Softaculous Security Incident
-
Tuesday, 9th August, 2022
-
14:57pm
Good afternoon,
In an effort to maintain transparency, we have been alerted by one of our software vendors, Sofaculous, that they experienced a security breach. No NodeSpace customer data, usernames, or passwords were compromised in this breach.
We have initiated extra monitoring of our systems that Softaculous at any point had access to, and as a precaution, rotated server root passwords.
Once again, I'd like to repeat and stress, no NodeSpace customer data, usernames, or passwords were compromised.
If you have any questions, please feel free to contact us or ask on our community forums.
Regards,
Travis Newton
Founder/Owner
Original email notification from Softaculous:
Salutations,
We are writing this email to inform you about a security breach in our infrastructure.
- We have detected an unauthorised access to some of our mirror servers.
- We have taken immediate steps to move and secure our infrastructure, isolate and protect customer data and engage with third party experts. While doing so customers had experienced some downtime from our websites and servers.
- None of our customers servers are impacted in this incident. Our server software products Softaculous, Virtualizor and Webuzo v3 are audited regularly by 3rd party auditors and security experts with each new version launched. We have also initiated an additional audit of all our software.
- These servers hosted the customers name, address, license information and hashed passwords of customer accounts who license our software (with individual salts per user for encryption). No credit card information was stored on these servers.
- We store the account's password in an encrypted format with a unique salt per user which would be infeasible for anyone to derive your original password from. Hashed passwords are secure, but we recommend you change your account's password and will be setting an expiry on existing passwords. When you reset your password, please use a strong and unique password.
- As an added precautionary measure we recommend customers take immediate action on their own infrastructure and reset any credentials or authentication details that have been shared with our support team while our security team and third party experts continue to assess the nature of this issue.
- API keys of NOC users (if any) which are used to purchase/renew/cancel licenses will be restricted to be accessed by 1 IP only and will expire on 15th August 2022 to avoid any possible license manipulation. You can login to your NOC account and generate new API keys to continue using the NOC API using API Key based authentication.
- We have taken several steps to improve the security of our infrastructure and our customer base at large.
- We apologize and reassure you that security of our software and infrastructure and our customers data is very important and will continue to be a priority for everyone at our company.
If you have concerns, you are welcome to get in touch with us at [email protected]
Sincerely,
The Softaculous Team