Hackers have compromised a major database maintained by Hetzner Ltd, one of the largest data centre and web hosting services in South Africa.

The Johannesburg-based company said on Wednesday (1 November) that a key client portal called "konsoleH" had been accessed by unknown cybercriminals. "We should assume that all our customer data has been exposed," it said in a lengthy statement 24 hours later.

The company claimed that hackers exploited an SQL injection vulnerability in its database.

"There is no way for us to ascertain how the exposed data will be used," it warned Thursday.

Hetzner said that konsoleH admin passwords were encrypted but it had "proactively updated all FTP passwords because they were stored in plain text.

"We are deleting all plain text versions of the FTP & database passwords. Going forward, they will be encrypted on our systems," the company said in an FAQ page. For clients, however, it's too late.

Hetzner said details exposed included all customer details, domain names, FTP passwords and partial bank account details. It stressed no credit card details were stored in the portal.

But it urged all customers to urgently update their account passwords.

The hack impacted both current and previous customers. However, Hetzner did not elaborate on exactly how many customers were likely exposed in the massive cyberattack. On its website, the company states it provides web hosting services to more than 40,000 customers.

Hetzner did note that those impacted by the hacking would not get compensation. At this stage of the investigation, it is unlikely that the company knows the true scale of the incident.

It said on the FAQ page: "The unfortunate reality is that no company is immune to malicious exploits -- our customers have fallen victim, as has Hetzner.

"While Hetzner won't be compensating customers in monetary terms, we are committed to supporting our customers through this time and have our team working around the clock."

It added: "We have external forensic investigators on site working round the clock with our team. We understand that this event has shaken your confidence in us. It is our earnest commitment to provide you with a hosting service you can trust."

Last month, a major database leak hit South Africa which exposed the personal details of millions of citizens. That trove of data was discovered under the name "Master_Deeds".

Hetzner said the two events were "not related in any way" but noted that the leaked files were indeed stored on a "self-managed server" leased by one of its customers.

"This customer has complete responsibility for all data storage and data access on the server, while Hetzner remains responsible for the hardware and only the hardware - we don't have access to the data stored on this hardware," it explained.

The leaked information, as previously reported, contained citizen ID numbers, names, genders, marital statuses, home ownership information, employment details and income data.

Security expert Troy Hunt said the database contained at least 60m records – higher than the estimated population of the country (56m) because it contained entries of people both alive and deceased. The breach was first reported by Tefo Mohapi of tech website iAfrikan.