DataBreaches.Net

WHMCS victim of social engineering; over 500,000 client records stolen, deleted from server, and dumped publicly

Posted on May 22, 2012 by Dissent

Why hack when you can socially engineer employees into giving you the keys to the kingdom?

Client management billing platform WHMCS reports that hacker group UGNazi successfully socially engineered their web hosting firm into providing the hackers with admin credentials. The hackers then proceeded to acquire their data, delete it, and dump it.

The attack took place yesterday, and within hours, WHMCS had reported the problem on their blog. Later in the day, developer Matt Pugh posted an update:

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.

This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.

According to John Leyden of The Register:

UGNazi also gained access to WHMCS’s Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm’s customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack.

In an email to their clients today, WHMCS wrote:

From: WHMCS
Date: 22 May 2012 01:40:03 GMT-03:00
To: XXXxxx
Subject: Urgent Security Alert – Please Do Not Ignore

Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.

To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.

As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.
Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.

This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.

--
WHMCS Limited
www.whmcs.com

But UGNazi was not done interfering with WHMCS’s business. In an update to their blog today, Matt writes:

Right now to compound matters, we are experiencing a large scale DDOS attack, which started at around 1am last night, and continues to this moment, so accessing the site may be intermittent for the time being due to the protection hardware that has been put in place for that.

According to Ted Samson of InfoWorld, client passwords:

were stored in a hash format, and the credit card information was encrypted — but evidently not PCI-compliant, a point raised by WHMCS clients on the company’s forum. “Any support ticket content may be at risk — so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, [so] we recommend changing them now,” Pugh cautioned.

Reportedly, WHMCS lost the previous 17 hours’ worth of support tickets and new orders from the attack.

There has been no statement from the hosting firm.

Update: There has reportedly been an arrest in the case.


1 thought on “WHMCS victim of social engineering; over 500,000 client records stolen, deleted from server, and dumped publicly”

  1. IA Eng says:
    May 23, 2012 at 7:24 am

    I saw a post on ISC.sans.org a long time ago – May have been about Palin’s Yahoo account being broken into. You do NOT need to answer the challenge questions with the so-called correct answer. There is no reason for it. As long as YOU know the correct answer is all that matters.

    PayPal is the way out for most corporations – but that isn’t enough. They offer more options so there is a better chance they will get the cash. So, with those avenues the data is stored and often not encrypted.

    Businesses are into making money and slicing away at the security to save cash. They also lean heavily on the fact they have an insurance-type plan that supposedly protects them from some harm. Falling back on that insurance – or being able to claim this as a loss IF it is deemed their fault – is their scapegoat. They ride the gravy train until it crashes into something, and then make amends to correct it and see if it will ride again for a long time.

    It just proves that people are gullible. It’s an easy way out to just give data away rather than double-checking the caller ID and doing a call back to a number on file, or having software that can shoot the person an email with a confirmation code that they can read back to the rep. Security takes additional steps in any environment. It’s nuts: they are willing to jump through a wide variety of security hoops at airports, and accept them – but when it comes to using security software and making the necessary setup and adjustments from time to time, it is either beyond their comprehension or just a lack of due diligence.
