Web hosting provider DreamHost reset all 300,000 FTP and shell access passwords after hackers breached a database. DreamHost advises changing your FTP/shell access and email passwords.

Anonymous may have launched massive Megaupload revenge DDoS attacks against DOJ, FBI, MPAA and RIAA websites, but sadly even stating a “deep-seated moral opposition” and denouncing SOPA doesn’t keep a site from being hacked. Web hosting service provider and domain name registrar DreamHost suffered a database breach on Friday and reset all 300,000 customers’ FTP and shell access passwords.

On January 21, DreamHost sent an email stating, “Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all DreamHost customers and their users.” All customers are advised to change their FTP/shell access passwords immediately, and although “web panel passwords, email passwords and billing information for DreamHost customers were not affected or accessed,” the company “strongly” recommended changing your email password as a “precaution.”

According to the DreamHost blog, “One of DreamHost’s database servers was illegally accessed using an exploit that was not previously known or prevented by our layered security systems in place. Our intrusion detection systems alerted our Security team to the potential hack, and we rapidly identified the means of illegal access and blocked it.”

Although the DreamHost status page marked the issue as “resolved,” there are currently 598 responses to “changing shell/FTP passwords due to security issue.” Some of those customers expressed difficulties accessing the web panel or a prolonged delay while waiting for the password change to work. Other folks complained about suffering with malware-infected sites for months after allegedly using the DreamHost one-click install wizard to set up WordPress or Drupal.
One has to wonder if the security issue of embedded malware on some sites has more to do with customers not keeping WordPress updated. Sucuri Research Blog reported that it has cleaned “quite a few of these websites and most of them were infected through outdated software installed by the customer. The important note to take here is it’s crucially important to ensure you’re keeping your sites updated. Remember, security is everyone’s responsibility. If you’re running a website you have a responsibility to your readership, customers, and the online world in general.” Sucuri offers a free malware and blacklist scan.

DreamHost CEO Simon Anderson gave these additional details, “Our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though). Re your shell accounts, I’d suggest that you select a new password just to be sure.”

Despite seeing one hack after another, password reuse is still a rampant problem. DreamHost customers who used that same password elsewhere should change it immediately before hackers can compromise those other accounts. Software architect and Microsoft MVP Troy Hunt advised, “The only secure password is the one you can’t remember.”