OVH, one of the largest webhosting companies in the world, says hackers have compromised the company's European customer database and gained access to an installation server in Canada.

French webhost, OVH, is urging customers to change their passwords after attackers were able to compromise the company’s European customer database and gain access to an installation server in Canada.

OVH, the largest webhosting company in France and the fourth largest worldwide, disclosed that they’ve suffered a multi-stage attack that started from their offices in Roubaix on Monday. As a result, they are urging all customers to change their passwords, particularly those in Europe. Letters explaining the incident and steps customers can take were scheduled for delivery starting on Tuesday.

OVH says that the attacker was able to obtain access to a system administrator’s email account, and from there the attacker used that account to gain access to another employee’s VPN credentials. Once the VPN connection access was established, the attack compromised a second administrator account, which handles the internal back office.

From there, the attacker — based on internal investigations — was able to recover a database housing information on customers in Europe and gain access to an installation server in Canada. The European database houses personal information such as first and last name, address, city, country, telephone records, and passwords that were hashed with SHA-512 and salted. There was no financial information stored in the database.

“It takes a lot of technical means to find the word password clearly. But it is possible. This is why we advise you to change the password for your user name.
An email will be sent today to all our customers explaining these security measures and inviting them to change their password,” OVH explained.

OVH says that before the attack, their level of internal security included just two levels of verification: a password and IP source. The IP restriction enforced the policy that access to the compromised systems would require local connections, or a confirmed VPN connection. “In short, we were not paranoid enough so now we’re switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH,” the webhost added.

One expert said the incident report and the details within should serve as a cautionary tale for enterprises. OVH, by and large, had security controls in place that exceeded most enterprises.

“Yet, by targeting a privileged user within the OVH network, the attacker was still able to obtain access to the OVH network and ultimately escalate their privileges to access customer data. This should also serve as a reminder that while many things can be outsourced, responsibility can’t be one of them,” Michael Sutton, VP of Security Research for Zscaler, told CSO in a statement.

Security at OVH has been upgraded immediately, including new passwords for all staff, new VPN access, email access restrictions (employees can only access email from within the office or via VPN), and three levels of verification for staffers that have higher access, including the use of IP source data, passwords, and YubiKeys.

Earlier this year, OVH was forced to deal with a separate security incident, as at least two customers had their websites compromised after attackers targeted a vulnerability in OVH’s password recovery system. At the time, the randomly generated passwords were guessable due to a randomization flaw in the recovery script.
The attack led to strengthened password policies and a new password reset script.
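
The article notes that the stolen passwords were salted and hashed with SHA-512, and that recovering them is costly but possible. The sketch below is an added example, not OVH's code: it shows one way a service can verify a login against such a legacy record and transparently re-hash it with a deliberately slow key-derivation function. The record layout, the salt-then-password concatenation and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 210_000  # assumed work factor; tune to your hardware


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Single salted SHA-512 pass (assumed salt||password layout)."""
    return hashlib.sha512(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA512: same primitive, but expensive per guess."""
    return hashlib.pbkdf2_hmac(
        "sha512", password.encode(), salt, PBKDF2_ITERATIONS
    )


def new_record(password: str, scheme: str = "pbkdf2") -> dict:
    """Create a stored credential with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    fn = slow_hash if scheme == "pbkdf2" else legacy_hash
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login; on success, re-hash a legacy record with the slow KDF."""
    fn = slow_hash if record["scheme"] == "pbkdf2" else legacy_hash
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(fn(password, record["salt"]), record["hash"])
    if ok and record["scheme"] != "pbkdf2":
        # Only at login do we hold the plaintext, so upgrade here.
        record.update(new_record(password))
    return ok


if __name__ == "__main__":
    # Constructed sample credential, stored the legacy way.
    rec = new_record("correct horse battery", scheme="sha512")
    print(verify_and_upgrade(rec, "wrong guess"), rec["scheme"])
    print(verify_and_upgrade(rec, "correct horse battery"), rec["scheme"])
    print(verify_and_upgrade(rec, "correct horse battery"), rec["scheme"])
```

Records that never log in stay on the legacy scheme, which is why a forced password change, as OVH requested, is still needed after a database theft.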