Nearly a week ago, a malicious person or group of persons hacked into DreamHost, the company I use as a web host. The passwords for over 3,500 FTP accounts were compromised, and some customers found unauthorized changes to files or directories. My account was among those that got hacked, and the experience has made me a better computer user.
Having a password stolen is frightening enough, but my situation was nearly a worst case scenario. When I originally set up my user account with DreamHost, I naturally provided the password to be used with that account. This user account granted me access to the DreamHost web panel, FTP uploads, and access to the web server's shell (via either telnet or ssh). When I later set up an email account, I chose to use this same account out of sheer convenience. I made a likewise decision for access to my web server logs. So, in short, one username and password provided me access to five areas:
- The DreamHost Web Panel
- My web storage (via FTP)
- My web server home directory (via telnet or ssh)
- My primary email address
- My server logs
Do you see the problem here?
As soon as I got the email that my FTP password had been compromised, I realized how slack I had been about security and panicked. Thankfully, none of my files or databases were corrupted (though I'm still taking a look through everything). I have since changed all of my passwords, and they now all differ from one another, something I should have done from day one.
I try to be as security conscious as possible, but I really dropped the ball in this area, mostly for convenience's sake. This is the first time I have been 'hacked' like this, and I'm actually glad it happened. The experience has motivated me to be more secure in my password handling.
Lots of people are jumping ship as a result of this, but doing so seems premature to me. The folks at DreamHost are being open and honest about the problem, and I really appreciate that. Any company that steps up and says "we made a mistake and we're trying to prevent it from happening again" is worth sticking with. At the very least, I've learned a much needed lesson.
I forgot to mention that other web hosts were also hit by this attack (according to this post), so it wasn't solely a DreamHost issue.