This is a comment on a recent thread entitled “URGENT: My Dreamhost account is hijacked”, but since this comment is not itself urgent I didn’t want to bring that thread back to the front.
I have sympathy for the OP’s plight and hope their difficulties are well on the way towards being resolved.
If the OP has any idea how their account was broken into, it might be worth posting about that also. And since this is (as Andrew noted) a discussion forum, it would be good to address some wider issues.
I wonder how many DH customers know that (subject to some reasonable assumptions which I will note) their DH hosting account can be completely hijacked if they merely leave their laptop unattended for 30 seconds while open on their regular email inbox.
Here’s how. Assume for the sake of definiteness that the unattended inbox is gmail (or google apps).
(1) Enter “newslettery” (n.b. the trailing ‘y’) into the Search box and hit “Search”
(2) Click on the most recent match (which conveniently appears at the top)
(3) Select-and-copy the text following “To:” (which also, conveniently, appears near the top)
(4) In another tab, browse to “panel.dreamhost.com” and click on “Forgot password”
(5) Hit “paste” into the text box and click on “Reset my password!”
(6) Go back to the first tab, click on “inbox” and click on the email which has just arrived
(7) Click on “You can reset your password by clicking this link:”
(8) A new tab opens; enter a new password twice (the shorter the better, quicker to type) and click on “Reset my password!”
(9) Go back to the first tab and (to cover your tracks) delete the email which you are looking at
(10) Another email arrives (from DH, saying they just re-set the password) - delete this email also.
Total time: well under 30 seconds if on a fast internet connection and you know what you are doing.
Then, later on, at your leisure:
(11) If the account holder has a secret question-and-answer, change it
(12) Harden the password which you entered at step 8
(13) See if the account holder has any MX records; if so, change them, in order to disrupt his or her access to email.
(1) Who would ever leave their laptop unattended for 30 seconds while open on their inbox? It is sometimes claimed that people who would do that are not “administrator material” and should not be attempting to administer websites, esp. if used for business.
Be that as it may, if a person is being maliciously targeted, it might not be difficult to get them to leave their laptop unattended for 30 seconds, even if they are an experienced and savvy administrator. If anyone doubts this I will try to think up a plausible scenario, but it should not be necessary.
(2) Would email sent to their Dreamhost login email address be auto-forwarded to their regular email account? Well, this is an interesting question, and the answer is that it ought not to be. With gmail, for example, one can make one’s secondary email address (to which password-reset links will be sent) go to a rarely-accessed and well-protected account. But with Dreamhost everything - including newsletters and operational alerts needing immediate attention - goes to the same email address. So it is quite likely that even a savvy administrator will end up having his Dreamhost account-related email auto-forwarded to his regular email account.
(3) A few years ago, Dreamhost procedure was far worse, to the extent that a Starbucks waiter with access to a computer in a back room could compromise a Dreamhost account by peering over a customer’s shoulder for less than 3 seconds, retiring to the back room, and then emerging and peering again over the same shoulder for 1 second at a precisely engineered moment. Things have now improved … to the extent that a laptop needs to be unattended for 30 seconds for the account to be compromised. But is this good enough?
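Added example, not part of the original post and not DreamHost's own code: a small model of the reset flow that point (2) argues for, where the reset link is mailed to a separate, rarely opened recovery address and the everyday inbox only ever receives notices. Tokens are stored as digests, are single-use and expire, the new password must meet a minimum length (so step 8's "shorter the better" is refused), and both addresses are told when the password changes, so deleting the copy in the everyday inbox (steps 9 and 10) does not hide the change. `Account`, `ResetService`, the `outbox` list standing in for mail delivery, the 10-minute TTL and the 12-character minimum are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 600     # assumed policy: a reset link dies after 10 minutes
MIN_PASSWORD_LENGTH = 12    # assumed policy: refuses the short password of step 8


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Salted PBKDF2-SHA256; the salt travels with the digest as 'salt$hex'."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt = stored.split("$", 1)[0]
    return secrets.compare_digest(hash_password(password, salt), stored)


@dataclass
class Account:
    login_email: str      # everyday address: newsletters, alerts, operational mail
    recovery_email: str   # separate, rarely opened address that receives reset links instead
    password_hash: str


class ResetService:
    """Assumed reset service: hashed, single-use, expiring tokens sent to the recovery address."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}   # token digest -> (login_email, expiry)
        self.outbox: List[Tuple[str, str]] = []            # constructed stand-in for mail delivery

    def request_reset(self, account: Account) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()   # only the digest is kept server-side
        self._pending[digest] = (account.login_email, self.clock() + RESET_TTL_SECONDS)
        self.outbox.append((account.recovery_email, "reset-link"))     # link goes to the guarded inbox
        self.outbox.append((account.login_email, "reset-requested"))   # everyday inbox only gets a notice
        return token   # returned so the example can be exercised; in production it leaves only by mail

    def complete_reset(self, account: Account, token: str, new_password: str) -> bool:
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False                       # token stays pending so the owner can retry
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop makes the token single-use
        if entry is None:
            return False                       # unknown or already-used token
        login_email, expiry = entry
        if login_email != account.login_email or self.clock() > expiry:
            return False                       # wrong account or the link has expired
        account.password_hash = hash_password(new_password)
        for addr in (account.login_email, account.recovery_email):
            self.outbox.append((addr, "password-changed"))   # deleting one copy does not hide the change
        return True


if __name__ == "__main__":
    svc = ResetService()
    acct = Account("me@example.com", "recovery@example.net", hash_password("old-password-xyz"))
    tok = svc.request_reset(acct)
    print("short password accepted:", svc.complete_reset(acct, tok, "short"))
    print("reset completed:", svc.complete_reset(acct, tok, "a-long-enough-password"))
    print("token replay accepted:", svc.complete_reset(acct, tok, "another-long-password"))
    print("mail sent:", svc.outbox)
```

The point of the model is the split between the two addresses: someone who briefly controls the everyday inbox sees only the "reset-requested" and "password-changed" notices, never the link itself, and the owner still finds the "password-changed" notice in the recovery mailbox afterwards.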