Exclusive: 123-reg suffered serious security lapse while deleting 67 servers

Customers could see each other's accounts after faulty script erased their data

123-reg customers could see each other's account data as a coding error erased numerous businesses and websites across the UK.

The UK's largest web hosting provider suffered a catastrophic failure on Sunday that saw 67 of its servers wiped completely, erasing people's entire businesses in the process.

It also experienced a serious security blunder, allowing some users to see into each other's accounts.

IT Pro's sister site Cloud Pro was exclusively contacted by a number of 123-reg customers who presented evidence of having been redirected to other people's accounts when they tried to log into their own admin panels.

123-reg has since confirmed that an incident took place, but denied that people's personal or sensitive information was exposed, adding that it has voluntarily contacted the Information Commissioner's Office (ICO).

"There was a brief period of time where a minority of 123 Reg customers were able to see another customer's ticket information while logged into the ticket system," the company told Cloud Pro. "During the time in question, a logged in customer was not able to access any other customer's 123 Reg control panel, where product configuration and sensitive information is stored."

"We have put technical measures in place to ensure this does not happen again. Our customer support teams are also invoking additional security measures when dealing with customer information. We are confident that no sensitive data was accessed nor that there is any risk to our customers' information," it added.

However, this is contrary to what Cloud Pro has been told by customers, who said that from the control panel, they were immediately able to see another customer's full name, support tickets and a significant amount of personal and sensitive information contained within them, including some billing details, IP addresses, and password notifications.

"I was able to see someone else's account, behind login on the 123-reg support website. Their session management broke for 10 minutes. This is about as serious as it gets," a ColdFusion specialist and 123-reg customer, who wished to remain anonymous, told Cloud Pro.

Another developer and 123-reg customer, James Tanner, claimed the security lapse went on for up to 30 minutes.

"I could see all [the other customer's] tickets, and the personal information within tickets that she had shared," said Tanner.

"I believe there could've been potential to exploit further but I wasn't prepared to push it and see," he added.

The majority of customers who have contacted Cloud Pro have been informed their data is lost forever unless they have a separate backup.

One business, Free Motor Legal, had its website and email restored this morning, but managing director Lee Jones said the company will still move away from 123-reg.

"Following an unsatisfactory response with ultimately no guarantee our site can be restored by 123-reg, I have ... moved host company and we are actively moving our site and facilities to another provider this," said Jones. "We are internet based and therefore [had] no way of communicating with new clients and members as currently we do not exist from search results on Google, where we typically appear on page one."

"Thankfully no data [was] stored with them. [The] site has been restored by them now and full function returned. Regardless I am shifting host company due to loss of confidence," he added.

The ICO told IT Pro: "We're aware of an incident and are making enquiries."

This article was originally published on 20/04/2016 and was subsequently updated on 21/04/2016 with 123-reg's response.
