The group used social engineering to access WHMCS’s customer database, then leaked 500,000 records online
By Ted Samson | InfoWorld
WHMCS, a provider of online billing services, is the latest victim of a high-profile security breach launched by a hacker group claiming moral high ground for its actions.
Hacker group UGNazi has taken responsibility for swiping and leaking more than a half-million customer records — including credit card information and passwords — from WHMCS on Monday. The group used WHMCS’s hacked Twitter account as a forum to justify its actions: “Many websites use WHMCS for scams. You ignored our warnings. We spoke louder. We are watching; and will continue to be watching.”
UGNazi joins the likes of Anonymous and The Unknowns in employing hacking as a means of punishing organizations for perceived wrongdoings.
According to WHMCS lead developer Matt Pugh, the perpetrators employed a social-engineering attack to dupe the company’s Web hosting company — reportedly HostGator — into giving up administrator credentials. With those credentials in hand, the group accessed WHMCS’ database on Monday and stole customers’ credit card information and passwords, as well as user names and support tickets. UGNazi then leaked links to the stolen records on Pastebin.
According to Pugh, the hackers deleted all files on the company’s servers after the heist, including 17 hours’ worth of new orders and help tickets.
The passwords were stored in a hash format, and the credit card information was encrypted — but evidently not PCI-compliant, a point raised by WHMCS clients on the company’s forum. “Any support ticket content may be at risk — so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, [so] we recommend changing them now,” Pugh cautioned.
Compounding the impact of the attack, outside hackers have since hit WHMCS with a large-scale DDoS (distributed denial of service) attack. UGNazi has a reputation for launching DDoS attacks against the U.S. government.
Pugh took pains in the WHMCS blog to point out that the attack “was not directly due to any lapses in the security in place on either our server or WHMCS itself,” implying that the lapse was on HostGator’s part.
Still, Pugh did acknowledge that WHMCS should have had a more robust hosting infrastructure in place. “Plans have already been put in motion for a new multi-server hosting infrastructure to be setup and migrated to,” he wrote.