Hetzner database hack – The details
Hetzner’s konsoleH database was recently compromised, exposing customer details, FTP passwords, domain names, and banking details. Hetzner said the hackers used an SQL injection vulnerability to gain access to the database. The vulnerability has since been fixed.
The company has now provided further details about the konsoleH compromise on its website – which provides answers to common client questions.
I have hundreds of domains, how can you expect me to update all the passwords?
We fully appreciate the time-consuming effort this will take for many of our customers. Our Support team is available 24/7 and is able to update all passwords on a domain to a randomly generated password and provide you with these passwords via an FTP download.
How secure is your data centre and network?
This compromise is very specific to the konsoleH Control Panel code that had a vulnerability which was discovered and exploited. This incident, while serious, should not affect our customers’ confidence in our hosting infrastructure: there are various layers of security deployed within our hosting environment. While the konsoleH control panel compromise exposed customer data, the incident has in no way impacted the security protocols of our switched network, hosting platform or data centre infrastructure.
To what extent have customer details been exposed?
We should assume that all our customer data has been exposed.
While we’re able to see where and how the data was accessed, there is no way for us to ascertain how the exposed data will be used.
Hetzner hosts the server that was involved with the Master_deeds incident. Is this compromise related?
Master_deeds is hosted on a self-managed server, leased by one of our customers. This customer has complete responsibility for all data storage and data access on the server, while Hetzner remains responsible for the hardware and only the hardware – we don’t have access to the data stored on this hardware.
The two incidents are not related in any way.
Have the databases on my website been compromised?
No, only the konsoleH Control Panel database was compromised. However, you are urged to change the access details to your database as this information may have been exposed.
What about my banking details?
We do not store any credit card information. Only banking details used for debit order instructions may have been exposed.
As a precaution, ensure that you regularly check your bank statement for unauthorised debits.
I am a previous Hetzner customer – has my information been exposed?
Yes. As a standard procedure, Hetzner does not delete information when a customer terminates their service with us. However, should a customer terminating their service with us specifically ask for their information to be removed, we do so without question.
What has been the extent of your communication to customers?
We have notified our customers in good time via SMS, email, our website, phone system, Twitter as well as communication with key media on the day of the incident.
Even though the PoPI Act is not yet in effect, is Hetzner compliant?
Even though the PoPI Act has not yet commenced, we are already compliant.
We take our responsibilities to protect personal information very seriously. Customers were notified within 24 hours of Hetzner becoming aware of the breach. PoPI does not require that Hetzner prevent all unauthorised access because this is impossible to do.
It does require that we take measures to secure personal information and then if there is a compromise, to respond in a responsible way. Hetzner took immediate action, once we became aware of the vulnerability, to take measures to address the security compromise. We locked down access to our konsoleH control panel as a precautionary safety measure.
We are deleting the FTP and database passwords saved on our system.
What compensation can I expect from Hetzner?
We deeply regret the time and effort required of our customers to recover from this situation and offer our full support to assist – our team is available 24/7 to shoulder this administrative burden with you. The unfortunate reality is that no company is immune to malicious exploits – our customers have fallen victim, as has Hetzner. While Hetzner won’t be compensating customers in monetary terms, we are committed to supporting our customers through this time and have our team working around the clock.
Why do you still store unencrypted data in your database?
While the konsoleH control panel Admin passwords are encrypted on our systems, Hetzner did store FTP and database passwords in clear text.
The reason for this was to be able to assist our customers by having this information on hand to provide support. We believed that the security measures we had in place were adequate to protect these passwords. As a result of this compromise, we are deleting all plain text versions of the FTP and database passwords.
Going forward, they will be encrypted on our systems.
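The two technical points in the report above, an SQL injection into the control-panel database and FTP/database passwords held in clear text in that same database, can be illustrated side by side. The following is an added example, not Hetzner's code or schema: it builds a constructed in-memory accounts table in Python (stdlib only), shows a lookup that concatenates caller input into SQL beside a parameterised one, and stores the admin password as a salted PBKDF2 hash so that a row read out of the database does not yield the password itself. Every name, the table layout and the sample accounts are assumptions made for the example.

```python
"""Query construction and password storage, side by side.

Constructed sample data only; nothing here is Hetzner's code or schema.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Callable, List, Optional, Tuple

# Constructed sample accounts: (control-panel username, admin password, FTP password).
SAMPLE_ACCOUNTS = [
    ("alice", "correct-horse-battery", "ftp-secret-alice"),
    ("bob", "hunter2", "ftp-secret-bob"),
]

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_db(hash_admin_passwords: bool) -> sqlite3.Connection:
    """In-memory accounts table; admin passwords stored hashed or in clear text.

    FTP passwords are deliberately kept in clear text in both variants, mirroring
    the storage the report describes, so the difference in exposure is visible.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, admin_password TEXT, ftp_password TEXT)"
    )
    for user, admin_pw, ftp_pw in SAMPLE_ACCOUNTS:
        stored = hash_password(admin_pw) if hash_admin_passwords else admin_pw
        conn.execute("INSERT INTO accounts VALUES (?, ?, ?)", (user, stored, ftp_pw))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Builds the query by string formatting: the caller's text becomes part of the SQL."""
    sql = (
        "SELECT username, admin_password, ftp_password FROM accounts "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterised query: the caller's text is bound as data, never parsed as SQL."""
    sql = "SELECT username, admin_password, ftp_password FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A regression-test input a reviewer feeds both lookups: harmless as data, but it
# rewrites the WHERE clause if it is ever concatenated into the SQL text.
PROBE_USERNAME = "nobody' OR '1'='1"


def rows_exposed(lookup: Callable, hash_admin_passwords: bool) -> List[Tuple]:
    """Rows a single request with PROBE_USERNAME returns for a lookup/storage combination."""
    conn = build_db(hash_admin_passwords)
    try:
        return lookup(conn, PROBE_USERNAME)
    finally:
        conn.close()


if __name__ == "__main__":
    leaked = rows_exposed(lookup_vulnerable, hash_admin_passwords=False)
    print(f"string-built query, clear-text storage: {len(leaked)} rows, e.g. {leaked[0]}")
    leaked = rows_exposed(lookup_vulnerable, hash_admin_passwords=True)
    print(f"string-built query, hashed admin passwords: FTP still readable: {leaked[0][2]}")
    print(f"parameterised query: {len(rows_exposed(lookup_safe, True))} rows")
```

Running the script shows the two layers the report touches on: the string-built query hands back every row of the table for one probe input, while the parameterised query returns nothing; and hashing the admin password limits what such a row reveals, but the FTP password, still in clear text, comes out intact. Secrets that must stay recoverable for support purposes, as the report says the FTP passwords were, need to be encrypted with a key held outside the database rather than hashed; the standard library has no suitable cipher, so this example does not implement that step.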