Fasthosts customers blindsided by emergency password reset

Enough is enough....

I have just been charged a late payment fee!!! They are ignoring all the recent fuss over credit cards and bank charges and if you don't pay within 7 days of your hosting expiring they charge you £20 +VAT!! P.S. They don't tell you about the charge until your renew, in a kind of thank you for your repeat business charge!!

Not sure what is more amusing

Not sure what is more amusing... people not changing passwords when they've been given notice fasthosts has been ransacked or people using fasthosts for mission critical websites......

Password Resets

I have two Fasthosts accounts and as I have my websites generated by WordPress, then the major MySQL database password reset brought both sites down and I was also banned from accessing both FTP accounts.

I changed all my control panel, FTP, MySQL and email passwords on the 18th October when the security breach came to light. Yet, I was still barred from access last night.

Fasthosts is hiding something here, as why would they disable/change my already changed passwords. A second security breach maybe?

Honesty is the best policy here. Own up Fasthosts if there is a second breach.

Also, if user's FTP accounts were breached, the hackers could easily upload sniffer programs to users FTP directories. Fasthosts have never warned the users to look out for suspicious files.

own server

I have used FastHosts dedicated Linux server in the past, until it was hacked, through a (as it later turned out) a well known vulnerability that was not patched, and all the websites on it were defaced.

That was enough for me to buy my own Dell server, and host it in a professional data centre for £100 per month. Now that I, and only I have complete control over my own server, knock on wood, I have not been hacked in 5 years! All you need is to close all ports except the ports that you need, apply all the patches, and disable all, but critical services.

P.S. and having your own server means that you can do whatever you want with DNS, email servers, etc – something hosters will not (or be unable to) do.

First

Oh, am I the only one that can't do any work because our websites down?

My thanks to Fasthosts

I offer my thanks to Fasthosts for this - I have been debating for a while (since the last debacle) whether or not to move to a different hosting company for me & my clients.

Fasthosts by again showing their excellent customer service have made up my mind for me.

Just packing my bags now.

Fasthosts Password Blunder

What a total farce. The person that instigated this change and the timing of it should be sacked along with the person that thought they were competent enough to be given the job. I have 4 fasthosts accounts and so am affected in many areas - web sites down, passwords for email not working, unable to manage domain registrations.

The email says that a SMALL number of clients' FTP areas were compromised so fasthosts have shutdown a large number of their clients sites. This is worse than being hacked because I now just have to wait for the post. I can't call them because their phone lines must be overwhelmed.

I have already wasted time dealing with support calls as a result of these changes and now I need to invest time in finding a replacement provider and transferring over 100 domains since I cannot trust Fasthosts - not the fact that they had a breach but their poor judgement on how best to resolve it.

Not the best business practive

This is not the 1st time that fast host has pulled this trick. I had my clients screaming at me for not being able to access their emails or their bookings( on hosted database), in one case is a private car operator who rely on the database hosted on Fasthosts to manage their bookings - I do not believe he will be staying with Fasthosts for much longer along with many of my other clients.

Sonofabitchbastards!

Great - fantastic, they've reset my Control Panel, FTP and SQL passwords (which also takes down my website) with the mail set to go in 10 days... no need to panic though as they're sending a new password via Post...

... which is nice as I'm working in Hungary for a year and post forwarding takes 4 weeks... if you're lucky.

Tried calling them, but that's not happening. Maybe I should have paid attention to the first email... what a shitter.

re: Not sure what is more amusing

The key point here is that they did NOT give notice of this emergency password reset. They just did it. And now you cannot use the new details to access the FTP, because the FTP servers do not allow connections.

I only have a couple of clients site's on Fasthosts, I keep my eggs in different baskets, resold to me by a third party, so I was completely unaware that a password change was required, and it turns out that this wouldn't have helped anyway, as even those who DID change their passwords got them changed AGAIN last night.

On a different matter, the article posted on the 30th of November talks of email passwords changing on the 9/10 November, was that a typo? Should it say 9/10 of December?

What A Bunch Of Amateurs

We received an email at 22:27 yesterday evening (Thursday 29/11/2007) informing us that all of our Control Panel, FTP and SQL passwords had been changed, effectively disabling all of our database driven websites and locking us out of every single website that we have hosted with them (approximately 200).

A little bit of warning would have been appreciated. As it is we are now an internet company with absolutely no control over 50% of our business because someone at Fasthosts thought it would be acceptable to reset every single password without notice and then send the master password via Royal Mail on a Thursday/Friday. Needless to say that on Friday morning, this master password has not yet arrived!

I can safely say that we will be removing all services currently hosted with Fasthosts within the very near future (or at least as soon as we can log in).

Amateurs

I spent a goodly amount of time changing my passwords, as advised, after the original debacle, and like others above, I now find that they gone and reset them anyway.

Bunch of tossers. Time to move.

Any incentives to stay with FH?

@AC. I've been abroad for the last two months (returned last night) and was unable to change my passwords, thank you. I certainly wasn't expecting the country's biggest host to get hacked in the meantime.

