If ever there was a way to handle a hack, Hetzner has nailed it. The web-hosting company last night let its customers know that its konsoleH Control Panel database had been compromised. The problem was an SQL injection vulnerability, which the company says has already been corrected.
Hetzner followed up their frank admission with a list of the actions they’ve taken since the hack was discovered. It seems that user passwords for konsoleH Admin were not compromised but FTP passwords were. Those have all been updated by the company but there are still actions to be taken.
Information that has been compromised includes: customer names and details (like phone numbers, physical and email addresses and ID numbers, if those had been provided), FTP passwords, domain names, and bank account info. No credit card information was accessed but the information taken could be used for a variety of fraudulent activities.
What Hetzner customers need to do now is: update database access passwords, reset and update FTP passwords and update all email passwords as well. The company also recommended changing the konsoleH Control Panel login password. This last one was not accessed but you know how some users tend to reuse the same password…? Yeah, don’t do that.
The company, to their credit, hasn’t attempted to soften the blow of this hack for any of its users, opting instead to take the intrusion on the chin — a tactic that is ultimately better for user security, even if it sucks considerably at the moment. There are likely other updates to come, too.
Hetzner said, “We have external forensic investigators on site working round the clock with our team. We understand that this event has shaken your confidence in us. It is our earnest commitment to provide you with a hosting service you can trust.”