We are writing to inform you that we have reason to believe some systems may have been compromised.
The basis of this belief is that two customers reported products being ordered for their accounts that were not placed by themselves yesterday (15th April 2014). We currently believe this was done with access to their account passwords. Whilst we cannot be sure our customer systems haven't been compromised, we want to ensure that we have taken every action to ensure our systems are secure.
We are currently investigating the issue but have immediately taken the following actions:
1) Taken our management platform offline
2) Requiring all our customers change their password
3) Security phrases will be changed
As part of the Heartbleed issue, we recommend you change all other OpenITC passwords (e.g. root passwords for VPS, dedicated servers, etc) at a minimum. Although not related to us, you should reset all your passwords on all systems you use over the Internet for peace of mind. This is especially true if you re-use your passwords across different sites.
We are still early in our investigations but beyond these random orders being placed, we have no further evidence of ill intent.
We do not have any further information at this time and will be unable to comment further until we have concluded our investigation at which point we will send out another e-mail.
As the management platform is offline, the VPS control panel will also be offline. This will remain the case for at least the remainder of the day. We apologise for the inconvenience.
We would like to take this opportunity to remind customers about how your private data is stored:
a) Authentication details for our management platform at clients.openitc.co.uk are stored with a unique random (per account) salt and hashed (multiple rounds).
b) All data stored on clients.openitc.co.uk resides on fully encrypted hard drives.
c) Physical access to clients.openitc.co.uk is secured.
d) Administrative access to clients.openitc.co.uk is restricted by strong passwords and very narrow IP access lists.
16 Apr 2014