Now I'm locked out of my sites until snail mail decides to send new passwords in a few weeks (that's assuming the postal workers don't go on strike again or they get lost in the Christmas deluge).

Some sort of financial apology from fasthost would be in order if they want to keep my custom -otherwise they can all burn in hell

Bye!

If a small selection of accounts have been compromised, then just reset those account details. If you want to target people who haven't changed their passwords since the last hack then just reset theirs. To put a large selection of your client base through a major inconvenience because of the lax security of a few is ludicrous.

I agree with the earlier poster - it does seem like they've been hacked again and had all their passwords siphoned off. Unfortunately it's likely that we'll never know. I'm looking forward to the day when companies are legally forced in the UK to publicly report in a timely fashion any security breaches resulting in the exposure of customer data.

I forgave them after the previous incident. Now that it's happened again, I'm outta here. Any recommendations?

You have noone to blame but yourselves

Ok, none of you lot who replied have any excuse - you read The Register, I do to. All my passwords on our three Fasthosts boxes were changed within minutes of catching The Register story, and long before the weasels at Fasthosts actually bothered to tell us of the problem.

If you have a hosting account with anyone, you have to pay attention to security announcements - and you can't claim Fasthosts gave no warning, you've had AGES since the hack to get your passwords in order.

Not that Fasthosts are a shining light in the hosting world, by any means. I wouldn't host anything more with them now because of this.

Fasthosts Phone Number

Does anyone have a phone number other than 0870 888 3600 for Fasthosts, I need to give off, but haven't been able to get through all morning!

UKReg/FastHosts Suck

Like many others, I changed all my passwords back in October when the first balls up came to light, then moved my important bits to another host. When I tried to log in to UKReg this morning to complete the move and change my IPStags to my new DNS host, low and behold I was met with the 'Wrong Username & Password' message. I thought, 'right maybe its me and I've genuinly forgot my password' so I clicked on the Forgot Password link only to find "Unfortunately this service is unavailable at the moment. Please contact Customer Support for assistance.", so I try to call customer support and get "All lines are busy".

I'm now left sitting at my desk with UKReg/Fasthosts on redial contemplating driving up to Gloucester to speak to their 'Customer Support' face to face, if anyone wants to car pool drop me a line.

/cry

ARGHHH!!!

We have 100 domains with an average of about 4 emails per domain with them. Since they have no export function I'm going to spend a good hour putting together a list of all our emails.

Then generating random passwords for them all and writing a script to mail the new passwords to them all.

THEN wait for the shit to hit the fan in 10 days when most people's emails stop working.

And I can't even start on this until my master CP password arrives through the post :(

I changed my passwords...

... after the first hack. They have now been changed again by Fasthosts.

So yes, I do pay attention to security announcements. And no, I have no idea why they decided to reset my details and others who took the same precautions.

Their fubar, not mine. Their responsibility, not mine. Still my problem though.

Get rid of the geek at the top...

The way Fasthosts works is like the IT department of yester-year. An arrogance - "WE know best, you're just a dumb user!". Remember those days?

Well, the retard who should have stuck to sitting in a darkened room programming has somehow got to a position of authority and is still acting like those long-gone arrogant IT dinosaurs.

This is not customer-service. This is not good management. This is not professional. It's a sweeping "we will do this because it's easier for us and we know best what is safest".

Well, patently they don't. They forget that they are dealing with IT professionals of equal if not better abilities.

Anyone with a modicum of sense would have thought the problem through and done the important thing which is KEEP THE SYSTEMS UP! A moment's thought would have revealed that sites in this century cannot be offline for several days while the postman does his thing. But then, why should this bother Fasthosts?

I'll tell you why. Because the money saved in cheap hosting is money lost from disgruntled on-line customers. I cannot, and will not, keep my sites in a place where they are exposed to such unimaginative and unintelligent handling of security issues. Can you blame me?

Would it have been so hard to send an email telling all customers of the problem, urging them to have all passwords changed within 24 hours and then putting in place measures to support those who for one reason or another did not change their passwords? Is it really necessary to "validate" authentic owners by posting passwords to the stored postal address? Could not the same validation be done on-line or on the phone using this and the plethora of other data held by Fasthosts? Could not "The Team" call the phone numbers which are also held by Fasthosts to explain and support? A quicker, cheaper solution and as secure as using postal information? If I can sit here coming up with better customer solutions over a cup of coffee, could not those paid professionals at Fasthosts come up with something even more elegant and efficient?

Shoot the dinosaur. Heads must roll at Fasthosts.

local number

don't let fasthosts profit from their own misdemeanors, call tech support on the local number:

01452 541499

at 3am i was number 25 in the queue. good luck getting through!

just wanted to add +1 voice for "i changed my passwords when told to, they still locked me out".

fasthosts = incompetence by another name

Farcehosts

Ask for a new password over the phone, they will do it after 3 hours on hold, and 6 security questions. 3 hours on an 0870 thats £15 on which fasthosts must getting a revenue share ...we've changed the passwords on 2 out of our 178 domains we manage - think 500-800+ passwords to change including emails! But even after the change we still can't FTP

BMSoftware

I can't believe they actually did this....

