DreamHost used its status page to update customers on the password reset process
(WEB HOST INDUSTRY REVIEW) — Web hosting provider DreamHost told its customers in an email on Friday night to change their passwords after it detected unauthorized activity on its database, according to a report by CNET.
In the email, DreamHost claimed it had reset all customer FTP passwords as a precaution and that users could create new ones through the online panel. Web panel, email passwords and billing information were not exposed during the breach, according to the report. Despite this, DreamHost still urged customers to change email passwords as a precaution.
According to its status page, things were back to normal as of January 22 at 9:12 pm PST. DreamHost said the delay was due to the “sheer number of customers requesting password changes.”
“We understand your desire to get things working in an expeditious manner and we are working hard to get you there,” DreamHost said in a post on its status page. “We’re examining ways of decreasing the queue depth but we’re still faced with the fact that there is a considerable amount of work to be processed and apologize for the delay.”
On Thursday, the WHIR spoke to DreamHost technical support manager Brian Hill about its email-focused customer support. In the interview, Hill said the company updates its users on outages or issues via its status page, and explained its process for dealing with widespread outages. Hill also noted that transparency was important to DreamHost, a sentiment that CEO Simon Anderson echoed in a blog post on Saturday.
“In the DreamHost spirit of transparency and openness, I’m providing this update on our blog on the security issue yesterday. It’s necessarily pretty dry and factual, unlike most DreamHost posts, but that’s important to communicate as much detail as possible while not disclosing the inner workings of our security defenses,” Anderson said in the post. “The bad news is that we detected access to one of our databases and took rapid action to protect customer accounts and passwords. The good news is that it does not appear that any significant malicious activity has occurred on any customer accounts as a result of the illegal access.”
Anderson said that DreamHost’s software and security teams have investigated whether any customer sites, apps or blogs had been affected by the intrusion and said that so far, no major issues had been identified “potentially as a result of the swift action to force a password reset.”
{ 1 comment }
I hope my medical records were not hosted here. It’s really scary to think of all the systems being compromised, especially in the financial and healthcare information. But our data needs to be out there and accessible, so what do we do?
If I’m sick, really sick, and different doctors need to see my healthcare records to help me, I want them to have that access to my information – period. But while I’m healthy, and my health data is at rest, just sitting on a few hard drives, in files, I do want that data to be safe. Is it safe at my dentist? My doctor? The urgent care I went to in the off hours? The hospital where we visited the ER?
There are some attacks and data breaches that cannot be protected against. When humans are involved, anything can happen. Humans design the security components and architecture that access and hold PHI data, and other humans design the hiring/monitoring/firing process for those individuals who are authorized to access the PHI data. Hopefully, a step in the process is to monitor the data access logs by unique user name, and revoke access to humans that have left a particular entity.
In the “Security 101 for Covered Entities” report published by the Dept of Health & Human Services, I think they said it best when they wrote “HHS recognizes that each covered entity is unique and varies in size and resources, and that there is no totally secure system”.
In a December 2011 survey of 72 healthcare groups by the Ponemon Institute, they found that 96% reported that some data had been lost, stolen, or compromised within the last two years.
The industry needs to find the right balance of security and accessibility for financial, personal, and healthcare HIPAA related data.
Mike Flaherty
Online Tech
734-213-2020 phone
http://www.onlinetech.com/secure-hosting/overview