Merry Christmas from Fasthosts

December 1, 2007

Two days ago, in an extraordinary attempt to regain control over their security, Fasthosts Internet changed the account passwords for an unknown but significant number of their customers with no prior warning, and 24 hours later without having reported the new passwords to the account holders affected.

At the same time FTP, SSH, and Database passwords were changed.  Any websites that were running against a database, such as small online shops, blogs or content managed sites were instantly broken.  With no access to their accounts, customers are unable to restore service on their websites. Fasthosts say that they will send out new passwords in the post, but have not given any public assurance of when this will happen.

Given that Fasthosts insist that you register your account with an email address that is not hosted on Fasthosts servers, supposedly for this very reason, customers are left wondering why Fasthosts have decided to send out passwords by post.

One rumour circulating suggests that 73% of customers are affected.  Another that thousands of sites are either down, or not available for the owner to make updated via FTP.  The story was first reported on The Register, with comments that reflect the strength of feeling against this move.

Fasthosts claim this move was unavoidable since the FTP and other passwords were compromised after an attack in October.  They have also stated that only a small number of accounts have been affected, those that did not change their passwords after an email recommending users to reset their passwords after the original attack.

In the month between that warning email and yesterdays unfortunate events, no statement from Fasthosts suggested that passwords would be forcibly changed with or without notice if they were not changed by the users concerned.  By taking this action, no consideration was given to those companies who were in the process of planning a firmwide password change with the minimum of impact, or those who were simply not available to respond, perhaps away on vacation when the first attack occured.

It has also been reported that accounts owners who have already changed their passwords after the original attack were also forcibly changed.  When Fasthosts or any third party claim that customers should have changed their password after the October breach, this does not explain why those that did are still affected.  In any case, Fasthost had nearly 6 weeks to plan the password change, send out letters in advance providing new password details and give a date when this would take effect.

Fasthosts initiated this on Thursday night, and by all reports have not been able to send out new passwords by post yesterday (Friday).  This means many people will not receive their new passwords until at least Tuesday/Wednesday next week.  This amounts to a full week of lost business for any online shop or order-taking business hosting on Fasthosts servers.

The Customer Service telephone number is permanently engaged, and the technical support lines are offering queueing times of over two hours. (“You are at queue position 54”)

The original security breach mentioned compromised credit cards along with passwords, but no official warning about each customers credit card details has been issued.  All public comments from Fasthosts have referred to their security being complete, effective and reliable.

This company simply does not care about their customers.  Thousands of transfer requests have been registered in the last 24 hours for competitors to take ownership of domains hosted on Fasthosts.  If you have critical business processes running on this platform, take great care to back them up.  The Government will not step in on this one, this is no Northern Rock.

For me, this is the last in a list of relentless disappointments provided to me as part of my Fasthosts package.  As a result of the actions over the last 24 hours, I have decided to go back through my notes from last couple of years and document on this site, some of the experiences I have had with this company.

If you have any stories or experiences about what has happened in your own relationship with Fasthosts, post them here as comments.

More importantly, if you have succesfully moved away from Fasthosts, and are now happy with your new host, please post their details here.  I’ll be building a list of alternatives and some guides to moving away from FH over the next week or two.

Personally I am considering (among others) Heart Internet, DonHost, and if any of you would like to get together with me, even a Rackspace Dedicated Server or some co-located kit in Telehouse, Docklands.  I’ll investigate all of these and post my findings here.

 ** UPDATE **  Some customers have reported that they have been given access to their control panels OVER THE PHONE after simple identity checks, so don’t take no for an answer, insist on access to your account today.


31 Responses to “Merry Christmas from Fasthosts”

  1. Danny Scott Says:

    Over an hour on hold to be told that there was no way they would give me access to the account I pay for, until I had received my postal password. Unreal!!

    Good for you for starting this blog. As soon as the post comes, I’m transferring away as fast as I possibly can.

    The only thing I have to worry about is my Exchange mailboxes – that will be a pain to move, but not as painful as staying.

  2. Anony Mouse Says:

    If I had the cash, I’d move to Rackspace so if you know anyone who would like to join together, let me know.

    I have about 200 domains resold with Fasthosts, half of which are database connected. From simple blogs to online shops, my voicemail and email is packed with complaints and there is nothing I can do. What really has me screwed is that I send out invoices by email on the same day, hours before the sites were taken offline. I doubt many of these will be paid.

    A Merry Christmas indeed.

