Dreamhost hacked

Posted: Fri Jan 20, 2012 4:15 pm
by JonPorobil
Dreamhost - the web hosting service used by Song Fight! and various members of this community - has been hacked. Users are urged to change their passwords ASAP.

http://www.dreamhoststatus.com/2012/01/ ... ity-issue/

Hopefully, everyone who needs to know this already does.

Re: Dreamhost hacked

Posted: Fri Jan 20, 2012 4:43 pm
by jb
Yeppers. Yup.

Re: Dreamhost hacked

Posted: Fri Jan 20, 2012 5:35 pm
by Manhattan Glutton
And since the dumb fuckers store passwords in plaintext...

Thanks for the heads-up. I did not know.

Re: Dreamhost hacked

Posted: Fri Jan 20, 2012 5:38 pm
by Spud
Manhattan Glutton wrote: And since the dumb fuckers store passwords in plaintext...
Do you know that, or just assuming? Just wondering...

Re: Dreamhost hacked

Posted: Sat Jan 21, 2012 12:19 am
by Billy's Little Trip
MG is the hacker. I knew he was a shenaniganist.

...for the record. shenaniganist ~BLT 2012

Re: Dreamhost hacked

Posted: Sat Jan 21, 2012 12:26 am
by fluffy
I don't know if the passwords are stored in plaintext but they are plaintext-recoverable, which means that anything that has access to their decryption key has plaintext access to them. (And plaintext-recoverable by email is yet another hacking vector.)

Re: Dreamhost hacked

Posted: Sat Jan 21, 2012 12:29 am
by Manhattan Glutton
Spud wrote: Do you know that, or just assuming? Just wondering...
What fluffy said. Use the password recovery form sometime - it emails you your password in plaintext.

Re: Dreamhost hacked

Posted: Mon Jan 21, 2013 12:14 am
by fluffy
Incidentally, I got in a debate with the Dreamhost folks about this recently, because it turns out that it's not just for recovery, but for how they diagnose account problems. Rather than logging in as an admin and doing a 'sudo -u username' thing they actually decrypt your password from the database and copy-paste it into their ssh session, which is ridiculous and opens up even more possibilities for malware-as-attack-vector if they ever have to diagnose your account for some reason.

So, it's best to just set your Dreamhost password to something that is truly unique from anywhere else (maybe even randomize it completely once a week?) and not even use that password to log in - use .ssh/authorized_keys instead (if you know wtf that means). I use authorized_keys anyway because it's easier for me to deal with AND more secure, and also makes it easy for people to grant and revoke access to each other without sharing a common password (it's how we're finally set up on the Song Fight shell account now), but really, there's no excuse for them to make this necessary.
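An added example, not from this thread or from Dreamhost, illustrating fluffy's point: a "plaintext-recoverable" store hands the password back to anyone holding the server's key (the recovery form, the support tech, or an attacker), whereas a salted one-way hash lets the server verify a login but gives nobody the plaintext. The reversible scheme is a constructed stand-in, not Dreamhost's actual storage; only the Python standard library is used.

```python
"""Added example: plaintext-recoverable storage vs. one-way password hashing."""
import hashlib
import hmac
import os

# --- Scheme A: reversible storage (constructed stand-in for the example).
# A keyed stream derived with HMAC-SHA256 is XORed over the password, so any
# process or person that holds SERVER_KEY can turn every record back into
# plaintext. This is the property fluffy calls "plaintext-recoverable".
SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumed value for the demo

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def store_reversible(password: str, key: bytes = SERVER_KEY) -> bytes:
    nonce = os.urandom(16)
    pw = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))

def recover_plaintext(record: bytes, key: bytes = SERVER_KEY) -> str:
    # Exactly what a "mail me my password" form or a tech pasting your
    # password into ssh relies on, and what a key holder or intruder gets.
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

# --- Scheme B: one-way storage with salted PBKDF2-HMAC-SHA256.
# The record is enough to *verify* a password but there is no function that
# returns the plaintext, for the operator or for anyone who steals the table.
ITERATIONS = 200_000

def store_hashed(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_hashed(password: str, record: bytes) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    rec_a = store_reversible("correct horse battery staple")
    print("reversible record leaks:", recover_plaintext(rec_a))
    rec_b = store_hashed("correct horse battery staple")
    print("hashed record verifies:", verify_hashed("correct horse battery staple", rec_b))
```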