Exclusive: 123-reg suffered serious security lapse while deleting 67 servers

Customers could see each other's accounts after faulty script erased their data

123-reg customers could see each other's account data as a coding error erased numerous businesses and websites across the UK.

The UK's largest web hosting provider suffered a catastrophic failure on Sunday that saw 67 of its servers wiped completely, erasing people's entire businesses in the process.

It also experienced a serious security blunder, allowing some users to see into each other's accounts.

IT Pro's sister site Cloud Pro was exclusively contacted by a number of 123-reg customers who presented evidence of having been redirected to other people's accounts when they tried to log into their own admin panels.

123-reg has since confirmed that an incident took place, but denied that people's personal or sensitive information was exposed, adding that it has voluntarily contacted the Information Commissioner's Office (ICO).

"There was a brief period of time where a minority of 123 Reg customers were able to see another customer's ticket information while logged into the ticket system," the company told Cloud Pro. "During the time in question, a logged in customer was not able to access any other customer's 123 Reg control panel, where product configuration and sensitive information is stored."

"We have put technical measures in place to ensure this does not happen again. Our customer support teams are also invoking additional security measures when dealing with customer information. We are confident that no sensitive data was accessed nor that there is any risk to our customers information," it added.

However, this is contrary to what Cloud Pro has been told by customers, who said that from the control panel, they were immediately able to see another customer's full name, support tickets and a significant amount of personal and sensitive information contained within them, including some billing details, IP addresses, and password notifications.

"I was able to see someone else's account, behind login on the 123-reg support website. Their session management broke for 10 minutes. This is about as serious as it gets," a Cold Fusion specialist and 123-reg customer, who wished to remain anonymous, told Cloud Pro.

Another developer and 123-reg customer, James Tanner, claimed the security lapse went on for up to 30 minutes.

"I could see all [the other customer's] tickets, and the personal information within tickets that she had shared," said Tanner.

"I believe there could've been potential to exploit further but I wasn't prepared to push it and see," he added.

The majority of customers who have contacted Cloud Pro have been informed their data is lost forever unless they have a separate backup.

One business, Free Motor Legal, had its website and email restored this morning, but managing director, Lee Jones, said the company will still move away from 123-reg.

"Following an unsatisfactory response with ultimately no guarantee our site can be restored by 123-reg, I have ... moved host company and we are actively moving our site and facilities to another provider this," said Jones. "We are internet based and therefore [had] no way of communicating with new clients and members as currently we do not exist from search results on Google, where we typically appear on page one."

"Thankfully no [was] data stored with them. [The] site has been restored by them now and full function returned. Regardless I am shifting host company due to loss of confidence," he added.

The ICO told IT Pro: "We're aware of an incident and are making enquiries."

This article was originally published on 20/04/2016 and was subsequently updated on 21/04/2016 with 123-reg's response.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

8 most secure web browsers
web browser

8 most secure web browsers

25 Sep 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Windows XP source code allegedly leaked online
Microsoft Windows

Windows XP source code allegedly leaked online

25 Sep 2020