The hosting company Fasthosts has reset all its customers' passwords after the breach of one of the company's servers.
In mid-October the company, which also provides business ADSL, wrote to its customers to make them aware of the breach and ask them to change their control panel, email and FTP passwords. According to a statement on Thursday, "a very small number of customers who did not change their passwords had experienced a compromise to their FTP space".
"This damage varied from a change to the home page of a website to some files being uploaded to the FTP space which had no visible effect," a Fasthosts spokesperson told ZDNet.co.uk on Friday. "Fasthosts is currently in the process of working with these customers to resolve any outstanding technical requirements."
Fasthosts has now automatically reset all control panel and FTP passwords that had not been changed, the company announced on Thursday. Email passwords that have not been changed yet will be reset automatically in nine days' time.
"These affected customers will receive their new passwords by Royal Mail and have been informed today of all these changes and what they are required to do," read Fasthosts' statement.
The company statement said that the breach had been found during a system-wide external security audit, adding that: "Fasthosts considers that its practices and procedures are up to date, and represent good practice in continually protecting the security of its customer data, and the company remains fully confident in its ability to do so."
Fasthosts apologised for the breach, and claimed that the password changes would shore up the security hole that became apparent last month.
Talkback
Now if the action had been taken after the initial breach then understandably it would reduce the number of website impacted by malicious content, yet to perform it over a month later appears to be more of an 'in hindsight' thought.
While all action is good action, does it avoid the fact that resetting the password on a compromised accounts where 'evil ones' could have amended the email address for the account already.
If that is factored into their actions then how do they determine if the accounts password was amended by the owner or by other persons? Becuase if the password is changed then it must be the owner, right?
Thats a big assumption to be making.