  3. Simon Says:

    I wonder how long it will be before the post is sent out. They have claimed that only “a few” customers are affected, so only “a few” letters then. I am sure these will all arrive by Monday AM…

    Hey, since it was their fault that password were lost in the first place, maybe they’ll pay for fast delivery of those “few” letters – what do you think?

  4. You were all told to change your passwords in october, if you didn’t, it’s your fault.

    In any case, if you are running a critical business or website on a Fasthosts service, you must be plain dumb. You don’t pay peanuts for a business critical service, then complain when it goes tits up!

    Serves you all right.

  5. no2fasthosts Says:

    Mr ‘Evil’, (nice name by the way – we like that)

    Three points to put you back on track:

    1) This policy has also been applied to many people who “did” change their passwords in October.

    2) Fasthosts resellers with hundreds of customers will find it impossible to change all these passwords by notifying the customers, then supporting those customers throughout the change. Many of the resellers were working through their customer lists since October. Bear in mind they have to do that for free, when it was Fasthosts that caused the original problem by storing data such as passwords and credit cards in plain text files.

    3) Most businesses have no experience of what to expect from Internet suppliers. The quality of Fasthosts marketing and apparent quality of product have made them the largest Windows web host in the UK. For this reason most people believe the low price reflects the large volumes they manage, like in all businesses, and not that they are providing sub-standard hosting. As it happens, I don’t agree with your opinion on the standard of their hosting, they are not the best by a long shot, but they were definitely not the worst until last Thursday.

  6. John@SWM Says:

    Quite astonishingly inept of Fasthosts. Here’s the thing; Fasthosts deal with people via email, not post. I quite like that; communication is instant and free. So why, at this time of year when Royal Mail is busy as you like, did they suddenly decide that posting to addresses (which may or may not be current) was the appropriate thing to do?

    The way I see it, they are worried that a hacker has a list of other user’s passwords from their first attack. So? Email the new passwords concurrently with changing them and then even if a hacker has access to a customer email then they’ll only have access to that account, right? Meanwhile, the most important thing could be achieved, namely that the systems remain UP!

    Really, to email users new passwords has got to be quicker than stuffing envelopes and actually more likely to reach the intended recipient.

    Finally, are Fasthosts systems so insecure that a single hacker hacking someone’s email can wreak havoc? Because for a few quid a would-be hacker can simply buy a domain…

    I don’t know who set this site up but thanks! It’s nice to vent steam.

  7. no2fasthosts Says:

    Absolutely, in fact why not just email a one time password for the account, and force the customer to change their password on login.

    Then the customer can change their FTP/SQL passwords themselves. Then the customer would not feel so bad about their FTP/SQL passwords having being changed since they would have the ability to fix their sites.

    FH have really shot themselves in the foot over this.

  8. They are a disaster, we have seen the service go from bad to disastrous over the past few months. We offer a xml feed from our programme to many ‘high performing’ affiliates, all of which are pretty p****d off at this moment.

    I registered a new dedicated server with UKfast on Friday based on the fact that you can speak with an operator within 3 rings.

    Not cheap, but if you run a successful business, good reliable hosting is essential.

  9. John@SWM Says:

    Quite so. My site was pole-axed by the SQL password change. Had they just changed the Admin, or even the ftp as well, my site would still be up and running. It’s sooo annoying – I could have it up and flying in seconds, IF I had the password.

  10. J Says:

    Monday 3rd – Farcehosts cut phone lines …

    I didnt change all the passwords – silly me – I have to go and do it now — ooops, I cant. Waiting for the mail every day. Maybe it will be set out second class (Normal service for fasthosts) not first class. Let the customer suffer.

    All my 47 accounts will be moved to somewhere else – even if I have to pay more.

    BUT – It IS all my fault…… You get what you pay for. Or in some case not even that. Buyer beware ….. Look long and hard at which company you want to invest your, or your clients money in.

    JUST NOT Fasthosts.

  11. Brian Says:

    Well hats off to Fasthosts.

    Who on Earth made the decision to Change passwords on a Thursday Evening! Without passwords in the post?

    The Norfolk Broads Forum was pole axed also, as they changed the SQL database password!!! No Forum running.
    Until one password needs to be edited in the Config.php

    Its a 30 seconds job. I’m so annoyed !

  12. Neil Says:

    Well folks, I got my password through the post today, didn’t work so I had to log in with original password and then change to new one. Now my web server is stopped and I cannot restart it, tried SSH also but to no avail. On the plus side my email still works but am losing revenue every day from Google Ads which does pay well, also cannot access my UKReg account and cannot get a password reminder sent as “that service is not currently available”. So tried ringing…”you are in a queue, number 51, more like Area 51. No wonder the founder sold out last summer! Time to move methinks

  13. Daniel Says:

    In going to the expence of using Royal Mail to notify their customers of new passwords Fasthosts are publicly declaring a Vote of no confidence in the security of their own eMail Servers.

