
Website admin cPanel hacked, loses a bunch of folks' contact details

Press the big red password reset button anyway

Website administration firm cPanel told customers that it had been hacked over the weekend, potentially exposing contact information in the process.

Customers' names, contact details, and encrypted (and salted) passwords were publicly aired due to a series of unfortunate events.

Payment information, kept on a separate system, remains safe.

Passwords ought to be safe too, but cPanel is taking the opportunity to get customers with older password encryption to change up anyway.

“I am writing to let you know that one of our user databases may have been breached,” the firm warned customers in an email over the weekend (republished online here). “Although we successfully interrupted the breach, it is still possible that user contact information may have been susceptible.”

“The customer contact information that may have been susceptible is limited to names, contact information, and encrypted (and salted) passwords. Please note that our credit card information is stored in a separate system designed for credit card storage and is not impacted by this possible breach.”

“Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. In order to safeguard the system, we will force all users with older password encryption to change their passwords,” it added.

This is a fairly minor breach and the main outcome – if crooks manage to get their hands on the potentially exposed contact info – is more convincing phishing emails.

cPanel, which provides tools for managing Unix-powered websites, disregarded requests for comment from El Reg.

The firm has form when it comes to security flaps, as evidence from previous El Reg stories shows (here and here). ®
