Exclusive: 123-reg suffered serious security lapse while deleting 67 servers
Customers could see each other's accounts after faulty script erased their data
123-reg customers could see each other's account data as a coding error erased numerous businesses and websites across the UK.
The UK's largest web hosting provider suffered a catastrophic failure on Sunday that saw 67 of its servers wiped completely, erasing people's entire businesses in the process.
It also experienced a serious security blunder, allowing some users to see into each other's accounts.
IT Pro's sister site Cloud Pro was exclusively contacted by a number of 123-reg customers who presented evidence of having been redirected to other people's accounts when they tried to log into their own admin panels.
123-reg has since confirmed that an incident took place, but denied that people's personal or sensitive information was exposed, adding that it has voluntarily contacted the Information Commissioner's Office (ICO).
"There was a brief period of time where a minority of 123 Reg customers were able to see another customer's ticket information while logged into the ticket system," the company told Cloud Pro. "During the time in question, a logged in customer was not able to access any other customer's 123 Reg control panel, where product configuration and sensitive information is stored."
"We have put technical measures in place to ensure this does not happen again. Our customer support teams are also invoking additional security measures when dealing with customer information. We are confident that no sensitive data was accessed nor that there is any risk to our customers information," it added.
However, this is contrary to what Cloud Pro has been told by customers, who said that from the control panel, they were immediately able to see another customer's full name, support tickets and a significant amount of personal and sensitive information contained within them, including some billing details, IP addresses, and password notifications.
"I was able to see someone else's account, behind login on the 123-reg support website. Their session management broke for 10 minutes. This is about as serious as it gets," a Cold Fusion specialist and 123-reg customer, who wished to remain anonymous, told Cloud Pro.
Another developer and 123-reg customer, James Tanner, claimed the security lapse went on for up to 30 minutes.
"I could see all [the other customer's] tickets, and the personal information within tickets that she had shared," said Tanner.
"I believe there could've been potential to exploit further but I wasn't prepared to push it and see," he added.
The majority of customers who have contacted Cloud Pro have been informed their data is lost forever unless they have a separate backup.
One business, Free Motor Legal, had its website and email restored this morning, but managing director, Lee Jones, said the company will still move away from 123-reg.
"Following an unsatisfactory response with ultimately no guarantee our site can be restored by 123-reg, I have ... moved host company and we are actively moving our site and facilities to another provider this," said Jones. "We are internet based and therefore [had] no way of communicating with new clients and members as currently we do not exist from search results on Google, where we typically appear on page one."
"Thankfully no [was] data stored with them. [The] site has been restored by them now and full function returned. Regardless I am shifting host company due to loss of confidence," he added.
The ICO told IT Pro: "We're aware of an incident and are making enquiries."
This article was originally published on 20/04/2016 and was subsequently updated on 21/04/2016 with 123-reg's response.
How virtual desktop infrastructure enables digital transformation
Challenges and benefits of VDIFree download
The Okta digital trust index
Exploring the human edge of trustFree download
Optimising workload placement in your hybrid cloud
Deliver increased IT agility with the cloudFree Download
Modernise endpoint protection and leave your legacy challenges behind
The risk of keeping your legacy endpoint security toolsDownload now