    Further more by not notifying there customers of the security breach and sending out eMail’s requesting a password change it has left hundreds of customers potentially at risk if their data has been stolen as the attacker will now be in possession of potentially hundereds of peoples details and their passwords to their computer systems.

  14. Noel Says:

    Here i sit wasting my Wednesday night at queue position 34 reading emails that insist I have to change my password in seven days or face certain death.

    I would happily log in to change it if a knew what my password was. I used to know my password but fasthosts chose to change it for me.

    Incompetent idiots!

    Anyone going from London to gloucester? I am tempted to sit in reception it may be quicker than the phone.

  15. no2fasthosts Says:

    To Noel,

    Persist mate – you will get through in the end, and they have now backed down a little and are giving out passwords over the phone.

    If it’s any consolation, we have been working almost 24/7 since Friday trying to solve our own problems.

    Good Luck Mate.

  16. Daniel Says:

    Nice of you all to give them an early Christmas bonus by hanging onto a premium rate line, I’ve started my own blog about this at still no passwords recieved and I’ve taken the liberty of posting it to the hacker community so they can see how fasthosts treat it’s customer’s.. This is not the work of a hacker its the work of a cracker theres a big difference!

  17. Paul Ripley Says:

    Having used Fasthosts service I have experienced ignorance and stupidity of monolithic proportions, as well as daylight robbery. Please let me explain.

    1) Firstly, they debited my card without my permission for the renewal of 3 domain names I no longer needed. Having contacted them (after waiting an hour to get through on an 0870 number which they make money out of) they advised that there was nothing they could do as the payment had already been taken, and they couldn’t or rather wouldn’t refund it. They also stated it was my fault I didn’t read the small print and payment is automatically taken. Actually, there was no small print – I was a UKREG customer and Fasthosts took over UKREG and changed their procedures without telling their customers. Nice.

    2) In the same week, they email ALL of their customers stating that due to their servers being hacked they would have to *post* all the new passwords out to customers. I have not received the letter, cannot login to my account to change anything, and so am left high and dry. I have customers screaming at me to update web sites etc and there is nothing I can do. If you use their password reminder a page tells you it is down due to this event. If you try calling them, the phones are so busy you get a network busy tone on all their lines. When I tried earlier in the week, I did get through but was told by an automated voice I was at que 86! I didn’t wait.

    Never in all my life have I EVER experienced such mind-numbing stupidity from a company with nothing but total contempt for its customers. This rather begs the question – is this why they were hacked in the first place? I have about 20 domains with them. I’d love to transfer them all away, but because I can’t login I’m stuck with them. Oh, and they still have my credit card details to plunder at their every whim. I urge you to warn all your readers of the vile service to expect from Fasthosts.

  18. Martin Says:

    Since I only use UKReg(Fasthosts) as registrar for a couple of my domains my problems pale into insignificance. However, I was considering moving my email and web sites to them. They’ve blown that now.
    I was in the midst of moving ISP and needed access to my control panel to change redirection etc. Luckily I just managed to put that on hold. Meanwhile, nothing in the post, no reply to email, number 58 on the hold queue. What incompetent bunglers they are…
    That’s better – thanks for this place to let off steam.

  19. Anon. Says:

    You may not be aware that only domains can be transferred out within 24 hours.

    Most other TLD’s such as .com/.net take up to 60 days to transfer. This is standard industry policy and not a Fasthosts specific thing.

    However, this means that from 5th February, the numbers of domains registered with UKReg/Fasthosts is likely to change dramatically. I wonder what incentives Fasthosts will issue during the next 60 days? Perhaps guarenteed respect and cheerfulness on the Technical Support lines.

  20. stuart Says:

    I got a new password through the post – it does not work.

    I called them in week to sort it out was on hold for a hour the lady was very rude to me.

    To be fair this is not the first time I had problems with fasthost. My accounts been used to spam people. Also have email going missing all sorts of problems. I think its time to move on!

  21. I recently cancelled my dedicated server service at Fasthosts because of a truly unbelievable lack of support when something went wrong.

    In a nutshell, the server began refusing connection to our various domains. We would reset the box and it would reestablish connection for a few minutes and then lost connection again. It had us stumped.

    Sent urgent emails. In a nutshell, between 21 Dec 2007 and when we cancelled on jan 15 we had one email response from them that they had investigated something completely different!?! There were periods of up to nine days when we would hear nothing from them. And finally we were in the engineering queue for 11 DAYS.

