted, if the encryption was compromised then the passwords are out there.

    ETA: I'm not asking this to hang anyone - I genuinely want to know so I can assess the risk myself. I have a ton of databases, sites with other hosts etc. that might be using the same password. It'll take me hours to go through changing passwords everywhere. I need to know if I have to go to that effort, or if I'm willing to take the risk.


  • Registered Users Posts: 6,026 ✭✭✭Amalgam


    What about back ups?

    Any sign of duplication?

    If I'm running a PHPBB Forum on your site, I presume the Admin passwords should get a change, along with maybe the Moderators?

    This is worrisome. :(


  • Registered Users Posts: 41 jh385


    Amalgam wrote: »
    If I'm running a PHPBB Forum on your site, I presume the Admin passwords should get a change, along with maybe the Moderators?
    phpBB stores hashed passwords: http://www.phpbb.com/kb/article/difference-between-encryption-and-hashing/ Which means even if someone got hold of your phpBB database, they won't be able to tell what the passwords are.

    You'll only have to worry about changing your phpBB admin passwords if you were using the same passwords as your blacknight control panel (and if the blacknight passwords were stored in plaintext, which we're waiting for an answer on)
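
An added example, not part of any post in this thread and not Blacknight's or phpBB's code: the difference the posters above are asking about (unsalted MD5 versus a unique salt per user with a slow hash), shown on constructed accounts. The function names, the PBKDF2 iteration count and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # assumed work factor for this sketch

def md5_unsalted(password):
    # Weak scheme: the same password gives the same digest for every user.
    return hashlib.md5(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    # Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password, salt, expected):
    # Recompute with the stored salt; compare in constant time.
    return hmac.compare_digest(hash_salted(password, salt)[1], expected)

def shared_digests(table):
    # Groups of users whose stored value is identical. Any group means one
    # recovered password exposes every account in it.
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed sample accounts; alice and bob reuse one password.
ACCOUNTS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

def build_tables():
    weak = {u: md5_unsalted(p) for u, p in ACCOUNTS.items()}
    strong = {u: hash_salted(p) for u, p in ACCOUNTS.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted md5 collisions:", shared_digests(weak))
    print("salted KDF collisions:  ",
          shared_digests({u: d for u, (_, d) in strong.items()}))
```

Running `shared_digests` over a stored-credential table is a quick audit: any group of identical values means the scheme has no per-user salt.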
