Reading this thread has popped up a question I have to ask: How long have you all been in business? The ranting about WHMCS isn't going to go anywhere. This stuff happens, welcome to the internet. First day here?
I can remember around 2000 that really nothing was safe. Exploit here, exploit there, etc. The only safe way is to store everything in something like Quickbooks on a computer that doesn't even connect to the internet. But then you wouldn't have 90% of the features that WHMCS does for you, would you?
ClientExec v2.x: This was our first major "web based" system. We had a few RackShack servers and a couple scattered around. Then our data in this kept screwing up. For days we couldn't figure out why things were disappearing and changing. Then finally it was known...
With that, plus other bugs, we decided to move on.
ModernBill v4.x: It was great, but some serious exploits were coming out. Cross scripting, remote exploits, etc. were a big fad. Our ModernBill system got hacked while waiting for those guys to come out with a patch. Not only did they get our data, but they took full control of that server. I would say we had a couple dozen dedicated servers with RackShack (before ThePlanet) and maybe another dozen scattered around at other datacenters back then. So we had quite a few customers we had to contact with the "Sorry, but our software has been hacked and now the internet has your credit card info" emails. We lost about 40% of our customers from that. Then ModernBill 5 came out. Some of you might know how much that version was.
Shortly after this, we were having customer sites getting hacked with an exploit through the control panel we were using... Ensim. Lost more customers.
So we migrated to LXAdmin's control panel. Major exploit comes out. The main dev of it commits suicide. Yeah, no fixes, and everyone is confused about whether LXAdmin is even going to get updated, by who, etc.
Guess what? You guessed it. More customers calling and emailing and leaving.
Yeah, it's time to move on. Now we're a DirectAdmin and cPanel shop. Both have been great since then. After posting on several forums about what is good, there's WHMCS that people are recommending over and over. I check their site, they support everything I need (payment, control panels, etc.) and they've been great. I haven't had any problems in 3+ years with their product (well, maybe some minor upgrade hiccups) and right now their web site got hacked, but not by an exploit or bug in their software. By this and the ignorance of HostGator (still not confirmed?), they were able to access WHMCS's main database, site, cPanel, etc.
Then they put it on the internet. I found out when I got a call from an admin asking if I'd logged into WHMCS yet that morning. I told him no, and he said when I do, check out the news feed inside. Yes, the feed from Twitter. Right away I assumed my WHMCS setup was hacked. After 2-3 minutes of extremely high blood pressure, I finally realized that it's not me, but WHMCS's site. So I read the Twitter feeds, in which several feeds besides the hacker's were releasing news about WHMCS being hacked, just scrolling by. You have thousands of people on the internet who are now the reporters of the world. Blogs, news sites, forums, etc. all posting about WHMCS being hacked and linking screenshots of the defaced site, links to the files, etc.
So yeah, I did download the files. I am so sorry that I wanted to see what they got and whether it is in any way going to concern me and my business. For anyone ranting "Shame on you people downloading...", why are you not concerned if your info is inside? At the time I couldn't log into WHMCS to see EVERY ticket I've made over the years to see what info I supplied them. Do they have my admin password? I know I make temp accounts and, when the job is done, delete the accounts, but did I ever have to give them a MySQL username and password? Root's password? I'm 99.9% sure I didn't, but... damn right I am going to download these and see what data is now freely available to thousands or millions of people that would do something dishonest with either my credit card or any ticket information.
Now is when I have to see the bottom line. Yes, I may have to call and get a new card. I have others. I can wait a couple weeks for a replacement. I would hope you would too. But I would also hope you are smart enough to change passwords often. I would hope you are smart enough to make temp accounts for WHMCS to use and delete them when they finish whatever they needed to do. If you did, any ticket info is invalid since passwords have changed, accounts are gone, etc. Yeah, I now have a text file/database full of credit card numbers, names, addresses, phone numbers, etc. Am I stupid enough to risk the rest of my life and use any of this information illegally? No. Just like I would hope all of us wouldn't, and just wanted to see if any information would affect them. We're the ones affected; we're not the ones that have never even used WHMCS, never heard of it, don't care what WHMCS is, just get the credit card numbers and roll! So shame on me? Whatever. I did what was best for me and my family and my business, and that was to see if all 3 of those are safe. Actually, now I'm not even sure why I downloaded the other 2 files (WHMCS site files and WHMCS cPanel files) since I couldn't really give a s**t about those 2. I have WHMCS and cPanel, except the DB link wasn't working for a while so I thought maybe the DB was included in one of the other two.
Is this going to affect me? Wow, I spent a couple minutes changing my WHMCS.com password and changing passwords for anything that had to do with my WHMCS setup. Did I need to change my WHMCS passwords? No, but it just made me feel a little better inside with everything going on.
Is this going to affect my business? I doubt it. My customers' data is still safe. I don't have to send another "Oh no. I've been hacked again. Your credit card isn't just yours any more." email to my customers. I'm not going to lose a bunch and have financial problems for the next several months because of this. I can still use WHMCS.
You pissed off? You want to leave WHMCS? Fine. Go ahead, really. Now I'm wondering how many of you are even stable enough to run a business. Do you only have 1 credit card or debit card running your whole business? What if you lost your wallet? This crap is only affecting you. Not your customers. Not your business.