Exclusive: 123-reg suffered serious security lapse while deleting 67 servers

Customers could see each other's accounts after faulty script erased their data

123-reg customers could see each other's account data as a coding error erased numerous businesses and websites across the UK.

The UK's largest web hosting provider suffered a catastrophic failure on Sunday that saw 67 of its servers wiped completely, erasing people's entire businesses in the process.

It also experienced a serious security blunder, allowing some users to see into each other's accounts.

IT Pro's sister site Cloud Pro was exclusively contacted by a number of 123-reg customers who presented evidence of having been redirected to other people's accounts when they tried to log into their own admin panels.

123-reg has since confirmed that an incident took place, but denied that people's personal or sensitive information was exposed, adding that it has voluntarily contacted the Information Commissioner's Office (ICO).

"There was a brief period of time where a minority of 123 Reg customers were able to see another customer's ticket information while logged into the ticket system," the company told Cloud Pro. "During the time in question, a logged-in customer was not able to access any other customer's 123 Reg control panel, where product configuration and sensitive information is stored."

"We have put technical measures in place to ensure this does not happen again. Our customer support teams are also invoking additional security measures when dealing with customer information. We are confident that no sensitive data was accessed nor that there is any risk to our customers' information," it added.

However, this is contrary to what Cloud Pro has been told by customers, who said that from the control panel, they were immediately able to see another customer's full name, support tickets and a significant amount of personal and sensitive information contained within them, including some billing details, IP addresses, and password notifications.

"I was able to see someone else's account, behind login on the 123-reg support website. Their session management broke for 10 minutes. This is about as serious as it gets," a ColdFusion specialist and 123-reg customer, who wished to remain anonymous, told Cloud Pro.

Another developer and 123-reg customer, James Tanner, claimed the security lapse went on for up to 30 minutes.

"I could see all [the other customer's] tickets, and the personal information within tickets that she had shared," said Tanner.

"I believe there could've been potential to exploit further but I wasn't prepared to push it and see," he added.

The majority of customers who have contacted Cloud Pro have been informed their data is lost forever unless they have a separate backup.

One business, Free Motor Legal, had its website and email restored this morning, but managing director, Lee Jones, said the company will still move away from 123-reg.

"Following an unsatisfactory response with ultimately no guarantee our site can be restored by 123-reg, I have ... moved host company and we are actively moving our site and facilities to another provider this," said Jones. "We are internet based and therefore [had] no way of communicating with new clients and members as currently we do not exist from search results on Google, where we typically appear on page one."

"Thankfully no data [was] stored with them. [The] site has been restored by them now and full function returned. Regardless I am shifting host company due to loss of confidence," he added.

The ICO told IT Pro: "We're aware of an incident and are making enquiries."

This article was originally published on 20/04/2016 and was subsequently updated on 21/04/2016 with 123-reg's response.