    Um…our business is based in South Africa and I have thought that the “leading” hoster in the UK might have some kind of support service in place. Wrong.

    I sent a mail to “escalations” and got a curt mail back saying that they didn’t know what my problem was but that they could get an engineer to look at it ??? and that was from Stuart Brereton, apparrently the support “team leader”. i have waited 8 days for a response to my subsequent mail.

    If our business wasn’t server based I would have had more of a sense of humour about this all. Needless to say we’ve moved our services along.

  22. In a bit of excitement I started a reseller account with FASTHOST to try their API to integrate with my website as I wanted to resell domains, dns, web hosting and email hosting etc. as my website was attracting 1000 unique visitors from web per day just in first few months of launch. Anyway I thought I can resell the FASTHOST products under the umbrella of I downloaded PHP api samples and tried it. First of all it was painfully slow to access just few bytes using SOAP client from FASTHOST servers. I only added one contact record and a few domains to try and it did work but was too slow. Important part after the domain reg process to be able to change dns and name servers etc. But I was not able to change it. There was no documentation or help. I called but after frustrated hour long hold I spoke to somebody who said nobody is available with API expertise. Can you log a ticket online and somebody will come back in few days. I logged a ticket and nobody came back from FASTHOST. All that time spent on this was wasted. I knew ENOM will allow me to resell domains as well but they asked for money upfront which I didn’t want to spend. Anyway back to FASTHOST I know my other clients frustrated from FASTHOST and who are moving away from them. I have come across many. I got myself nice API from other vendor and works like a charm and making money for me

  23. Another big flaw in FASTHOST SOAP API is it charged me for a domain I just wanted to try to see how things worked. Charged me is fine because I registered it but the domain was actually not even registered at all. So I am thinking I have a good domain name but after couple of days I found out that WHOIS show no record of it. They also charged me £5 per domain to use their API which is not working properly yet.

  24. Eddie Skelson Says:

    I’ve just spent a day of trying to deal with Fasthosts Dedicated Sever Customer Service and Tech Support.

    12 hours later and still no server.

    Add to this that I lost 4 days of service in October (one of my busiest periods) and they have cost me a small fortune.

    Without a single doubt this is not a company to deal with if you are in any way reliant on your servers being down less than a few hours during a breakdown.

    I’ll be moving my opration tomorrow, 9am sharp.

  25. Disgruntled of Suffolk Says:

    Good luck to those who say they were going to “move” to another host. You may have already found that leaving Fasthosts is like pulling yourself out of quicksand. Be warned: Fasthosts dont take NO for an answer. If they have your credit card, they will try and debit money from it, regardless of whether you still have an account with them. Don’t be surprised if they continue billing you long after your Fasthosts account is supposedly “closed”.

    I CLOSED my Fasthosts account in November 2006, well I say “closed”, it took 4 months to finally get a confirmation email from them to say the account was actually closed. They made me fill in an email survey and all kinds of other crap before finally saying “goodbye”.

    Ironically, at the time, I wasn’t p*ssed off with Fasthosts – I just didn’t require the website or domain any more ‘cos I didn’t have time to keep it updated. So I let the domain expire, and closed the account. I told them this, too.

    Two or three times since the “closure” of my account, they’ve tried to collect money off me, (yes, even though I’m nothing to do with them any more), a couple of times have sent me emails saying my domain is “due for renewal”, and they were “going to collect payment” – to which I replied “no, you’re not”. (I got no reply, but thankfully money didn’t get debited from my card).

    The latest email (today) warned me rudely that my credit card was about to expire (I must apparently provide them with my current card details or face an “administration charge”). All this and I am NOT a customer of theirs!

    Fasthosts do NOT seem to understand the meaning of “goodbye”, and keep on trying to collect money for services you neither want nor asked for. It HAS to be ILLEGAL surely to retain payment details of ex customers and continue billing them long after the account was closed? At best, it is cheeky Fasthosts “trying it on” to fool people into giving them money, at worst its downright THEFT – like a shopkeeper dipping into the pockets of customers as they leave the shop.

    In response to my latest email (where they demand I update my card details for the hosting account that was closed in 2006), I sent them back a strongly worded refusal and demanded an explanation and apology for them trying to collect my money off me again. I stated that I wanted a definitive answer TODAY and it better not be automated.

    The response? An automated email saying I must supply my account number and PIN before they even look at my enquiry. Of course I dont have either account number nor PIN because I am not a Fasthosts customer any more. What a bunch of complete and utter dick heads.

