Dreamhost FTP/Shell Password Database Breached
New submitter Ccmods writes "Below is a snippet from an email Dreamhost sent to subscribers early Saturday morning, describing an intrusion into the database storing FTP and SSH usernames and passwords: 'We are writing to let you know that there may have been illegal and unauthorized access to some of your passwords at DreamHost today. Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all DreamHost customers and their users. ... Only the FTP/shell access passwords appear to have been compromised by the illegal access. Web panel passwords, email passwords and billing information for DreamHost customers were not affected or accessed.'"
FTP? (Score:5, Insightful)
If the passwords are used for FTP they should be considered compromised anyway.
Re:Not a big deal (Score:5, Insightful)
I actually think it's a big deal, but not for the reason most people are crying about.
It's a big deal that they have been open, honest, & cautious about the intrusion. Having seen so many high profile companies take the opposite stance lately, the DH intrusion should be made a big deal of, if anything, to show other companies how you react to being hacked without losing face with customers.
For me, there is only one chance when it comes to security to get it right. If you try to hide intrusions, lie to customers, or stonewall tech sites trying to get more information, you aren't a company to be trusted with my data.
I'll see your SFTP and raise you... (Score:5, Insightful)
I'll see your SFTP and raise you disabling password authentication entirely, and using SSH public key authentication only.
If your SSH server is visible over the Internet, you should use public key authentication instead of passwords if at all possible. If you don't think it's important, try logging all of the malicious login attempts you get for the next week.
-- https://help.ubuntu.com/community/SSH/OpenSSH/Keys [ubuntu.com]
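The logging exercise suggested in the comment above, as an added example that is not part of the original thread: it tallies failed password guesses per source and per username, and lists any login that still succeeded with a password. It assumes OpenSSH's usual syslog message format; the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Jan 21 03:12:01 host sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 21 03:12:04 host sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 21 03:12:09 host sshd[4130]: Failed password for invalid user admin from 203.0.113.7 port 51190 ssh2
Jan 21 03:15:40 host sshd[4188]: Invalid user oracle from 198.51.100.23 port 40022
Jan 21 03:15:42 host sshd[4188]: Failed password for invalid user oracle from 198.51.100.23 port 40022 ssh2
Jan 21 08:30:11 host sshd[5002]: Accepted password for alice from 192.0.2.10 port 60211 ssh2
Jan 21 09:02:55 host sshd[5107]: Accepted publickey for bob from 192.0.2.44 port 60480 ssh2: RSA SHA256:CONSTRUCTED
"""

# The user field is client-supplied, so FAILED is anchored at the end of the line
# and the source address is taken from sshd's own trailing fields.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize(log_text):
    """Tally failed password guesses and list logins that succeeded with a password."""
    by_source, by_user, password_logins = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            by_user[user] += 1
            by_source[src] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password":
            # A successful password login shows password authentication is still enabled.
            password_logins.append((m.group(2), m.group(3)))
    return by_source, by_user, password_logins

if __name__ == "__main__":
    sources, users, pw_logins = summarize(SAMPLE_LOG)
    print("Failed password attempts by source:", sources.most_common())
    print("Usernames guessed:", users.most_common())
    print("Logins that used a password:", pw_logins)
```

Once `PasswordAuthentication no` is set in `sshd_config`, the last list should stay empty for new log entries.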
Re:Not a big deal (Score:3, Insightful)