Many years ago I was fairly active in the Joomla community and wrote and published various plug-ins, which were available from my website. I also had some other websites for various small projects, and hosted them with Pickaweb who provided me with years of reasonable service.
A few years ago, Pickaweb was bought out by Hostek, since when the support has been abysmal. This wouldn’t normally concern me, as I rarely need technical support, but I do expect IT providers to meet a basic level of security. Unfortunately, it turns out that Hostek aren’t capable of even minimum security or any kind of investigation when their systems are compromised.
A couple of weeks ago I noticed an odd email that stated I’d changed my password to cPanel. As I hadn’t done this myself, I decided to check out my website. Turns out it had been replaced by a gambling site. Fortunately, I was able to reset my password, but of course the bigger question is how and what happened?
To reset my cPanel password, a verification code should be sent to my email address(es). This happened as expected when I changed my password after the event, and I received the verification code and the confirmation email afterwards. However, when cPanel was hacked I only received the confirmation email – no verification code was issued (and of course I wouldn’t have responded if it had, as I hadn’t initiated it at that point).
So, given that the evidence points to a breach at my hosting provider, I opened a support ticket with them. Or rather, attempted to. Hostek don’t have support tickets anymore. There are links to a ticketing system on their website, but the system itself doesn’t exist. Instead, the only option is to use their chat. So I reported the issue and asked them to investigate what happened.
I heard nothing for several days, and then received a short reply stating "we are looking into it". Nice to know they take security seriously, isn’t it? Security breaches apparently don’t register as important for them.
After a few more days, I received the following reply:
Going over the information provided, the IP 188.8.131.52 is from Indonesia, Jakarta and not the Netherlands. The IP had used the password reset but you have two email addresses set up for the password reset to be sent to (email@example.com and firstname.lastname@example.org). If the password reset was not reset from your email address then it was from the other email address. In which that email address is compromised. You will need to update the password information for that email address and have any device used for that email account scanned for viruses, malware and keylogger information which could have been used to obtain that email accounts password information. If that is not an email address you use anymore, then I would recommend updating the second email address settings in your Contact Information to be blank or a new valid address.
Right… So all this was my fault and my email and computers must be hacked?!
Well, of course not. I run my own mail server, and if it or any of my other machines were compromised I’d have far more problems than an old website being hacked. As a sanity check, I did analyse my Exchange and server access logs, and confirmed that the only email received during the website breach was the confirmation after the cPanel password had been changed – there were no codes or anything else sent to me prior. I reported this back to Hostek, though now they no longer respond. If the code emails had been diverted somewhere else, then it could only have been from Hostek’s side, not mine.
There’s nothing further I can check on my side. As Hostek are not interested, and are clearly not competent to run and support web-hosting services, I’ll be moving on. Fortunately none of the sites I host with them are needed anymore, so I’ll transfer the domains I want away and let everything else expire.
This is the second security incident I have had with Hostek. The first one was very similar (though affected more websites on my shared hosting plan), and Hostek were similarly disinterested in investigating (and in fact their conclusion was almost word for word the same – blame the customer, and don’t bother investigating at all).
I doubt I’ll use a web host again, but if you are looking for a provider I suggest you steer clear of Hostek.