Social engineers breach billing service WHMCS

Thousands of passwords and credit card details have been exposed online after social engineers breached the billing platform WHMCS.

Attackers obtained the data after masquerading as the platform's lead developer, Matt Pugh, and managed to con the company's hosting provider to release administrator credentials.

Pugh's details were then used to access WHMCS's database and steal hashed customer credit card numbers and passwords, usernames and support tickets. Along with that data, they also dumped a 1.7Gb cache that included the WHMCS control panel and website information.

Almost a day's worth of data was erased from the compromised servers, while links to the cache and other smaller files were hijacked.

Pugh wrote on the corporate blog that attackers from the group UGNazi had provided correct answers to identity verification questions.

“The person was able to impersonate myself with our web hosting company and provide correct answers to their verification questions, and thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details,” he said.

“This means that there was no actual hacking of our server. They were ultimately given the access details. We are immediately reviewing all of our hosting arrangements, and will be migrating to a new set-up at the earliest opportunity.”

Pugh initially said that the database of its ticketing system may have been compromised, and recommended any users who had recently sent a ticket containing their WHMCS or FTP login details to change them.

Around four hours later, Pugh said that the main server, which hosts the main website and the WHMCS installation, had also been compromised; he said a malicious user had proceeded to delete all files, losing all new orders placed within the previous 17 hours, as well as any tickets or replies submitted.

Troves of information from Australian hosting companies were displayed during a cursory scan of the breach databases by SC Magazine Australia.

The stolen tickets may also contain sensitive information such as credit card numbers, a mistake RackCentral managing director Shaun McGuane said customers often commit.

He said: “We get people sending us sensitive stuff through tickets all the time and we have to keep telling them to stop.”

McGuane took a swipe at WHMCS's response to the breach – he said it had not yet emailed affected customers to warn them to change passwords and cancel credit cards.

“I only found out about it last night after a friend happened to check their blog,” McGuane said. “It is really disappointing.”

McGuane recommended affected customers change passwords both for the WHMCS and on their systems. He said customers should also check to see if their credit card numbers were held by the company and, if so, cancel them.

“Sure they say they're encrypted, but that doesn't mean that they won't be cracked,” he said.