On August 4, 2015 our security team identified and stopped unauthorized access to one of our systems. As a result, we reset all reseller Control Panel and Reseller Web Interface (RWI) passwords. Since then, we have worked 24/7 to complete an extensive investigation process and conduct a series of full and detailed sweeps of every infrastructural element of our systems. We would like to take this opportunity to share more details with you.
– The unauthorized access to our systems was gained through the use of elevated credentials. There was no evidence of brute-force failed login attempts.
– There was no attempt made to access production systems and data, nor to access or modify the system code base.
– We discovered a secured outbound file transfer from one of our backup servers that was attempting to copy data to an external address; we were able to disrupt and terminate it before it was successfully completed.
We are a security conscious company. We consider any unauthorized access to a system to be a full compromise of data, and have taken a cautious approach of resetting all credentials that could be affected.
Is my reseller account safe?
We have no evidence that any OpenSRS reseller accounts have been accessed, but even the possibility that this could have happened moved us to err on the side of extreme caution.
What should resellers do?
As a precautionary measure, we have asked OpenSRS resellers to do two things:
1) Reset their Control Panel and Reseller Web Interface (RWI) passwords:
On August 4, we sent an email letting OpenSRS resellers know that we had reset their passwords. All passwords are encrypted to ensure their protection. If you have not already done so, go to the Reseller Control Panel at manage.opensrs.com and reset your password using the “Forgot password?” option. If you have already done it after receiving an email from OpenSRS asking you to do so, no further action is required.
2) Reset their API keys:
As an additional precaution, if you access our system through the API, we have asked you to reset your API key. These keys are also encrypted.
Here are some instructions on how you can do it. IMPORTANT: Once the new API key is generated, the old key will stop working. You must be ready to make the change to avoid service interruption.
Who do I contact if I have any questions or concerns about this issue?
We encourage you to get in touch with support at firstname.lastname@example.org
Tucows is deeply committed to the improvement of Internet security practices. We are thankful for the strong and cooperative industry relationships we have built over the last decade, and we’ll continue to be a key player in the fight against cybercrime.
We deeply regret this incident and apologize to everyone who relies on OpenSRS as a trusted service provider.
After reading all the comments below, it’s important for us to clarify a few points. We once again apologize for the inconvenience and hope you understand that these measures have been implemented with the security of your account in mind.
3rd party software and API users:
For resellers accessing our systems via 3rd party software, we can activate reseller account level authentication for their accounts. We are also happy to activate this for resellers who access our system via custom API integrations. However, they will need to confirm that they authenticate users themselves and not based on the username and passwords we provide. We ask these resellers to please contact OpenSRS support at email@example.com.
– Users of the WHMCS plugin: the WHMCS development team has updated the OpenSRS module to use an alternative authentication method which removes the reliance on registrant domain passwords. This module is compatible with both WHMCS v5.3.x* and v6.0. Once you deploy this updated module, all OpenSRS functionality will be restored.
OpenSRS end-user interface password retrieval process:
There are some concerns about password reset links being sent to an invalid email address. Resellers can log in to the Reseller Control Panel and edit the owner’s contact information (including the email address). We recommend you watch the Domain Management tutorial. If you are currently using the Reseller Web Interface (RWI), we encourage you to switch to the Reseller Control Panel, as it provides many more options and much more functionality.
Reseller Control Panel functionality:
In the Reseller Control Panel you can manage all aspects of a domain name independently of registrant username and passwords. In very specific cases, where policy prevents us from allowing changes, you will need to contact OpenSRS support at firstname.lastname@example.org and we’ll be happy to assist you with changes. We recommend you watch the Domain Management tutorial.
Domain management via API:
Some resellers have expressed concerns about being unable to manage domains on behalf of their customers after the registrant password reset. We’d like to reiterate that the OpenSRS end-user management interface is not intended for reseller use. OpenSRS does provide resellers with APIs and Control Panels to manage domains on behalf of their customers using their reseller account login credentials or API key. We understand that some resellers may still be using older versions of our API, and our support staff will be happy to assist and guide you on how you can update your integrations.
Registrant password length requirements:
We have rolled back the change that forced resellers to set registrant passwords that are at least 10 characters long. However, this change will be rolled out again on September 9, 2015 for additional security (a reminder will be sent in early September). This may require you to adjust your systems if you have been setting passwords that are less than 10 characters in length. WHMCS and Parallels/Odin will be able to handle 10-character registrant passwords when interfacing with our system.
Multiple domains under a single profile:
We are currently working on making better tools available for identifying all domains under a single profile and merging domains into existing profiles in the Reseller Control Panel.