On Monday, February 20th, the SOC team received alerts notifying us of logon attempts to our internal systems from the server which used to host the former OVH forum. This server had been isolated since April 2015, following a compromise of the forum, and had been unused since then. It should have been shut down at that time, but it remained powered on. We analyzed it and found evidence of malicious activity. In fact, a hacker connected to this server and managed to access, again, the former database of forum users which had already been compromised in 2015 (an incident that we reported to the forum members as well as to the French national information science and liberties commission:
How did the hacker manage to access the former forum server? This goes back to February 17th, 3 days before the alerts. On that date, the hacker managed to connect to the server from a former edge server (b10) which had been unused for 2-3 years. All sensitive data had been erased from this server. 2-3 years ago, during a migration and the redesign of our internal bastions, the server b10 was retired and should have been shut down at that time.
We spent the last 72 hours analyzing the logs to understand what the hacker did and could have done. The hacker gained access to server b10 three weeks ago. He made many logon attempts from b10, but all of them failed. After 3 weeks, he managed to access the former forum server. We think that he may have cracked a password hash on the b10 server (one that was accidentally left in /etc/shadow) and that this password may have worked on the former forum server as well. We haven't used passwords for many years, but it seems that these 2 old servers were never properly sanitized.
We don't see any access by the hacker aside from these 2 former servers. We didn't detect any access to sensitive data. There was no internal database leakage. You don't need to change the passwords you use at OVH nor do you need to reinstall your services, obviously. No bastion was compromised. No private key was stolen.
To ensure complete peace of mind, we are still analyzing the entire inner perimeter. Even though the hacker couldn't access sensitive data, we are taking this incident very seriously. As a precaution, we are inspecting all the internal infrastructure, and we are taking this opportunity to shut down the servers that should have been shut down and to get all the systems fully straightened out. These operations should have been performed a year ago.
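The root cause described above is a retired host that still carried a usable password hash in /etc/shadow. The following added example, which is not OVH's own tooling, shows the kind of check a decommissioning or sanitization pass can run: it lists every account whose shadow entry is a real hash (or an empty field) rather than a locked marker, and labels the hash algorithm so weak, crackable formats stand out. The shadow lines are constructed sample data, not from any real server.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (name:hash:lastchg:min:max:warn:inactive:expire:flag).
# "!" / "!!" / "*" in the hash field mean the account is locked; an empty field means
# no password is required at all; anything else is a hash an attacker could try to crack.
SAMPLE_SHADOW='root:!:17000:0:99999:7:::
legacy-admin:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:16500:0:99999:7:::
svc-forum:*:16800:0:99999:7:::
deploy:$1$old$hashhashhash:15000:0:99999:7:::
nobody:!!:16000:0:99999:7:::
oldbackup::15500:0:99999:7:::'

# Reads shadow-format text on stdin; prints "<account> <algorithm>" for every
# account that could still be logged into with a password.
usable_password_accounts() {
  awk -F: '
    $2 ~ /^[!*]/ { next }                      # locked account: nothing to crack
    $2 == ""     { print $1, "EMPTY (no password required)"; next }
    {
      algo = "descrypt (weak)"                 # legacy 13-char DES crypt by default
      if      ($2 ~ /^\$6\$/)       algo = "sha512crypt"
      else if ($2 ~ /^\$5\$/)       algo = "sha256crypt"
      else if ($2 ~ /^\$y\$/)       algo = "yescrypt"
      else if ($2 ~ /^\$2[aby]?\$/) algo = "bcrypt"
      else if ($2 ~ /^\$1\$/)       algo = "md5crypt (weak)"
      print $1, algo
    }'
}

# Runs the check over the constructed sample; on a live host run the same
# function as root against /etc/shadow: usable_password_accounts < /etc/shadow
audit_sample() {
  printf '%s\n' "$SAMPLE_SHADOW" | usable_password_accounts
}

audit_sample
```

On a host that is meant to be key-only, this should print nothing; every line it does print is an account to lock (e.g. `passwd -l`) before the machine is left running or, better, a reason to power it off as planned.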
Security is a core priority in our business. The trust that you place in us is based on it. When we do not achieve the desired level of security, even in an event that does not impact you directly, we owe you the greatest transparency. This is why we created this task.