
Following our founding principles of transparency and honesty, we need to let you know about a security incident that occurred on the 18th December 2024.

Quick summary: A third party obtained access to an internal system, was able to generate cPanel login tokens and uploaded a back door to a small number of cPanel accounts (including one of yours). No customer or website data was accessed or compromised. The back door was identified and removed within a few hours and was not used by the third party. The original vulnerability in our internal system has been fixed.

So, what happened?

Our staff identified a potential ongoing security compromise within our internal systems and immediately commenced an investigation to determine the impact and worked to ensure all accounts were safe.

Our investigation quickly determined an unauthorised third party had been able to use this vulnerability to upload malicious files to a small number of cPanel accounts (less than 0.5% across our platform) belonging to our customers. Unfortunately, this included one or more accounts that are owned by you.

These files introduced a back door which would have allowed this third party, under specific circumstances, to execute their own code within your account. As soon as this was discovered, we were able to remove these files before they could be used for nefarious purposes. Upon examining logs, we have no evidence that any activities took place to utilise these 'back doors' and we're confident that our other security measures would have prevented their use too.

Is my data safe?

Yes - we examined logs to determine the impact on your account and can confirm that no personal information, website data or passwords were accessed or compromised during this incident.

What actions were taken

Here’s how we responded to keep your accounts and our systems secure:

  1. Issue detected:

    • At 19:55 on 18th December, an incident was raised internally when a Technical Support Agent noticed some suspicious activity in the helpdesk.

    • This incident gathered together key people from our infrastructure, software engineering and senior management teams and an investigation was launched.

  2. Investigation:

    • The investigation showed that a cross-site-scripting vulnerability within our internal systems had allowed a malicious third party to run some JavaScript within the browser of one of our technical support agents.

    • Using this, they were able to generate cPanel single sign-on tokens and then use these to gain access to the cPanel accounts themselves.

    • Once authenticated to cPanel, a malicious file was uploaded using the file manager API.

  3. Precautionary steps taken:

    • During the investigation, we disabled access to cPanel across our entire fleet in order to protect systems until we could determine our exposure. This access was subsequently restored later in the night.

  4. Resolution deployed:

    • A dedicated incident team made up of system administrators, software engineers and senior management worked throughout the evening to resolve the issue.

    • While the investigation was ongoing, our development team had resolved the original vulnerability in our internal systems to ensure such an exploit could not be repeated in the same manner.

Moving forward

No system is 100% secure, but we try extremely hard to make sure ours are as secure as we possibly can. Following this incident, we have already implemented a number of improvements to our systems and have more to implement in the coming weeks. 

If you have any questions or concerns, please feel free to contact me directly at ben.oates@krystal.io

Thank you for your understanding and continued support.

Kind regards,

Ben Oates
Head of Support,
Krystal Hosting