OpenITC security breach


This noon I received an email regarding the OpenITC security breach, as below:

Dear Erawan,
We are writing to inform you that we have reason to believe some systems may have been compromised.
The basis of this belief is that two customers reported products being ordered for their accounts that were not placed by themselves yesterday (15th April 2014). We currently believe this was done with access to their account passwords. Whilst we cannot be sure our customer systems haven't been compromised, we want to ensure that we have taken every action to ensure our systems are secure.
We are currently investigating the issue but have immediately taken the following actions:
1) Taken our management platform offline
2) Requiring all our customers change their password
3) Security phrases will be changed
As part of the Heartbleed issue, we recommend you change all other OpenITC passwords (e.g. root passwords for VPS, dedicated servers, etc) at a minimum. Although not related to us, you should reset all your passwords on all systems you use over the Internet for peace of mind. This is especially true if you re-use your passwords across different sites.
We are still early in our investigations but beyond these random orders being placed, we have no further evidence of ill intent.
We do not have any further information at this time and will be unable to comment further until we have concluded our investigation at which point we will send out another e-mail.
As the management platform is offline, the VPS control panel will also be offline. This will remain the case for at least the remainder of the day. We apologise for the inconvenience.
We would like to take this opportunity to remind customers about how your private data is stored:
a) Authentication details for our management platform at are stored with a unique random (per account) salt and hashed (multiple rounds).
b) All data stored on resides on fully encrypted hard drives.
c) Physical access to is secured.
d) Administrative access to is restricted by strong passwords and very narrow IP access lists.
*** This e-mail has been sent to you as a subscriber of our ANNOUNCEMENTS mailing list. You may alter your communication preferences at any time from within our Client Portal. ***
16 Apr 2014
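Point (a) of the email describes the password storage scheme: a unique random salt per account and a hash iterated over multiple rounds. The block below is an added example of that technique, not OpenITC's code; the email names no hash function, salt length or round count, so PBKDF2-HMAC-SHA256 with a 16-byte salt and 200,000 rounds are assumptions chosen here. An unsalted single-round SHA-1 helper is included only as the weak form to contrast against.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for illustration only; the OpenITC email does not
# state its hash function, salt size or round count.
HASH_NAME = "sha256"
SALT_BYTES = 16
ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> str:
    """Return a self-describing record "pbkdf2_sha256$rounds$salt$digest".

    A fresh random salt is drawn for every account, so two accounts that share
    a password get different records, and a precomputed table built against
    one leaked record is useless against the others.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_{HASH_NAME}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and round count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, rounds_s, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
        rounds = int(rounds_s)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algo != f"pbkdf2_{HASH_NAME}" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, stored)


def unsalted_sha1(password: str) -> str:
    """The weak form for contrast: no salt, one round. Identical passwords
    collide across accounts and one rainbow table cracks all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec_a = hash_password("correct horse")
    rec_b = hash_password("correct horse")
    print("distinct records for the same password:", rec_a != rec_b)
    print("correct password verifies:", verify_password("correct horse", rec_a))
    print("wrong password rejected:", verify_password("wrong", rec_a))
    print("unsalted digests collide:", unsalted_sha1("correct horse") == unsalted_sha1("correct horse"))
```

Storing the round count inside the record is what lets an operator raise it later and re-hash each account on its next successful login, without a flag day; the verifier always reads the parameters it needs from the record rather than from a global.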

Possibly caused by the Heartbleed bug, which might have been discovered before the announcement a few days ago and used to gather some critical data. Before they sent me this email, I had already changed most of my passwords on many websites.