Unbelievable!?!?!? How about a warning that failure to reset your password would result in an automatic reset? Or how about posting the new passwords prior to the reset so we can log in again imediately after the reset? I have, as i'm sure many do, an important launch on monday which NEEDS the website updating. Will they give me a temporary password if i call? Given that it will take days to get through, maybe it's best to wait for the post - i can always redirect the website to a holding page till then.... oh no, wait, I can't.

Right, so who should i move my hosting to?

Other Numbers

Use www.saynoto0870.co.uk

0870 888 3600 came up with Fasthosts Internet Ltd 01452 541499

And other information:

01452 541250 /01452 541251 /01452 541252

Fax: (0870 8883555) 01452 538485

Also for 0870 8883500, 0870 8883530, 0870 8883700 & 0870 8883800

Fasthosts debacle - vote with your feet!

Only Fasthosts could have poured contempt on their customers in this way! I run a small business - fasthosts have now disabled my website - rendering it useless, (even though I changed the passwords as instructed last month). I will now loose business in what will be one of my busiest weekends of the year. If I survive this, I will move my online business to another host.

Heads should roll at Fasthosts - but they probably wont. Vote with your feet - find a host that doesn't show such contempt to their customers!

Legal Action

Count me in. And if I can work out a way to successfully move 100+ domains without causing my customers grief before my reseller account renews in Jan I'm off. I also changed all the requested passwords from the original PDF on the day it was sent. I don't really want to run a dedicated server but they've just tipped the balance of work decidedly in favour of it.

It's very true that you get what you pay for and, aside from a couple of minor gripes that could happen on any shared server system, I've been more than happy with the return from FastHosts up to the last couple of months. I was fairly unimpressed with the original issue but it's the cackhandedness of the response to this one that is just unacceptable - and I'm one of the lucky ones in that at least all of my sites are still up.

I'm also working abroad and won't be able to personally see any post they send me; fortunately it can be securely read for me. On this subject though, I also have a tip for those of you who've been told they've reset your CP password: I think they've said this in the PDF even when you changed that as requested and they've only changed the Admin one, not the overall CP one, if you didn't change the Admin one as well.

Had enough

Enough is enough, can't get hold of anyone on support, changing passwords for all email accounts, web accounts etc. etc. etc. wasting time painful process - moving to Rackspace....

Full of Crap . . .

Some spotty little work placement student has pressed the BIG RED BUTTON and some numpty at Fasthosts thought it would be a good idea to fill all of their customers full of crap.

This stinks of a major blunder and a rubbish cover-up to me, no-one in their right mind would knowingly agree to this kind of service. I don't really know how good Heart Internet are, but they're getting about 200 new hosting accounts from us!

I think Fasthosts will suffer reatly after this, their latest little cockup.

why are the passwords available anyway?

okay, I must be missing a step here.

why on earth was Fasthosts storing passwords in a clear text format in the first place?

we run a rather large blogging community, and even if our system was hacked, the list of passwords would be completely useless to them. our passwords are stored using a special encryption.

where they using the standard linux "passwd" mechanism to store the passwords?

i think more questions need to be asked in how the passwords where being stored.

This is why I don't host with amateurs anymore...

I've watched this and other horror stories unfold over the years and thank the heavens that when I chose to move in '99, I chose well. I have never had security issues with my current provider who are on the ball when it comes to 'sploits, patches, upgrades and the like. And I'm joined by some of the big names out there... Tom's Hardware (THE hardware review site in the world) being one.

Vote with your feet, switch providers to someone who believes that customer service and security are not necessarily exclusive of each other. Viva Pair.

Rescue bid?

Given the amount of angst this is causing, and given that they have "closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again", might I suggest that they revert all passwords which they changed en masse (and not those changed since) to those current before this farce began?

I think we have now got the message that someone wants us to change our passwords.

Can this be a risky strategy since they "closed the vulnerability through which access was gained, and have taken steps to ensure that this cannot happen again" back in October?

And on a risk management basis, getting the majority of users back on-line far outweighs the chances that a hacker is standing by to wreak, what? Havoc?

I think even the most successful hacker could only dream of causing this much chaos.

Legal action?

"Mass legal action for loss of profit anyone and associated costs, anyone?"

if you know of anyone in the legal industry prepared to take a look at this then count me in.

Cheers

Come on people!

How many stories like this (not just Fasthosts, many other low cost hosting companies) do you need to read before you get a clue?

If your business can loose money/reputation through downtime, either pay for a quality host, multiple hosts, or at least drawn up (and if possible rehurse) plans for moving hosts (using your backed up sites/data) asap.

We use fasthosts for domain registration (and have DNS servers at two other separate locations). We changed our passwords when advised, and they were not locked out yesterday. I think some people on here may be telling porkies to cover their arse cos they didn't act in time...

Heart Internet

Just to say, I have been using them as one of my baskets for some accounts, as to date they have been fantastic.

They respond to queries rapidly and are very knowledgeable.

But then, Fasthosts were like that once, weren't they?

Just to really cover my arse, I haven't had any problems with Heart, and would recommend them, but your mileage may vary, as well as your needs from the service.