Dreamhost FTP/Shell Password Database Breached
New submitter Ccmods writes "Below is a snippet from an email Dreamhost sent to subscribers early Saturday morning, describing an intrusion into the database storing FTP and SSH usernames and passwords: 'We are writing to let you know that there may have been illegal and unauthorized access to some of your passwords at DreamHost today. Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all DreamHost customers and their users. ... Only the FTP/shell access passwords appear to have been compromised by the illegal access. Web panel passwords, email passwords and billing information for DreamHost customers were not affected or accessed.'"
Only since last June.. (Score:3, Interesting)
It got so bad at one point that I recommended that readers of my blog . [dynamoo.com]
Re:Not a big deal (Score:2, Interesting)
It's a bit less trust-inspiring than you represent it.
Brian H. from Dreamhost initially posted on the Dreamhoststatus page that FTP/SSH passwords are only stored hashed. Later he deleted that statement. Why?
Web panel passwords are definitely stored in a retrievable way, because when you forget your web panel password they mail it to you. Not a nonce key that allows you to set a new password, they mail you the actual password. According to Dreamhost CEO Simon Anderson [dreamhost.com], they're now evaluating if they could change this practice.
Anderson also said that FTP/SSH passwords are stored "encrypted". He didn't say "one-way hashed" or "salted and hashed", he said "encrypted". So it could be a reversible encryption with the master password retrievable from somewhere else. Anderson doesn't reply to requests to specify what "encrypted" means.
So they had stored passwords in plaintext in the past and forgotten about it.
Allegedly, email passwords were not compromised, but they recommend changing them just to be sure. Actually an intruder with an FTP password could just FTP into the user's home directories and with a pretty good chance retrieve SQL and email passwords from config files and logs of any webapp that uses a database/email. Most webapps store those in plaintext. Dreamhost doesn't say if they checked which user files were accessed in the vulnerable time span. SQL connections are restricted to Dreamhost servers, but an SQL password gives you web access to databases over phpmyadmin.
There are several requests in the web panel's Suggestions section to stop sending passwords to customers or displaying them in the web panel. Dreamhost has been ignoring those requests for years.
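As an added example, not DreamHost's code and not from any commenter in this thread, this shows the distinction the comment above draws: a salted one-way hash that the operator cannot reverse to mail back, and a single-use, expiring reset nonce in place of emailing the actual password. The PBKDF2 parameters and token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example; not DreamHost's settings.
PBKDF2_ITERATIONS = 200_000
TOKEN_TTL_SECONDS = 15 * 60

def make_record(password: str) -> dict:
    """Store a per-user random salt plus a one-way PBKDF2-HMAC-SHA256 digest.
    Nothing in the record lets the operator recover the password to mail it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}

def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def issue_reset_token(store: dict, username: str, now=None) -> str:
    """Replace 'mail the password' with an expiring nonce. Only the nonce's
    hash is kept server-side, so a leaked database yields no usable reset links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[username]["reset"] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token

def redeem_reset_token(store: dict, username: str, token: str,
                       new_password: str, now=None) -> bool:
    """Consume the pending nonce on any attempt (single use), reject if expired
    or mismatched, otherwise replace the user's record with a fresh salted hash."""
    now = time.time() if now is None else now
    pending = store[username].pop("reset", None)
    if pending is None or now > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["token_hash"]):
        return False
    store[username] = make_record(new_password)
    return True
```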
Re:Not a big deal (Score:3, Interesting)
>Where? I've been a DH customer for 5 years...
The "forgot my password" link on the webpanel login page (discovered today by virtue of needing to log in to set user passwords again).
You are right that for users within your webpanel account there is no email reset option - you log into the webpanel to set these passwords.
But the webpanel account itself - passwords are emailed in plaintext.