By now you’ve surely heard about the breach of Hetzner’s South African database.
The data centre operator and website host disclosed this week that its database had been compromised by a SQL injection.
Hetzner chief executive officer Hans Wencke has penned a letter to customers apologising for the breach.
Within that letter however is a statement regarding the storage of passwords in plain text that will send shivers down your spine.
“Why have we been storing FTP and database passwords in plaintext? So that our support team could assist our customers by having this information on hand,” wrote Wencke.
The C-suite exec goes on to say that Hetzner believed it had adequate security in place to protect these passwords, but it was wrong.
“We are making the necessary changes that will allow us to delete all plaintext versions of FTP and database passwords,” added the CEO.
This is simply not good enough. We’re not sure how many folks would be comfortable with a member of a support team being able to see their password, but we most certainly are not.
Looking beyond the risk of storing passwords in plain text with zero encryption in the event of a hack – what if a Hetzner support team member felt they needed to take a site they didn’t agree with offline?
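As an added illustration (not code from Hetzner or from Wencke’s letter), this is the approach the article is asking for: the host keeps only a salted hash of each customer’s FTP or database password, so a database dump or a support query never yields the secret itself, and support staff reset a credential rather than read it. The record layout, function names and sample password are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: a credential store that holds only salted scrypt
# hashes. Names and record layout are assumptions, not Hetzner's schema.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> dict:
    """Return a storable record: random per-record salt plus scrypt hash."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(attempt.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def support_reset(store: dict, account: str) -> str:
    """What support can do instead of reading a password: issue a new one.

    The old record is overwritten, so the previous secret is never
    recoverable by staff, and a leaked dump only ever contains hashes.
    """
    new_password = secrets.token_urlsafe(12)
    store[account] = hash_password(new_password)
    return new_password  # handed to the customer once, not stored


if __name__ == "__main__":
    store = {"cust-42": hash_password("hunter2")}   # constructed account
    print("login ok:", verify_password(store["cust-42"], "hunter2"))
    print("stored record exposes plaintext:", "hunter2" in str(store))
    temp = support_reset(store, "cust-42")
    print("reset password verifies:", verify_password(store["cust-42"], temp))
```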
For all the measures a firm might have in place to protect a client’s data, people are unpredictable, as Twitter learned today.
Our hope is that this incident inspires change at Hetzner because the reasoning given by Wencke for storing passwords in plaintext is deeply concerning.
You can find the full text of Wencke’s letter over on the Hetzner website.