Shortly after the incident took place, the company’s representatives came forward with a statement admitting that their systems had been penetrated.
A few hours later, almost everything had been restored to normal and the site’s owners could estimate the damage. According to Matt Pugh, WHMCS founder and lead developer, the passwords are “stored in hash format” so they’re safe, but the credit card information may be at risk, along with the contents of all the recently submitted tickets.
The company has also learned that the breach is a result of a social engineering attack. “Following an initial investigation I can report that what occurred today was the result of a social engineering attack. The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions,” Pugh explained. “And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details. This means that there was no actual hacking of our server. They were ultimately given the access details.”
On the other hand, the hackers told Softpedia that the passwords could be easily decrypted. They claim that they gained access by combining “social engineering and injections.”
Apparently, the company became a target after the hacktivists learned that it offered its services to cybercriminals and fraudsters. “Many websites use WHMCS to scam and rip people off. For example: Users from ‘hackforums.net’ are using WHMCS to sell illegal hosting, booters, malware, etc,” a member of UGNazi explained. “We have reported these sites to WHMCS before and they did not take any action whatsoever to stop the illegal activity. By releasing their files, we wanted to make it known that we are watching; and will continue to be watching.”