While WHMCS did not provide the total number of breached records, that number was reported by The Register as 500,000, citing Pastebin posts by UGNazi.
The company admitted that credit card information was stolen as the result of a social engineering attack in which the hackers impersonated Matt Pugh, a WHMCS developer.
“The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details….This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself”, wrote Pugh in a blog entry on Monday.
In addition, the hackers launched DDoS attacks against the company and hacked into its Twitter account. On Wednesday, Pugh appealed for help in regaining access to the company’s Twitter account.
“Our Twitter Account remains out of our control. Does anybody know of any way to contact them or get any assistance from their side to regain control? We have got no response to our requests to them in over 36 hours now”, Pugh wrote.
“As soon as we have things completely back under control, we will be reviewing all our systems and operating procedures, and making changes as and where appropriate. Steps are already in progress to migrate to a new hosting infrastructure as a first priority. This will likely mean some brief downtime in the coming hours”, he said.