OVH Security Incident

OVH has come a long way. They used to be cheap and bad at service and totally incommunicado about any issues. Then a few years back something changed and they started to work on their image. Their still cheap, but their service is good and getting better and they seem to have nailed the communications angle. Good for them. Between OVH, Hetzner and Leaseweb the EU hosting space is doing fine.

The level of transparency in this report is great. Especially compared to things like the Linode incidents.

This is how you do a security incident disclosure.<p>I hope Apple is taking notes.

<i>&quot;The encryption password is &quot;Salted&quot; and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to find the word password clearly&quot;</i><p>&quot;clearly?&quot; OVH is wrong. Based on this information alone, it is not sufficient to say how costly it is to recover the password. SHA-512 needs to be <i>iterated</i> to make it costly to brute force.<p>For example, a raw SHA-512 hash, even salted, is not iterated and is easy to brute force. But multiple passes, as in crypt-SHA-512, are iterated and very costly to brute force.

Hacked again?<p><a href="https://bitcointalk.org/index.php?topic=186902.msg1936161#msg1936161" rel="nofollow">https:&#x2F;&#x2F;bitcointalk.org&#x2F;index.php?topic=186902.msg1936161#ms...</a>

If I was a customers, I&#x27;d be asking if &quot;based on SHA-512&quot; means some kind of iterated algorithm, or if have they lost my password?

&quot;After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators.&quot;<p>That translates to password reuse, or an insecure password.

<p><pre><code> An email will be sent today with the new password </code></pre> Password in plain-text? I understand the convenience factor but doesn&#x27;t sound very secure...