A Small Orange hacked

Web hosting company, A Small Orange, sent this email to its customers today. I’m reminded of when Media Temple was hacked recently. However, while A Small Orange still hasn’t let us know all the details, for instance the nature of the security hole, at least they were quick to make a public announcement.

We recently discovered that one of our internal servers had been compromised. We have received no reports of any harm to customers as a result of the attack. However, we did want to notify you regarding the situation quickly in order to allow you take any necessary precautions and to inform you of the steps we’ve taken to further secure your information.
What Happened
An attacker was able to gain access to one of our internal servers that hosted our billing system. Our billing system contains the contact information you provided to us when you signed up, as well as encrypted credit card information and encrypted account passwords.

Because the attacker was able to remove a number of server logs, we cannot be sure what (if anything) the attacker was able to access or if the attacker was able to decrypt any sensitive information. However, we are choosing to err on the side of the caution.

What We’ve Done
Immediately after detecting the breach, we initiated a full security lockdown across our entire network and made a series of technical and procedural changes to increase the security of all servers and services.

Besides the security procedures that we have enacted internally, we have also taken a number of other steps to ensure that this never happens again, including the tokenization of all credit card data. For our customers, this means that their credit card data will be stored securely directly with our payment gateway provider. We are also changing our procedures to ensure that customer passwords are not stored in our database.

In an effort to assist in the possible apprehension of the attacker, we have contacted and are fully cooperating with law enforcement officials.

We do not believe that any data from any of our other brands or partners has been compromised as a result of this isolated incident. However, we have taken steps to increase security throughout our entire company.

What You Can Do
We encourage our customers to follow security best practices and continue to use unique and secure passwords that are updated regularly.

If your current cPanel password is still the same as when you signed up with us, we encourage you to change that password and will be sending you a separate email with further instructions later this week. If your current cPanel password differs from the one you had when you signed up (as it does for many of our customers), we will not be contacting you further.

As always, it is also a good idea to review your credit card and bank statements on a regular basis to ensure there is no irregular activity.

Our Apology and Our Commitment
I apologize about any inconvenience that this intrusion generally, or the password resets in particular, might cause you. We are committed to providing our customers with the best possible web hosting experience and part of that is ensuring that our customers’ data is as safe and secure as possible.

If you have any questions or concerns, please do not hesitate to contact us. Like always, we will be available to answer any questions you might have 24 hours a day, 7 days a week.


Douglas Hanna
CEO, A Small Orange LLC


Christian, Voluntaryist, Marine, Southerner, WordPress enthusiast.

8 comments on “A Small Orange hacked
  1. Michael,

    Let us know if you have any questions or concerns. We’re happy to help however we can.

    All the best,

    Douglas Hanna
    CEO, A Small Orange

  2. Simon says:

    thanks for sharing the clear picture and the steps for making the network secure.

    Aileen Simon

  3. Really? says:

    I was with ASO for 3 or so years. You know those circus cars, those tiny little 1950s Fiats? The ones where 10 clowns pile out of? That’s ASO.

  4. Ellie Kenon says:

    this does not affect me but its nice to see a company looking out for their customers and informing them of a possible problem instead of trying to cover it up.

  5. R says:

    Bad company and bad hosting, I can say no more.

    • Michael says:

      I wouldn’t say that they’re a bad company or provide bad hosting. There has been a string of hosting companies having issues, and they are one of the victims. They’ve had their issues, but also have been quick to provide fixes. After I made this post, the CEO of A Small Orange contacted me directly to explain what they’ve done to fix things.

  6. Tina Y. says:

    Michael, they have not fixed it. I signed up for an account with them yesterday and had them install a version of WordPress through Cpanel. When I tried to sign into WordPress it had already been hacked. I decided to switch from Hostgator as I’d been having issues with them saying that I was using too many resources and took my site down 3 times so far. Looking for a new webhost. I am sad to say that ASO did not work out for me.

  7. Kabir Hazarika (@kabirhazarika) says:


    We’ve been using their services for the past 5 years. We have multiple accounts with them. In face we always recommend our clients who want to purchase shared hosting directly.

    Their support team is also quick and prompt.

    Of late, we are facing problems with repeated hacking of shared hosting with 2 of our accounts with them. Without notice they “Suspend” the accounts.

    Today, again we faced with the same problem as one of the server is now under suspension. You can’t login into the cPanel/FTP to check what’s wrong.

    Instead of suspension, these guys should have used some common sense to use any other notice like “The site is under maintenance” etc.

    Can anyone recommend any other hosting company who are reliable?

    The past 5 months have been painful with ASO. Now, I’ve made up my mind to switch. The hosting reviews are not reliable. Please suggest any hosting company who care about their customers.


    Kabir Hazarika

Leave a Reply

Your email address will not be published. Required fields are marked *