DataBreaches.Net


WHMCS victim of social engineering; over 500,000 client records stolen, deleted from server, and dumped publicly

Posted on May 22, 2012 by Dissent

Why hack when you can socially engineer employees into giving you the keys to the kingdom?

Client management and billing platform WHMCS reports that the hacker group UGNazi socially engineered WHMCS's web hosting firm into handing over the login details for WHMCS's account with the host. With that access, the attackers copied the company's data, deleted it from the server, and dumped it publicly.

The attack took place yesterday, and within hours WHMCS had reported the problem on their blog. Later in the day, developer Matt Pugh posted an update:

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.

This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.

According to John Leyden of The Register:

UGNazi also gained access to WHMCS’s Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm’s customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack.

In an email to their clients today, WHMCS wrote:

From: WHMCS
Date: 22 May 2012 01:40:03 GMT-03:00
To: XXXxxx
Subject: Urgent Security Alert – Please Do Not Ignore

Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.

To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.

As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.
Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.

This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.

--
WHMCS Limited
www.whmcs.com

But UGNazi was not done interfering with WHMCS’s business. In an update to their blog today, Matt writes:

Right now to compound matters, we are experiencing a large scale DDOS attack, which started at around 1am last night, and continues to this moment, so accessing the site may be intermittent for the time being due to the protection hardware that has been put in place for that.

According to Ted Samson of InfoWorld, client passwords:

were stored in a hash format, and the credit card information was encrypted — but evidently not PCI-compliant, a point raised by WHMCS clients on the company’s forum. “Any support ticket content may be at risk — so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, [so] we recommend changing them now,” Pugh cautioned.

Reportedly, WHMCS lost the previous 17 hours' worth of support tickets and new orders in the attack.

There has been no statement from the hosting firm.

Update: There has reportedly been an arrest in the case.

Category: Breach Incidents, Business Sector, Non-U.S., Of Note


1 thought on “WHMCS victim of social engineering; over 500,000 client records stolen, deleted from server, and dumped publicly”

  1. IA Eng says:
    May 23, 2012 at 7:24 am

    I saw a post on ISC.sans.org a long time ago. May have been about Palin's Yahoo account being broken into. You do NOT need to answer the challenge questions with the so-called correct answer. There is no reason for it. As long as YOU know the correct answer is all that matters.

    PayPal is the way out for most corporations, but that isn't enough. They offer more options so there is a better chance they will get the cash. So, with those avenues the data is stored and often not encrypted.

    Businesses are into making money and slicing away at the security to save cash. They also lean heavily on the fact they have an insurance-type plan that supposedly protects them from some harm. Falling back on that insurance, or being able to claim this as a loss IF it is deemed their fault, is their scapegoat. They ride the gravy train until it crashes into something, and then make amends to correct it and see if it will ride again for a long time.

    It just proves that people are gullible. It's an easy way out to just give data away rather than double-checking the caller ID and doing a call-back to a number on file, or having software that can shoot the person an email with a confirmation code that they can read back to the rep. Security takes additional steps in any environment. It's nuts: they are willing to jump through a wide variety of security hoops at airports, and accept them, but when it comes to using security software and making the necessary setup and adjustments from time to time, it is either beyond their comprehension or just lack of due diligence.

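The control the commenter describes (a confirmation code sent to the contact on file that the caller must read back to the rep) is what would have stopped the sequence Pugh describes earlier on this page: correct answers to the host's verification questions, then a change of the contact email, then a request to mail out the access details. The code below is an added, self-contained example of that control and is not part of the original post, of WHMCS's code, or of any hosting provider's help-desk tooling. The account name, contact address, action names, code length, time-to-live, attempt limit, the in-memory outbox standing in for real mail, and the `demo()` walkthrough are all constructed assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Account actions a support agent must never perform on the strength of
# knowledge-based answers alone: a caller who has researched the victim can
# answer those. Each requires a fresh code sent out of band to the contact
# details already on file, which the caller then reads back to the agent.
SENSITIVE_ACTIONS = {"change_contact_email", "mail_access_details", "reset_password"}
CODE_TTL_SECONDS = 600   # assumption: a code lives ten minutes
MAX_ATTEMPTS = 3         # assumption: three wrong read-backs burn the code
CODE_DIGITS = 8          # assumption: 10^8 possibilities, far beyond 3 guesses


@dataclass
class Challenge:
    account: str
    action: str
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class VerificationService:
    contacts: Dict[str, str]                       # account -> contact address on file
    clock: Callable[[], float] = time.time         # injectable so the demo can age codes
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # stands in for real mail
    challenges: Dict[Tuple[str, str], Challenge] = field(default_factory=dict)

    def issue(self, account: str, action: str) -> Challenge:
        """Mint a single-use code bound to (account, action) and send it only to
        the address already on file, never to an address the caller supplies."""
        if action not in SENSITIVE_ACTIONS:
            raise ValueError(f"{action!r} does not require an out-of-band code")
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        challenge = Challenge(account, action, code, self.clock())
        self.challenges[(account, action)] = challenge   # supersedes any pending code
        self.outbox.append((self.contacts[account], f"{action}:{code}"))
        return challenge

    def verify(self, account: str, action: str, read_back: str) -> bool:
        """True only for an unexpired, unused code for exactly this account and
        action, compared in constant time, with a hard cap on wrong attempts."""
        key = (account, action)
        challenge = self.challenges.get(key)
        if challenge is None or challenge.used:
            return False
        if self.clock() - challenge.issued_at > CODE_TTL_SECONDS:
            del self.challenges[key]
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self.challenges[key]
            return False
        if not hmac.compare_digest(challenge.code.encode(), read_back.encode()):
            return False
        challenge.used = True
        return True


def demo() -> Dict[str, object]:
    """Walk the scenarios from the post; returns outcomes rather than printing them."""
    now = [1_700_000_000.0]                                   # controllable clock
    svc = VerificationService(contacts={"mattp": "owner@example.invalid"},
                              clock=lambda: now[0])          # constructed sample account

    # 1. An impersonator answers every verification question correctly but does
    #    not control the mailbox on file, so all they can do is guess; the
    #    challenge is burned after MAX_ATTEMPTS wrong read-backs.
    ch = svc.issue("mattp", "change_contact_email")
    wrong = str((int(ch.code) + 1) % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)
    attacker = [svc.verify("mattp", "change_contact_email", wrong)
                for _ in range(MAX_ATTEMPTS + 1)]

    # 2. The real owner reads the code from the address on file: it works once.
    svc.issue("mattp", "mail_access_details")
    real_code = svc.outbox[-1][1].split(":")[1]
    owner_ok = svc.verify("mattp", "mail_access_details", real_code)
    replay = svc.verify("mattp", "mail_access_details", real_code)

    # 3. A code is bound to one action: a pending password-reset code cannot
    #    authorise an email change, and an untouched code dies after the TTL.
    email_ch = svc.issue("mattp", "change_contact_email")
    reset_ch = svc.issue("mattp", "reset_password")
    while reset_ch.code == email_ch.code:       # 1-in-10^8 collision; keep the walkthrough deterministic
        reset_ch = svc.issue("mattp", "reset_password")
    cross_action = svc.verify("mattp", "change_contact_email", reset_ch.code)
    now[0] += CODE_TTL_SECONDS + 1
    expired = svc.verify("mattp", "reset_password", reset_ch.code)

    return {"attacker": attacker, "owner_ok": owner_ok, "replay": replay,
            "cross_action": cross_action, "expired": expired,
            "mail_went_only_to": {addr for addr, _ in svc.outbox}}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is where the code is sent: always to the contact already on file, looked up by the service, never to an address or phone number the caller gives the agent. Changing that contact is itself a sensitive action gated by the same code, so an impersonator cannot first redirect the channel and then request the access details, which is exactly the two-step sequence in Pugh's account. Knowledge-based answers can still be asked, but they only decide whether to start the flow, not whether to complete it.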