LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

WHMCS Hacked, Client data leaked online

WHMCS is a popular billing software used by most of the small to medium scale hosting companies. The intruder gained access to the servers using “social engineering attack”. There are approx half a million (500,000) user records with Credit Card info leaked online.

“Following an initial investigation I can report that what occurred today was the result of a social engineering attack. The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions, And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details. This means that there was no actual hacking of our server. They were ultimately given the access details.” Matt Pugh explained.

It is also worth mentioning that the WHMCS twitter account was also taken over by the hackers.

It is rumoured and believed that Matt’s email account was hacked and hence the hackers gained access to the server details and the Twitter account at the same time. Nothing has been done so far to get the twitter account back, although WHMCS is back online after being hacked and defaced with a DDoS attack.

Hackers told Softpedia that they can easily decrypt password and they gained access to the servers using “social engineering and injections”.

It is advised that all companies using WHMCS installations should either bring it offline or protect their /admin/ folder by configuring IPs (this MAY save your WHMCS installation IF it there is still a vulnerability in WHMCS as the hackers stated earlier)

You can follow the LowEndTalk.com thread for latest info and discussion.


  1. Frank:

    Dammit. Weren’t we just complaining about the raw passwords in the database? As much as I hate paypal, this is exactly why I wouldn’t give these VPS companies access to my raw credit card info.

    Fortunately, paranoid me, has already changed most of my passwords that were (stupidly) shared with my VPS passwords. I know, I know. We shouldn’t share passwords.

    May 30, 2012 @ 6:34 am | Reply
  2. BronzeByte:

    I decided to make my own simular solution to WHMCS because it couldn’t provide us what we needed.
    Now I am glad I am doing so because of all vulnerabilities in it!
    PHP is an unsafe, bad performance scripting language, I took my hands of it

    June 2, 2012 @ 11:34 pm | Reply

      I don’t think PHP is unsafe and having bad performance for web environment. Safety and performance depend upon your skills of coding.

      June 3, 2012 @ 6:27 am | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *