DreamHost customers should change their passwords ASAP.
That's the word from the web-hosting service and domain name registrar, which sent an email to customers over the weekend saying that their FTP passwords may have been accessed by hackers.
The company said it had reset all customer FTP passwords as a precaution and that users would have to create new ones by logging in to their DreamHost web panel. It also advised customers to change their email passwords, though it said email passwords and billing information were not accessed.
DreamHost added today that handling new password requests was taking some time.
"Processing user updates is taking longer than usual due to the sheer number of customers requesting password changes on our system," the company said in a status update posted to its website. "We understand your desire to get things working in an expeditious manner and we are working hard to get you there. We're examining ways of decreasing the queue depth, but we're still faced with the fact that there is a considerable amount of work to be processed and apologise for the delay."
The company said password changes would take one to two hours to fully update.
Customers should also take note of the following caution about phishing schemes, which closed last night's heads-up email:
"DreamHost will never ask you for personal or account information in an email. Please exercise caution if you receive any other emails that ask for personal information or direct you to a website where you are asked to provide personal information."
Here's the complete text of last night's warning email:
IMPORTANT INFORMATION:
We are writing to let you know that there may have been illegal and unauthorised access to some of your passwords at DreamHost today. Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all DreamHost customers and their users.
There are three different types of passwords at DreamHost: a web panel password (for logging in to the panel), email passwords and FTP/shell access passwords. Only the FTP/shell access passwords appear to have been compromised by the illegal access. Web panel passwords, email passwords and billing information for DreamHost customers were not affected or accessed. Refer to the following DreamHost status post for details: http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-passwords-due-to-security-issue/
IMPORTANT ACTION REQUIRED:
- To create a new FTP/shell access password for your DreamHost account, please log in to your DreamHost web panel (https://panel.dreamhost.com/), select "Manage Users" in the top left, then select "Edit" next to each user and type in a new password. Make sure you click "Save Changes" at the bottom of the page.
- We are also requesting that you change your email password. We are not enforcing this change at this time as we do not believe that email passwords were compromised. However, we strongly recommend that you change your email password as a precaution. To change the passwords for your email users or yourself, log in to the DreamHost panel at (https://panel.dreamhost.com/), select "Manage Email" in the top left, select "Edit" next to each email user address and choose a new password for each. Make sure you click "Save Changes" at the bottom of the page.
We sincerely apologise for any inconvenience this may cause. If you have any additional questions about this process, please contact us through the support page in the panel.
Note that DreamHost will never ask you for personal or account information in an email. Please exercise caution if you receive any other emails that ask for personal information or direct you to a website where you are asked to provide personal information.
The DreamHost Team