    I am going to bypass their so called escalation system and write a letter (by post, since they seem to like that), direct to their managing director.

    For the rest of you who have left Fasthosts, I strongly advise you cancel your credit/debit cards and get new ones. Or don’t be surprised if you see the “F” word on your card statement one day in the future.

  26. Disgruntled of Suffolk Says:

    Oh, and by the way, it’s not just me. A lot of people out there have been robbed of hundreds of pounds and have been stonewalled when asking for refunds. Just try Googling “Fasthosts steal money” and you will get some idea…

  27. Philip Says:

    Please never use Fasthosts, they are crap, crap, crap.

    Trust the reaction to them on the web, and the absence of a forum, both public or private, as it would be filled with dissatisfaction and even hate.

    They are very good at being very bad, in every way possible. It is amazing that they are still around, with their attitude, bad management, and ability of their forgetful/confused support.

    One day they will collapse, and leave all those desperate to escape with the chore of moving sites, possible many, elsewhere. Once the dust has settled past clients will be relieved at a more stable life, away from Fasthosts and the constant fear of the next big crazy disaster.

    Backup while you can and spend your holidays moving sites, even if it means running two resellers accounts for a year! We are. Run, while you can.

  28. I have had two websites with FAsthosts for many years. I just left them with Fasthosts despite their absolutely ridiculous appalling communication. It seems to be that everything is organised to serve Fasthosts and not the customer. When the passwords all changed last year I was one of the customers who could reach support. The names of my accounts have changed and the prices have gone up over time dramatically despite my limited use of bandwidth.

    It’s only that i find the contemplation of moving hosts to be often too stressful when I consider it.

    Whenever I have tried to get support the emails bounceback … The list goes on.

    Also they hold strong hold over your domain name registration as well as the use of sitee….. aaaargh I’m frustrated.

  29. Danny Fearn Says:

    Well where do i start,

    Been with fasthosts for over 2 years now.

    Never had a problem until i took out my dedicated server in February 2009.

    Setting the server up wasnt a problem it was the little things that made the problem as when i rang up for help i was told i would have to pay for an engineer to help.

    Luckily there are lots of helpful people on the internet who are more than happy to help.

    Anyway, i dont use the dedicated server anymore and pay £113 a month for it. I cant physically afford to pay the thing anymore so emailed fasthosts asking for them to cancel the server. they informed me i was under a 12 month contract until Feb 2010. i then told them i didnt use the dedicated server and couldnt afford to pay the payment each month.

    I was again emailed back saying im under a 12 month contract.

    What upset me the most is how when i was taking the dedicated server out over the phone not at any point during the 20 minutes phone call did they tell me i would be under a 12 month contract.

    i then emailed them again saying i am a loyal customer, have spents £££££’s with them over the years and is there nothing they can do for me.

    AGAIN i was told no and im under contract till 2010.

    So basically they are still taking the payment out of £113 a month for a server i dont use. As money is tight which i have informed them about when they take the payment it is then leaving no money in my bank topay for my other hosting packages. So the i get charged £23 for a missed payment.

    I think it is disgusting how they treat long standing, loyal customers!!!!!

    Has anyone managed to get out of a contract?

    I feel they should make it clear when people take out a dedicated server about the 12 month contract instead of hiding it in the terms link on the activation email!

    any one help?

    • no2fasthosts Says:

      We recommend you seek legal advice on this Danny.

      It looks like at least £500 will be spent on this server, so why not speak to a solicitor about the situation. If your solicitor believes you’ve been mis-sold the contract, I am sure you would rather the money go to him than FH.

      If you bought this package personally, and not under a Limited Company or other business vehicle, then you arguably have a strong case under Distance Selling Regulations.

      Don’t sit by and let it die, there are many people who will provide evidence of the same sales behaviour, some of whom have commented on this sit. If enough problems are registered with Trading Standards, they will act, and FH will have to repay every penny.

      Good Luck.

  30. Steve Says:

    Fasthosts are the most awful site hosts I have ever encountered.
    I lost count of the times I would be left hanging on the phone for hours when I had clients screaming at me cos their site had again gone down.
    I only use US host now, their reseller packs cost from as little as $100 per year, about £60, much cheaper and supreamly better that fasthosts £500-£600 for complete crap.
    They are like a bad smell though, and even if you walk away from them they will find some way to charge your credit card and if its expired, tell you that you have to pay anyway.
    Crap support, rude, ignorant, outdated control panel, and dont even get me started about if you happen to forget a password, the crap you have to go through.
    My advice, keep WELL away from them.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: