According to a blog post at DreamHost Status Blog, the company has detected a security breach at one of their database servers.

In a response to the attack, the company has decided to issue a mass password-reset on all of its customers.

Apparently, the breach occured in November via theone-click install wizard offered by Dreamhost: One click and your wholeWordpress / Drupal web site is installed, ready to use, automatically updatedby the wizard. Apparently, it’s the wizard itself that was compromised andanybody who used it was affected.

DreamHost CEO issued the following statement:

“our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”

Next to shell and FTP passwords, the company is advising its customers to change email passwords as well.

There are not reports of mass abuse of the stolen accounting data so far.


http://packetstormsecurity.org/news/view/20486/DreamHost-Hacked-Mass-Password-Reset-Issued.html

Slyr0x:

According to a blog post at DreamHost Status Blog, the company has detected a security breach at one of their database servers.

In a response to the attack, the company has decided to issue a mass password-reset on all of its customers.

Apparently, the breach occured in November via theone-click install wizard offered by Dreamhost: One click and your wholeWordpress / Drupal web site is installed, ready to use, automatically updatedby the wizard. Apparently, it’s the wizard itself that was compromised andanybody who used it was affected.

DreamHost CEO issued the following statement:

“our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”

Next to shell and FTP passwords, the company is advising its customers to change email passwords as well.

There are not reports of mass abuse of the stolen accounting data so far.


http://packetstormsecurity.org/news/view/20486/DreamHost-Hacked-Mass-Password-Reset-Issued.html

To think that I was only notified 2 days ago! The hackers had almost 3 months to go to town!

Na wa o. Thank God my site, www.onwaweb.com is hosted on google servers.

Gosh!

Thank God my site www.cityflavourmagazine.com not hosted on Dreamhost, but to me 3month is too long to notify their customer about the hacking

Pls can anyone help me with a free(3 months atleast) and reliable host for joomla/drupal out there?

sheyguy:

Pls can anyone help me with a free(3 months atleast) and reliable host for joomla/drupal out there?

You use google's blogger.com. But they dont accept joomla sites.

Slyr0x:

\

    “our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more l[b]egacy unencrypted passwords[/b] in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”
\

It wasn't even encrypted and you still left it there? 

I like something about this guys. They were honest and made the case open. A nigerian host wont do this. Neva! He go tell u say this that

Ymodulus:

I like something about this guys. They were honest and made the case open. A nigerian host wont do this. Neva! He go tell u say this that

ISO audit standards stipulates they should report every breach on their systems.

. . . therefore their honesty wasn't put on the table like a choice among other options.

Meanwhile what is it with bashing Nigerian host service providers at every hit. . . and it has to be so generalized?

sheyguy:

Pls can anyone help me with a free(3 months atleast) and reliable host for joomla/drupal out there?

hi there, I can help u out with Joomla(web hosting, template customization), what exactly do you need.

denzel2009:


ISO audit standards stipulates they should report every breach on their systems.

One of the ISO 27001 controls also says passwords should be encrypted. . .They goofed up big time. . .It's good they admitted tho

Frosti:

Na wa o. Thank God my site, www.onwaweb.com is hosted on google servers.

___________________________________________________________________________________________________________________________

omoloba123:

Thank God my site www.cityflavourmagazine.com not hosted on Dreamhost, but to me 3month is too long to notify their customer about the hacking

[size=18pt]Nice cheap advert!!!![/size]

^^Are you are you just created more awareness for 'the cheap advert?