Cyber Incident Victim: ThrustVPS

Date: Jan 2014

Location: United Kingdom

Summary

A virtual private server provider experienced a security breach when an attacker compromised its WHMCS installation to upload a PHP shell and mailer script, enabling phishing attacks originating from the company's infrastructure. The firm promptly removed malicious files, secured affected systems, notified customers, and advised password resets while clarifying that no financial data was stored or exposed. Customer reactions varied, with some criticizing communication delays during downtime while others commended the transparency and swift resolution of the incident.

Description

In January 2014, ThrustVPS, a virtual private server provider, experienced a security breach when an attacker compromised its WHMCS (Web Host Manager Complete Solution) installation. The attacker uploaded a PHP shell and a mailer script to ThrustVPS’s servers, enabling them to launch a phishing attack directly from the company’s infrastructure. The incident first came to public attention through social media, with initial discussions appearing on Twitter before a Reddit user posted a warning about a potential "honeypot." ThrustVPS confirmed the breach in an email to customers, acknowledging that the phishing attack originated from their compromised server. The company’s administrative team removed the malicious files and secured the affected server, assuring customers that no credit card information was stored on their systems, thereby eliminating financial data exposure risks. As a precaution, ThrustVPS instructed customers to log in and update their passwords. The company also stated it was implementing additional security measures to prevent future incidents, though specifics were not disclosed in the available sources.

Public reactions to the breach were mixed, as reflected in Twitter exchanges. Some customers criticized ThrustVPS’s communication and operational reliability, citing prolonged downtime and lack of updates during the incident. For example, one user accused the company of having "done a runner," while another questioned whether attackers had exfiltrated database copies. Conversely, other customers commended ThrustVPS for its transparency and rapid response, with one user praising the team for promptly notifying customers and resolving the issue. ThrustVPS later tweeted that the situation had been fully resolved, though the timeline between the breach’s detection and full remediation remains unspecified in the source material. The company’s direct admission of the breach and proactive customer notification represented an atypical approach compared to industry norms at the time, where silence or delayed disclosures were more common. No additional technical details about the attack vector, such as how the WHMCS installation was initially compromised, were provided in the cited article.
