DreamHost customers should change their passwords ASAP.
That's the word from the Web-hosting service and domain name registrar, which sent an e-mail to customers last night saying that their FTP passwords may have been accessed by hackers.
The company said it had reset all customer FTP passwords as a precaution and that users would have to create new ones by logging in to their DreamHost Web panel. It also advised customers to change their e-mail passwords, though it said e-mail passwords and billing information were not accessed.
DreamHost added today that handling new password requests was taking some time:
"Processing user updates is taking longer than usual due to the sheer number of customers requesting password changes on our system," the company said in a status update posted to its Web site. "We understand your desire to get things working in an expeditious manner and we are working hard to get you there. We're examining ways of decreasing the queue depth, but we're still faced with the fact that there is a considerable amount of work to be processed and apologize for the delay."
As of 11 a.m. PT today, the company said password changes would take one to two hours to fully update.
Customers should also take note of the following caution about phishing schemes, which closed last night's heads-up e-mail:
"DreamHost will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any other e-mails that ask for personal information or direct you to a Web site where you are asked to provide personal information."
Here's the complete text of last night's warning e-mail:
IMPORTANT INFORMATION: We are writing to let you know that there may have been illegal and unauthorized access to some of your passwords at DreamHost today. Our security systems detected the potential breach this morning and we immediately took the defensive precaution of expiring and resetting all FTP/shell access passwords for all DreamHost customers and their users. There are three different types of passwords at DreamHost: a Web panel password (for logging in to the panel), e-mail passwords, and FTP/shell access passwords. Only the FTP/shell access passwords appear to have been compromised by the illegal access. Web panel passwords, e-mail passwords, and billing information for DreamHost customers were not affected or accessed. Refer to the following DreamHost status post for details: http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-passwords-due-to-security-issue/
IMPORTANT ACTION REQUIRED:
1. To create a new FTP/shell access password for your DreamHost account, please log in to your DreamHost Web panel (https://panel.dreamhost.com/), select "Manage Users" in the top left, then select "Edit" next to each user, and type in a new password. Make sure you click "Save Changes" at the bottom of the page.
2. We are also requesting that you change your e-mail password. We are not enforcing this change at this time as we do not believe that e-mail passwords were compromised. However, we strongly recommend that you change your e-mail password as a precaution. To change the passwords for your e-mail users or yourself, log in to the DreamHost panel at (https://panel.dreamhost.com/), select "Manage Email" in the top left, select "Edit" next to each e-mail user address, and choose a new password for each. Make sure you click "Save Changes" at the bottom of the page.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please contact us through the support page in the panel.
Note that DreamHost will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any other e-mails that ask for personal information or direct you to a Web site where you are asked to provide personal information.
The DreamHost Team