Dreamhost hacked

JonPorobil
Beat It
Posts: 5682
Joined: Sat Sep 25, 2004 11:45 am
Instruments: Piano, Guitar, Harmonica, Mandolin, Accordion, Bass, lots of VSTs
Recording Method: Cubase 10.5
Submitting as: Jon Eric, Jon Porobil, others
Pronouns: He/Him
Location: Pittsburgh, PA

Dreamhost hacked

Post by JonPorobil »

Dreamhost - the web hosting service used by Song Fight! and various members of this community - has been hacked. Users are urged to change their passwords ASAP.

http://www.dreamhoststatus.com/2012/01/ ... ity-issue/

Hopefully, everyone who needs to know this already does.
"Warren Zevon would be proud." -Reve Mosquito

Stages, an album of about dealing with loss, anxiety, and grieving a difficult year, now available on Bandcamp and all streaming platforms! https://jonporobil.bandcamp.com/album/stages
jb
Hot for Teacher
Posts: 4158
Joined: Sat Sep 25, 2004 10:12 am
Instruments: Guitar, Cello, Keys, Uke, Vox, Perc
Recording Method: Logic X
Submitting as: The John Benjamin Band
Pronouns: he/him
Location: WASHINGTON, DC

Re: Dreamhost hacked

Post by jb »

Yeppers. Yup.
blippity blop ya don’t stop heyyyyyyyyy
Manhattan Glutton
Ice Cream Man
Posts: 1530
Joined: Tue Feb 15, 2005 12:10 pm
Instruments: Angst
Recording Method: REAPER
Location: Madison, WI

Re: Dreamhost hacked

Post by Manhattan Glutton »

And since the dumb fuckers store passwords in plaintext...

Thanks for the heads-up. I did not know.
If I had a dollar for every one of my songs j$ has called a 90s pastiche, I'd have $1 for every song I've written.

Nur Ein Archives | The New Ugly Podcast
Spud
Hot for Teacher
Posts: 4770
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Dreamhost hacked

Post by Spud »

Manhattan Glutton wrote:And since the dumb fuckers store passwords in plaintext...
Do you know that, or just assuming? Just wondering...
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
Billy's Little Trip
Odie
Posts: 12090
Joined: Mon Nov 13, 2006 2:56 pm
Instruments: Guitar, Bass, Vocals, Drums, Skin Flute
Recording Method: analog to digital via Presonus FireBox, Cubase and a porn machine
Submitting as: Billy's Little Trip, Billy and the Psychotics
Location: Cali fucking ornia

Re: Dreamhost hacked

Post by Billy's Little Trip »

MG is the hacker. I knew he was a shenaniganist.

...for the record. shenaniganist ~BLT 2012
fluffy
Eruption
Posts: 11028
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Dreamhost hacked

Post by fluffy »

I don't know if the passwords are stored in plaintext but they are plaintext-recoverable, which means that anything that has access to their decryption key has plaintext access to them. (And plaintext-recoverable by email is yet another hacking vector.)
Manhattan Glutton
Ice Cream Man
Posts: 1530
Joined: Tue Feb 15, 2005 12:10 pm
Instruments: Angst
Recording Method: REAPER
Location: Madison, WI

Re: Dreamhost hacked

Post by Manhattan Glutton »

Spud wrote:Do you know that, or just assuming? Just wondering...
What fluffy said. Use the password recovery form sometime - it emails you your password in plaintext.
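Added example, not code from this thread or from Dreamhost: the difference fluffy and Manhattan Glutton are pointing at is "plaintext-recoverable" versus one-way storage. The first class below is a toy stand-in for any reversible scheme (the HMAC-derived keystream is an assumption for illustration, not a real cipher and not what any host uses); its whole problem is that recover() exists, so the recovery e-mail, a support tech, or anything that gets the server key gets every password back. The second class stores a salted PBKDF2 digest and replaces "email me my password" with a short-lived, single-use reset token whose own hash is all that is stored. Class and method names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import time


# ---- The pattern the thread describes: reversible ("encrypted") storage ----
# Toy stand-in (NOT a real cipher): password XORed with an HMAC-derived
# keystream under one server-wide key. The cipher is not the point; the point
# is that recover() exists at all, so whoever holds server_key (the password
# recovery form, a support tech pasting it into ssh, malware on the box that
# holds the key) gets every plaintext back.
class ReversibleStore:
    def __init__(self, server_key: bytes):
        self.server_key = server_key
        self.rows = {}  # user -> (nonce, ciphertext)

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(self.server_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def store(self, user: str, password: str) -> None:
        nonce, pw = os.urandom(16), password.encode()
        ks = self._keystream(nonce, len(pw))
        self.rows[user] = (nonce, bytes(a ^ b for a, b in zip(pw, ks)))

    def recover(self, user: str) -> str:
        nonce, ct = self.rows[user]
        ks = self._keystream(nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks)).decode()

    def verify(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.recover(user).encode(), password.encode())


# ---- What a host should do instead: salted, slow, one-way ----
class HashedStore:
    ITER = 100_000  # PBKDF2 work factor; tune upward for production hardware

    def __init__(self):
        self.rows = {}          # user -> (salt, pbkdf2 digest)
        self.reset_tokens = {}  # user -> (sha256(token), expiry timestamp)

    def store(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITER)
        self.rows[user] = (salt, digest)

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.rows[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITER)
        return hmac.compare_digest(digest, candidate)

    # Deliberately no recover(): nothing in the system can produce the plaintext.
    # "Forgot password" becomes a short-lived, single-use token that lets the
    # user set a NEW password. Only the token's hash is stored, so a dump of
    # this table yields neither passwords nor usable reset links.
    def issue_reset_token(self, user: str, ttl: int = 900, now=None) -> str:
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.reset_tokens[user] = (hashlib.sha256(token.encode()).digest(), now + ttl)
        return token  # this goes in the e-mail, instead of the password

    def reset_password(self, user: str, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.reset_tokens.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, presented):
            return False
        del self.reset_tokens[user]  # single use
        self.store(user, new_password)
        return True
```

Verification works identically from the outside for both stores; only the reversible one can answer "what is this user's password", which is exactly the capability the recovery form and the support workflow depend on.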
fluffy
Eruption
Posts: 11028
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Dreamhost hacked

Post by fluffy »

Incidentally, I got in a debate with the Dreamhost folks about this recently, because it turns out that it's not just for recovery, but for how they diagnose account problems. Rather than logging in as an admin and doing a 'sudo -u username' thing they actually decrypt your password from the database and copy-paste it into their ssh session, which is ridiculous and opens up even more possibilities for malware-as-attack-vector if they ever have to diagnose your account for some reason.

So, it's best to just set your Dreamhost password to something that is truly unique from anywhere else (maybe even randomize it completely once a week?) and not even use that password to login - use .ssh/authorized_keys instead. (if you know wtf that means.) I use authorized_keys anyway because it's easier for me to deal with AND more secure, and also makes it easy for people to grant and revoke access to each other without sharing a common password (it's how we're finally set up on the Song Fight shell account now) but really, there's no excuse for them to make this necessary.
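Added example, not code from this thread or from the Song Fight shell account setup: a small tool for the per-person authorized_keys workflow fluffy describes, where each person has their own key, access is granted by appending a key and revoked by deleting it, and no password is ever shared or rotated. Assumptions: the key material (the base64 blob) is the identity and the comment is only a label; fingerprints use the SHA256 format that `ssh-keygen -lf` prints; the file is written atomically with mode 0600 because sshd with StrictModes (the default) ignores a group- or world-writable file. The key blobs produced by fake_ed25519_line are correctly framed but filled with junk, constructed for the demo and not real keys; function names are hypothetical.

```python
import base64
import hashlib
import os
import tempfile
from dataclasses import dataclass

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


@dataclass
class AuthorizedKey:
    options: str    # e.g. 'restrict,from="203.0.113.4"' or "" when absent
    keytype: str
    blob_b64: str   # base64 public-key blob: the part that identifies the key
    comment: str    # free-form label, typically user@host

    def fingerprint(self) -> str:
        # Same shape as `ssh-keygen -lf`: SHA256 of the decoded blob, base64, no '='.
        digest = hashlib.sha256(base64.b64decode(self.blob_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def line(self) -> str:
        return " ".join(p for p in (self.options, self.keytype, self.blob_b64, self.comment) if p)


def _tokens(line: str) -> list:
    """Split on whitespace, but not inside double quotes (options like command="ls -l")."""
    out, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line: str):
    """One authorized_keys line -> AuthorizedKey, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = _tokens(line)
    for i, t in enumerate(toks):  # everything before the key type is options
        if t in KEY_TYPES and i + 1 < len(toks):
            return AuthorizedKey(" ".join(toks[:i]), t, toks[i + 1], " ".join(toks[i + 2:]))
    raise ValueError(f"not an authorized_keys entry: {line!r}")


def load(text: str) -> list:
    return [k for k in (parse_line(ln) for ln in text.splitlines()) if k]


def grant(keys: list, new_key: AuthorizedKey) -> bool:
    """Append a key unless the same key material is already present (labels may differ)."""
    if any(k.blob_b64 == new_key.blob_b64 for k in keys):
        return False
    keys.append(new_key)
    return True


def revoke(keys: list, ident: str) -> int:
    """Remove every entry whose fingerprint or comment equals ident; returns how many went."""
    if not ident:
        return 0
    before = len(keys)
    keys[:] = [k for k in keys if ident not in (k.fingerprint(), k.comment)]
    return before - len(keys)


def save(path: str, keys: list) -> None:
    """Write a fresh file with 0600 perms and rename it into place, so sshd never sees a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write("".join(k.line() + "\n" for k in keys))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def save_and_reload(keys: list) -> list:
    """Round-trip through a temporary directory; returns what load() reads back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        save(path, keys)
        with open(path) as f:
            return load(f.read())


def fake_ed25519_line(seed: str, comment: str, options: str = "") -> str:
    """CONSTRUCTED demo data: a correctly framed ssh-ed25519 blob around 32 junk bytes. Not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed.encode()).digest()
    return AuthorizedKey(options, "ssh-ed25519", base64.b64encode(blob).decode(), comment).line()
```

Revoking by fingerprint rather than by comment is the safer habit, since a comment is whatever the key's owner typed into ssh-keygen and can collide or be blank.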