WHMCS victim of social engineering; over 500,000 client records stolen, deleted from server, and dumped publicly

Why hack when you can socially engineer employees into giving you the keys to the kingdom?

Client management billing platform WHMCS reports that hacker group UGNazi successfully socially engineered their web hosting firm into providing the hackers with admin credentials. The hackers then proceeded to acquire their data, delete it, and dump it.

The attack took place yesterday, and within hours, WHMCS had reported the problem on their blog.  Later in the day, developer Matt Pugh posted an update:

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.

This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.

According to John Leyden of The Register:

UGNazi also gained access to WHMCS’s Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm’s customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack.

In an email to their clients today, WHCMS wrote:

Date: 22 May 2012 01:40:03 GMT-03:00
To: XXXxxx
Subject: Urgent Security Alert – Please Do Not Ignore

Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.

To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.

As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.
Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.

This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.

WHMCS Limited

But UGNazi was not done interfering with WHMCS’s business. In an update to their blog today, Matt writes:

Right now to compound matters, we are experiencing a large scale DDOS attack, which started at around 1am last night, and continues to this moment, so accessing the site may be intermittent for the time being due to the protection hardware that has been put in place for that.

According to Ted Samson of InfoWorld, client passwords:

were stored in a hash format, and the credit card information was encrypted — but evidently not PCI-compliant, a point raised by WHMCS clients on the company’s forum. “Any support ticket content may be at risk — so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, [so] we recommend changing them now,” Pugh cautioned.

Reportedly, WHMCS lost the previous 17 hours’ worth of support tickets and new orders from the attack.

There has been no statement from the hosting firm.

Update: There has reportedly been an arrest in the case.

About the author: Dissent