Hostus customers started receiving this email yesterday.  I got mine today:

We regret to inform you about a security breach that has happened with our WHMCS client billing system (my.hostus.us) caused by a recent security vulnerability identified in our WHMCS theme Lagom Client Theme, which has led to unauthorised access to our WHMCS database by a hacker. We must acknowledge the possibility that the data accessed during this breach could potentially be misused. We cannot guarantee with absolute certainty that the data that was accessed will remain secure. Therefore, we urge you to implement all necessary precautions to protect your account, services and systems.

If your service (VPS, Shared hosting etc) account password was not changed from the original password that the service was set up with please change it immediately. Please also change your HostUS Customer account password via my.hostus.us We sincerely apologise for any inconvenience this may have caused. Please understand that we are doing everything within our power to assist and support you during this time.

We are currently producing a full transparency report to provide to our customers. It’s with great sadness that this has happened. It’s with great sadness that I send you this email, please be assured we are doing everything in our power with this situation.

You’d think that for $149 per domain, RS Studio could afford a security audit.

I am not a Hostus customer at present but tried them a few times in the past and generally had a good experience.  A shame this happened to @AlexanderM’s company.  They’ve been active in our community for a long time and have earned a good reputation.

And it seems that they are acting out of an abundance of caution, which is a very responsible approach.  RS explains the issue:

About the Security Issue

The issue pertains to a specific function that allowed customers to upload image files (PNG, JPG, SVG, and GIF) when logged into the WHMCS client area. This function used PHP MIME type checks to ensure only these image formats could be uploaded. However, we have discovered that the MIME function’s security measures are not entirely foolproof.

It has come to our attention that skilled hackers could exploit this function. They could bypass the intended restrictions by executing a particular URL, allowing them to upload a PHP file. This vulnerability poses a significant security risk.

We want to assure you that this function was never utilized in the Lagom Client Theme. As a precautionary measure, we have completely removed this function from the addon files to eliminate any potential risk.

Amusingly, googling for “Lagom WHMCS hack” leads to a WHT thread, which points to LowEndTalk for more information.

BTW, I picked the image for this article because it looks like a Nazgûl hacking someone’s web site, and that amused me.

• Author
• Recent Posts

raindog308

Dread Lord of LowEnd Content at LowEndBox

I'm raindog308, techno polymath and long-time LowEndTalk community Administrator. My technical interests include all things Unix, perl, python, golang, shell scripting, vintage operating systems such as MVS, and relational database systems such as Oracle, PostgreSQL, and MySQL.

I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.

I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308

Latest posts by raindog308 (see all)

• Level Up Your Marketing and Social Media with These FREE Courses on Udemy! - April 26, 2024
• FLASH SALE: Cheap cPanel Shared Hosting from eWallHost for $7.97/YEAR! - April 24, 2024
• Should You Change Your Windows RDP Port?Yes. - April 23, 2024