Hosting company hacked - how worried should I be?

I received an obviously-spam e-mail from my hosting company and contacted them about it. They replied:

I apologies for the inconvenience caused. The reason you received the email was because our vbulletin forums script seem to have been exploited and was being used to send mass emails.

We have disabled the script and put it in maintenance mode. Please be assured, we do not disclose our clients email addresses. However, it seems the spammer seem to have used our exploited script to send mass emails. The moment, we noticed this, we have put our community forums into maintenance mode.

However, I have never used their forums, so I couldn’t see why a hacked forum would affect me. I said as much to the company, and they said:

The spamming that was done, was done due to an exploited script, where malacious files were uploaded to our exploited forums, and were used for spamming.

We never had your email address, as far as I believe, however the spammer uploaded his email database, and used our exploited forums as a medium to spam people. Most likely your email was in that database that was uploaded by the spammer, as a result you were one of those people who received those spam emails believing it was sent by us.

I again apologies for the spam emails that you received because of our exploited forums. As you see, we have immediately taken down our forums for maintenance purpose to get it patched and secured.

Well, that can’t be right, because I received the spam e-mail at three different e-mail addresses, all of which I have used for accounts with this company, and one of which I have only used for accounts with this company, so the only place the spammer could have obtained it is from there. I explained all this, and they replied:

First of all we never disclose our clients contact address, also from the files which were uploaded by the exploiter used the Mass Email Sender script and it queried the SQL command through PHP, picking up the contact details and sent the mass email.

We’ve already disabled the old exploited forums, and updated the forum application with latest version along with the security patch provided by vbulletin team.

Frankly, I don’t even understand that one. My knowledge of PHP, SQL and how forums operate is minimal, to say the least.

If only the forum was hacked, surely they shouldn’t be able to obtain my details, given I’ve never used the forums? And could they have obtained other information, such as my passwords? (I’ve changed them all, just to be on the safe side.) Am I being paranoid, as usual, or is my hosting company not taking this seriously enough?

They could have theoretically used a screwed up script in the forum to make their way in to the database and poke around, but honestly, if that’s the case, their security is bad!

What you normally do is create a separate database for each application (forum, client crm, company website, etc) and create a unique username/password combination for access to that database. You never (ever ever ever) share username/passwords between databases, or put different websites in one database. From the looks of it they’ve done one of those things.

What I find weird is that they first claim the hacker had your email themselves, and when you call them on it they come out to say it was probably “borrowed” from them after all…
Sounds all pretty fishy if you ask me.

As for passwords, they should not be able to find that, but there is no way to be sure as we don’t know how the host stores them. So we get to the most heard answer, “it depends”

Thanks, Scallio - that rather backs up what I thought. There’s a kind of warped satisfaction here, because three of my sites, on two different servers, were hacked some months back, and the company were insistent that the problems must be at my end, because their security is so good. I am gradually moving my sites away from this company, but I can’t afford to move them all at once.

I decided to ask the company outright if any of my other details could have been accessed, and the reply was

From the exploit script which the hacker queried the SQL command through just retrieved the contact information from one database table and mass emailed to the users which were listed in that table.

I’ve confirmed that none of other confidential details like login password etc were not disclosed. It was just a spam emails send through the exploit PHP script.

I might even feel reassured, if only they could write grammatical English They are based in London, so that shouldn’t be too much to ask. I have the feeling they’re trying to play down the incident - perhaps they’re worried about falling foul of data protection legislation - but I’d be happier if I felt they were being honest.

They wouldn’t exactly give me any reassurance with their wishy-washy claims I’d consider taking it further or moving on to somewhere more competent especially regarding their past performance regarding shifting blame.

I’ve confirmed that none of other confidential details like login password etc were not disclosed. It was just a spam emails send through the exploit PHP script.

Wow. Just wow.

Yeah, I would go look for a different host as well!