Two days ago, in an extraordinary attempt to regain control over their security, Fasthosts Internet changed the account passwords for an unknown but significant number of their customers with no prior warning, and 24 hours later had still not reported the new passwords to the account holders affected.

At the same time FTP, SSH, and Database passwords were changed.  Any websites that were running against a database, such as small online shops, blogs or content managed sites were instantly broken.  With no access to their accounts, customers are unable to restore service on their websites. Fasthosts say that they will send out new passwords in the post, but have not given any public assurance of when this will happen.

Given that Fasthosts insist that you register your account with an email address that is not hosted on Fasthosts servers, supposedly for this very reason, customers are left wondering why Fasthosts have decided to send out passwords by post.

One rumour circulating suggests that 73% of customers are affected.  Another that thousands of sites are either down, or not available for the owner to make updates via FTP.  The story was first reported on The Register, with comments that reflect the strength of feeling against this move.

Fasthosts claim this move was unavoidable since the FTP and other passwords were compromised after an attack in October.  They have also stated that only a small number of accounts have been affected, those that did not change their passwords after an email recommending users to reset their passwords after the original attack.

In the month between that warning email and yesterday's unfortunate events, no statement from Fasthosts suggested that passwords would be forcibly changed with or without notice if they were not changed by the users concerned.  By taking this action, no consideration was given to those companies who were in the process of planning a firmwide password change with the minimum of impact, or those who were simply not available to respond, perhaps away on vacation when the first attack occurred.

It has also been reported that account owners who had already changed their passwords after the original attack also had them forcibly changed.  When Fasthosts or any third party claim that customers should have changed their password after the October breach, this does not explain why those that did are still affected.  In any case, Fasthosts had nearly 6 weeks to plan the password change, send out letters in advance providing new password details and give a date when this would take effect.

Fasthosts initiated this on Thursday night, and by all reports have not been able to send out new passwords by post yesterday (Friday).  This means many people will not receive their new passwords until at least Tuesday/Wednesday next week.  This amounts to a full week of lost business for any online shop or order-taking business hosting on Fasthosts servers.

The Customer Service telephone number is permanently engaged, and the technical support lines are offering queueing times of over two hours. (“You are at queue position 54”)

The original security breach mentioned compromised credit cards along with passwords, but no official warning about each customer's credit card details has been issued.  All public comments from Fasthosts have referred to their security being complete, effective and reliable.

This company simply does not care about their customers.  Thousands of transfer requests have been registered in the last 24 hours for competitors to take ownership of domains hosted on Fasthosts.  If you have critical business processes running on this platform, take great care to back them up.  The Government will not step in on this one, this is no Northern Rock.

For me, this is the last in a list of relentless disappointments provided to me as part of my Fasthosts package.  As a result of the actions over the last 24 hours, I have decided to go back through my notes from the last couple of years and document on this site some of the experiences I have had with this company.

If you have any stories or experiences about what has happened in your own relationship with Fasthosts, post them here as comments.

More importantly, if you have successfully moved away from Fasthosts, and are now happy with your new host, please post their details here.  I’ll be building a list of alternatives and some guides to moving away from FH over the next week or two.

Personally I am considering (among others) Heart Internet, DonHost, and if any of you would like to get together with me, even a Rackspace Dedicated Server or some co-located kit in Telehouse, Docklands.  I’ll investigate all of these and post my findings here.

 ** UPDATE **  Some customers have reported that they have been given access to their control panels OVER THE PHONE after simple identity checks, so don’t take no for an answer, insist on access to your account today.

24 Responses to “Merry Christmas from Fasthosts”

  1. Danny Scott Says:

    Over an hour on hold to be told that there was no way they would give me access to the account I pay for, until I had received my postal password. Unreal!!

    Good for you for starting this blog. As soon as the post comes, I’m transferring away as fast as I possibly can.

    The only thing I have to worry about is my Exchange mailboxes - that will be a pain to move, but not as painful as staying.

  2. Anony Mouse Says:

    If I had the cash, I’d move to Rackspace so if you know anyone who would like to join together, let me know.

    I have about 200 domains resold with Fasthosts, half of which are database connected. From simple blogs to online shops, my voicemail and email is packed with complaints and there is nothing I can do. What really has me screwed is that I sent out invoices by email on the same day, hours before the sites were taken offline. I doubt many of these will be paid.

    A Merry Christmas indeed.

  3. Simon Says:

    I wonder how long it will be before the post is sent out. They have claimed that only “a few” customers are affected, so only “a few” letters then. I am sure these will all arrive by Monday AM…

    Hey, since it was their fault that passwords were lost in the first place, maybe they’ll pay for fast delivery of those “few” letters - what do you think?

  4. Evil Fasthosts Says:

    You were all told to change your passwords in October, if you didn’t, it’s your fault.

    In any case, if you are running a critical business or website on a Fasthosts service, you must be plain dumb. You don’t pay peanuts for a business critical service, then complain when it goes tits up!

    Serves you all right.

  5. no2fasthosts Says:

    Mr ‘Evil’, (nice name by the way - we like that)

    Three points to put you back on track:

    1) This policy has also been applied to many people who “did” change their passwords in October.

    2) Fasthosts resellers with hundreds of customers will find it impossible to change all these passwords by notifying the customers, then supporting those customers throughout the change. Many of the resellers were working through their customer lists since October. Bear in mind they have to do that for free, when it was Fasthosts that caused the original problem by storing data such as passwords and credit cards in plain text files.

    3) Most businesses have no experience of what to expect from Internet suppliers. The quality of Fasthosts marketing and apparent quality of product have made them the largest Windows web host in the UK. For this reason most people believe the low price reflects the large volumes they manage, like in all businesses, and not that they are providing sub-standard hosting. As it happens, I don’t agree with your opinion on the standard of their hosting, they are not the best by a long shot, but they were definitely not the worst until last Thursday.

  6. John@SWM Says:

    Quite astonishingly inept of Fasthosts. Here’s the thing; Fasthosts deal with people via email, not post. I quite like that; communication is instant and free. So why, at this time of year when Royal Mail is busy as you like, did they suddenly decide that posting to addresses (which may or may not be current) was the appropriate thing to do?

    The way I see it, they are worried that a hacker has a list of other users’ passwords from their first attack. So? Email the new passwords concurrently with changing them and then even if a hacker has access to a customer email then they’ll only have access to that account, right? Meanwhile, the most important thing could be achieved, namely that the systems remain UP!

    Really, to email users new passwords has got to be quicker than stuffing envelopes and actually more likely to reach the intended recipient.

    Finally, are Fasthosts systems so insecure that a single hacker hacking someone’s email can wreak havoc? Because for a few quid a would-be hacker can simply buy a domain…

    I don’t know who set this site up but thanks! It’s nice to vent steam.

  7. no2fasthosts Says:

    Absolutely, in fact why not just email a one time password for the account, and force the customer to change their password on login.

    Then the customer can change their FTP/SQL passwords themselves. Then the customer would not feel so bad about their FTP/SQL passwords having been changed since they would have the ability to fix their sites.

    FH have really shot themselves in the foot over this.

  8. Gareth Harvey Says:

    They are a disaster, we have seen the service go from bad to disastrous over the past few months. We offer an XML feed from our programme to many ‘high performing’ affiliates, all of which are pretty p****d off at this moment.

    I registered a new dedicated server with UKfast on Friday based on the fact that you can speak with an operator within 3 rings.

    Not cheap, but if you run a successful business, good reliable hosting is essential.

  9. John@SWM Says:

    Quite so. My site was pole-axed by the SQL password change. Had they just changed the Admin, or even the ftp as well, my site would still be up and running. It’s sooo annoying - I could have it up and flying in seconds, IF I had the password.

  10. J Says:

    Monday 3rd - Farcehosts cut phone lines …

    I didn’t change all the passwords - silly me - I have to go and do it now — ooops, I can’t. Waiting for the mail every day. Maybe it will be sent out second class (Normal service for fasthosts) not first class. Let the customer suffer.

    All my 47 accounts will be moved to somewhere else - even if I have to pay more.

    BUT - It IS all my fault…… You get what you pay for. Or in some cases not even that. Buyer beware ….. Look long and hard at which company you want to invest your, or your clients’ money in.

    JUST NOT Fasthosts.

  11. Brian Says:

    Well hats off to Fasthosts.

    Who on Earth made the decision to Change passwords on a Thursday Evening! Without passwords in the post?

    The Norfolk Broads Forum was pole axed also, as they changed the SQL database password!!! No Forum running.
    Until one password needs to be edited in the Config.php

    It’s a 30-second job. I’m so annoyed!

  12. Neil Says:

    Well folks, I got my password through the post today, didn’t work so I had to log in with original password and then change to new one. Now my web server is stopped and I cannot restart it, tried SSH also but to no avail. On the plus side my email still works but am losing revenue every day from Google Ads which does pay well, also cannot access my UKReg account and cannot get a password reminder sent as “that service is not currently available”. So tried ringing… “you are in a queue, number 51”, more like Area 51. No wonder the founder sold out last summer! Time to move methinks.

  13. Daniel Says:

    In going to the expense of using Royal Mail to notify their customers of new passwords Fasthosts are publicly declaring a Vote of no confidence in the security of their own eMail Servers.

    Furthermore, by not notifying their customers of the security breach and sending out eMails requesting a password change it has left hundreds of customers potentially at risk if their data has been stolen as the attacker will now be in possession of potentially hundreds of people’s details and their passwords to their computer systems.

  14. Noel Says:

    Here I sit wasting my Wednesday night at queue position 34 reading emails that insist I have to change my password in seven days or face certain death.

    I would happily log in to change it if I knew what my password was. I used to know my password but Fasthosts chose to change it for me.

    Incompetent idiots!

    Anyone going from London to Gloucester? I am tempted to sit in reception, it may be quicker than the phone.

  15. no2fasthosts Says:

    To Noel,

    Persist mate - you will get through in the end, and they have now backed down a little and are giving out passwords over the phone.

    If it’s any consolation, we have been working almost 24/7 since Friday trying to solve our own problems.

    Good Luck Mate.

  16. Daniel Says:

    Nice of you all to give them an early Christmas bonus by hanging onto a premium rate line. I’ve started my own blog about this at http://solar101.blogspot.com still no passwords received and I’ve taken the liberty of posting it to the hacker community so they can see how Fasthosts treat its customers.. This is not the work of a hacker, it’s the work of a cracker; there’s a big difference!

  17. Paul Ripley Says:

    Having used Fasthosts service I have experienced ignorance and stupidity of monolithic proportions, as well as daylight robbery. Please let me explain.

    1) Firstly, they debited my card without my permission for the renewal of 3 domain names I no longer needed. Having contacted them (after waiting an hour to get through on an 0870 number which they make money out of) they advised that there was nothing they could do as the payment had already been taken, and they couldn’t or rather wouldn’t refund it. They also stated it was my fault I didn’t read the small print and payment is automatically taken. Actually, there was no small print - I was a UKREG customer and Fasthosts took over UKREG and changed their procedures without telling their customers. Nice.

    2) In the same week, they email ALL of their customers stating that due to their servers being hacked they would have to *post* all the new passwords out to customers. I have not received the letter, cannot login to my account to change anything, and so am left high and dry. I have customers screaming at me to update web sites etc and there is nothing I can do. If you use their password reminder a page tells you it is down due to this event. If you try calling them, the phones are so busy you get a network busy tone on all their lines. When I tried earlier in the week, I did get through but was told by an automated voice I was at queue 86! I didn’t wait.

    Never in all my life have I EVER experienced such mind-numbing stupidity from a company with nothing but total contempt for its customers. This rather begs the question - is this why they were hacked in the first place? I have about 20 domains with them. I’d love to transfer them all away, but because I can’t login I’m stuck with them. Oh, and they still have my credit card details to plunder at their every whim. I urge you to warn all your readers of the vile service to expect from Fasthosts.

  18. Martin Says:

    Since I only use UKReg(Fasthosts) as registrar for a couple of my domains my problems pale into insignificance. However, I was considering moving my email and web sites to them. They’ve blown that now.
    I was in the midst of moving ISP and needed access to my control panel to change redirection etc. Luckily I just managed to put that on hold. Meanwhile, nothing in the post, no reply to email, number 58 on the hold queue. What incompetent bunglers they are…
    That’s better - thanks for this place to let off steam.

  19. Anon. Says:

    You may not be aware that only .co.uk domains can be transferred out within 24 hours.

    Most other TLDs such as .com/.net take up to 60 days to transfer. This is standard industry policy and not a Fasthosts specific thing.

    However, this means that from 5th February, the numbers of domains registered with UKReg/Fasthosts is likely to change dramatically. I wonder what incentives Fasthosts will issue during the next 60 days? Perhaps guaranteed respect and cheerfulness on the Technical Support lines.

  20. stuart Says:

    I got a new password through the post - it does not work.

    I called them in the week to sort it out, was on hold for an hour, and the lady was very rude to me.

    To be fair this is not the first time I had problems with fasthost. My account’s been used to spam people. Also have email going missing, all sorts of problems. I think it’s time to move on!

  21. philip van zyl Says:

    I recently cancelled my dedicated server service at Fasthosts because of a truly unbelievable lack of support when something went wrong.

    In a nutshell, the server began refusing connection to our various domains. We would reset the box and it would reestablish connection for a few minutes and then lose connection again. It had us stumped.

    Sent urgent emails. In a nutshell, between 21 Dec 2007 and when we cancelled on Jan 15 we had one email response from them that they had investigated something completely different!?! There were periods of up to nine days when we would hear nothing from them. And finally we were in the engineering queue for 11 DAYS.

    Um…our business is based in South Africa and I have thought that the “leading” hoster in the UK might have some kind of support service in place. Wrong.

    I sent a mail to “escalations” and got a curt mail back saying that they didn’t know what my problem was but that they could get an engineer to look at it ??? and that was from Stuart Brereton, apparently the support “team leader”. I have waited 8 days for a response to my subsequent mail.

    If our business wasn’t server based I would have had more of a sense of humour about this all. Needless to say we’ve moved our services along.

  22. Balinder S WALIA Says:

    In a bit of excitement I started a reseller account with FASTHOST to try their API to integrate with my website, as I wanted to resell domains, DNS, web hosting and email hosting etc., as my website was attracting 1000 unique visitors from the web per day in just the first few months of launch. Anyway, I thought I could resell the FASTHOST products under the umbrella of rootinternet.co.uk. I downloaded the PHP API samples and tried them. First of all, it was painfully slow to access just a few bytes using a SOAP client from FASTHOST servers. I only added one contact record and a few domains to try, and it did work but was too slow. The important part after the domain reg process is to be able to change DNS and name servers etc. But I was not able to change it. There was no documentation or help. I called, but after a frustrated hour-long hold I spoke to somebody who said nobody was available with API expertise: “Can you log a ticket online and somebody will come back in a few days.” I logged a ticket and nobody came back from FASTHOST. All that time spent on this was wasted. I knew ENOM would allow me to resell domains as well, but they asked for money upfront, which I didn’t want to spend. Anyway, back to FASTHOST: I know my other clients are frustrated with FASTHOST and are moving away from them. I have come across many. I got myself a nice API from another vendor and it works like a charm and is making money for me http://hosting.rootinternet.co.uk

  23. Balinder S WALIA Says:

    Another big flaw in the FASTHOST SOAP API is that it charged me for a domain I just wanted to try to see how things worked. Charging me is fine because I registered it, but the domain was actually not even registered at all. So I am thinking I have a good domain name, but after a couple of days I found out that WHOIS shows no record of it. They also charged me £5 per domain to use their API, which is not working properly yet.

  24. Eddie Skelson Says:

    I’ve just spent a day of trying to deal with Fasthosts Dedicated Server Customer Service and Tech Support.

    12 hours later and still no server.

    Add to this that I lost 4 days of service in October (one of my busiest periods) and they have cost me a small fortune.

    Without a single doubt this is not a company to deal with if you are in any way reliant on your servers being down less than a few hours during a breakdown.

    I’ll be moving my operation tomorrow, 9am sharp.
