This article addresses Frequently Asked Question regarding the KonsoleH Database Compromise announced on 1 November.
(Updated: 08 Nov: 15h30)
What are the updates that have been made to date?
- All passwords are now encrypted.
- Forgotten passwords can’t be recovered but can be reset. You can find out how to do this here.
- New domains are now created with a randomised, unrecorded, encrypted FTP/SSH password. You will have to first set the FTP password before you can manage your website.
Can my customer information be used for Phishing?
Yes. This information can be used by scammers, posing as Hetzner (making use of our logo and your personal details). If you think you’ve received a phishing scam, delete the email message. Do not click any links in the message. A good practice is to type the web address directly into your browser and make sure that the site is protected with HTTPS.
How can I protect myself from identity theft?
Unfortunately there is very little that can be done to protect oneself from identity theft. This article will provide some useful information should you suspect you are a victim of identity theft.
Why do you still store unencrypted data in your database?
While the konsoleH control panel Admin passwords are encrypted on our systems, Hetzner did store FTP & database passwords in plain text. The reason for this was to be able to assist our customers by having this information on hand to provide support. We believed that the security measures we had in place were adequate to protect these passwords.
As a result of this breach, we are deleting all plain text versions of the FTP & database passwords. Going forward, they will be encrypted on our systems.
Even though the PoPI Act is not yet in effect, is Hetzner compliant?
Even though the PoPI (Protection of Personal Information) Act has not yet become law, we do take our responsibilities to protect your personal information very seriously. We have complied with all legal obligations and this will not change. We can confirm that we have notified our customers via SMS, email, our website, phone systems, Twitter as well as communication with key media on the day of the incident. Customers were notified within 24 hours of Hetzner becoming aware of the breach.
PoPI does not require that Hetzner prevents all unauthorised access because this is impossible to do. It does require that we take measures to secure personal information and then if there is a compromise, to respond in a responsible way:
- Hetzner took immediate action, once we became aware of the vulnerability, to take measures to address the security compromise.
- As a precautionary measure, we locked down access to our konsoleH control panel.
- We are deleting the FTP & database passwords saved on our system.
What compensation can you expect from Hetzner?
We deeply regret the time and effort required of our customers to recover from this situation and offer our full support to assist -- our team is available 24/7 to shoulder this administrative burden with you.
Unfortunately, no company is immune to malicious exploits. This is an attack on Hetzner and on our customers. While we are not compensating customers financially, we are committed to supporting our customers through this time and have our team working around the clock.
(Posted 02 Nov: 08h28)
I have hundreds of domains, how can you expect me to update all the passwords associated with these domains?
We fully appreciate the time-consuming effort this will take for many of our customers. Our Support team is available 24/7 and able to assist you where we can. If you would like our assistance, please contact firstname.lastname@example.org with the list of domains you need assistance with.
How secure is your data centre and network?
This compromise is very specific to the konsoleH Control Panel code that had a vulnerability which was discovered and exploited. This incident, while serious, should not affect our customers’ confidence in our hosting infrastructure: there are various layers of security deployed within our hosting environment. While the konsoleH control panel compromise exposed customer data, the incident has in no way impacted the security protocols of our switched network, hosting platform or data centre infrastructure.
To what extent have customer details been exposed?
We should assume that all our customer data has been exposed. While we’re able to see where and how the data was accessed, there is no way for us to ascertain how the exposed data will be used.
Hetzner hosts the server that was involved with the Master_deeds incident. Is this compromise related to ‘Master_deeds’?
Master_deeds is hosted on a self-managed server, leased by one of our customers. This customer has complete responsibility for all data storage and data access on the server, while Hetzner remains responsible for the hardware and only the hardware -- we don’t have access to the data stored on this hardware. The two incidents are not related in any way.
Have the databases on my website been compromised?
No, only the konsoleH Control Panel database was compromised. However, you are urged to change the access details to your database as this information may have been exposed.
What about my banking details?
We do not store any credit card information. Only banking details used for debit order instructions may have been exposed. As a precaution ensure that you regularly check your bank statement for unauthorised debits.
I am a previous Hetzner customer -- has my information been exposed?
Yes. As a standard procedure, Hetzner does not delete information when a customer terminates their service with us. However, should a customer terminating their service with us specifically ask for their information to be removed, we do so without question.
What has been the extent of your communication to customers?
We have notified our customers in good time via SMS, email, our website, phone system, Twitter as well as communication with key media on the day of the incident.