Who was affected by the password breach?


#1

So, now that the dust has settled, who was affected?

According to this post, some people’s accounts were accessed using the stolen passwords. The post seems to claim that DH actually said that 3500 accounts were accessed with the stolen information.

Edit: Oops, my bad. Apparently the post above refers to a previous security incident a few years ago. Please disregard this post.

But DH’s blog claims that no customer FTP or SSH user accounts have been maliciously accessed due to this password breach.

After the event, I contacted support to ask directly whether my passwords were in the table that was unencrypted. I needed to know this because I sometimes use a pattern approach to create unique passwords across sites and services but keep them memorable to me. Someone may be able to figure out the pattern though. DH Support very confidently said:

I’m not referring here to hacked WP accounts. I’m talking about actual access using a stolen password. Anyone get hit? Any other claims on teh internets?


#2

It looks like the “this post” you linked to was written on Jun 06, 2007 – which significantly predates any recent incident.


#3

@Bobocat - Guess it depends on what you mean by “affected”. None of my sites were hacked but I sure had the unpleasant task of updating clients and then running through all the websites and checking the files using Nessus and other tools. Took several weeks of my time.

old legacy database

And that’s what I meant when I posted that if that claim is true then why the overreaction? If I had enhanced security on all my setups/domains and my users/passwords weren’t part of that database then I don’t see the need to nuke my passwords like they did.

I think DH just took it as an opportunity to clean house so to speak.

Jw