I don’t normally do negative posts about another person or company, but I feel this needs to get out there. A few hours ago I received an email from Media Temple, where I host several of my clients. It was an automated message informing me that:
This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.
Since Media Temple doesn’t offer customers any FTP/SSH server logs for me to check, I called them to discuss. The initial tech support representative and his manager were polite and helpful, explaining that an enormous number of login attempts had been going on through many accounts, with a number of them being successful. Many sites on many Media Temple accounts had been attacked and contained injected links in the footer:
<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 --><noscript><ul><li><a href="http://rg8rhg34h34h.cc/c">.</a></li></ul></noscript><!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->
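For site owners who want to check their own files for the footer injection quoted above, here is an added example (not part of the original post and not Media Temple's tooling) that finds and strips blocks with that shape. It assumes the injection always uses a 32-hex-digit marker that opens with "[" and closes with "]"; the file extensions, function names and sample values are assumptions made for illustration.

```python
import os
import re

# Signature of the injection quoted above: a 32-hex-digit marker opened with "[" in
# one HTML comment and closed by the same marker followed by "]" in another.
INJECTION_RE = re.compile(
    r"<!--\s*\[([0-9a-f]{32})\s*-->(.*?)<!--\s*\1\]\s*-->",
    re.IGNORECASE | re.DOTALL,
)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
EXTENSIONS = (".php", ".html", ".htm", ".tpl", ".inc")  # assumed template types


def find_injected_blocks(text):
    """Return one dict per injected block: marker, linked URLs, character offset."""
    return [
        {"marker": m.group(1).lower(), "urls": HREF_RE.findall(m.group(2)), "offset": m.start()}
        for m in INJECTION_RE.finditer(text)
    ]


def strip_injected_blocks(text):
    """Remove every injected block, leaving the rest of the page untouched."""
    return INJECTION_RE.sub("", text)


def scan_tree(root):
    """Walk a web root and map each affected file path to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_injected_blocks(fh.read())
            if found:
                hits[path] = found
    return hits


# Constructed sample footer; marker and URL are placeholders, not real indicators.
SAMPLE = (
    "<p>Footer</p>\n"
    "<!-- [0123456789abcdef0123456789abcdef --><!-- 1234567890 --><noscript><ul><li>"
    '<a href="http://injected.example/c">.</a></li></ul></noscript>'
    "<!-- 0123456789abcdef0123456789abcdef] -->\n</body>"
)
```

Run scan_tree against a copy of the web root first, and compare any hit with a known-good backup before rewriting files with strip_injected_blocks.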
I asked how in the world hackers had magically guessed so many FTP/SSH passwords. At first I was told that these were old passwords (it wasn’t explained to me why old passwords should be vulnerable). Then I was told that the login data was stored in plain text in a database that had been compromised. My jaw dropped. In my entire life, I’ve never heard of a company storing passwords in plain text. This is bad enough, but then the database where these passwords were stored was somehow accessible to someone on the outside.
They weren’t able to give me any really good answer, other than that the issue was being worked on to revamp security on the servers, and that new account level security measures (like not emailing passwords to new customers) would be implemented. I asked when they became aware of this issue, and was told within the past day. Oddly enough, Kyle Brady at the Inquisitr and Ross Dally at Tinyenormous seemed to be aware of this long before earlier today.
I asked if Media Temple would be making a public announcement detailing the issues which led to the hacks, and what is being/has been done to correct them. I was told to expect such an announcement. So wait and see?