Updated German hosting company DomainFactory has taken down its forums after someone posted messages alleging to have compromised the company's computers.
Acknowledging the attack, the GoDaddy-owned (via Host Europe, acquired in 2016) company has advised customers to change their passwords and detailed the extent of the data breach claimed by the hackers.
“While we investigate this data breach, we already know that third parties could have had unauthorised access to the following categories of data: Customer name; Company name; Customer number; Address; E-mail addresses; Phone number; DomainFactory Phone password; Date of birth; Bank name and account number (eg IBAN or BIC); and Schufa score”
The company says it has secured the systems the attacker accessed.
Details of the data breach first emerged via Heise, which viewed the now-deleted forum posts in which the attacker said he had accessed the systems.
Journalist Fabian Scherschel also posted on Twitter (in German) that he was also watching a Twitter thread “in which Lauter #Domainfactory customers ask a hacker about their data because DF does not respond to their requests” (all before DomainFactory's disclosure).
The Heise article said “when he realised that DomainFactory did not want to communicate the fact that he had broken into the company's servers, he disclosed his hack”.
Heise said the attacker used a Dirty Cow variant to access the systems, but that wasn't addressed in DomainFactory's post.
DomainFactory's disclosure puts the date of the data breach as January 28, 2018. ®
Update: Call it a cruel irony and we won't disagree: it turns out that Domainfactory misconfigured an error log, causing it to be published as an XML field, which would have simplified the attacker's task considerably.
In this https://www.heise.de/newsticker/meldung/Wegen-DSGVO-Panne-Domainfactory-Kundendaten-waren-als-XML-Feed-offen-im-Netz-4107074.html follow-up from Heise (in German), if a was saving updated data and there was an error, that record got published to the feed.
The problem field? “Ironically, the very field that should save the customer's attention to the customer's DSGVO (GDPR in English) declaration was the problem - it expected Boolean data, but was filled with a string.”