Hetzner South Africa CEO Hans Wencke has apologised for the data breach that has taken place and said he “will not let this breach define” the company.
“We have always prided ourselves on being Trusted in Hosting. We understand that we have let you down. Trust is built one step at a time: with every customer conversation, every decision, every system update, every security patch, every effort we put into ensuring the stability and scalability of our platform,” said Wencke in a letter sent to customers on Friday.
“We will not let this breach define us as a company. We will work to regain your confidence. I firmly believe we will continue to provide you with a hosting service you can trust.”
On Wednesday, Hetzner, which is based in Midrand in Johannesburg, advised its clients on its website that its konsoleH Database was compromised.
The following details have been exposed:
- Customer details (name, address, ID number (if provided), telephone numbers and email addresses)
- Domain names
- FTP passwords, and
- Bank account details (cheque/savings). No credit card details are stored.
“We are deeply distressed by the data breach that has taken place at Hetzner. Allow me to offer our sincere apologies,” Wencke said to customers on Friday.
He urged customers to update all passwords associated with their Hetzner account immediately.
“We realise this takes time and effort and we are sorry for the inconvenience required to recover from the breach. We offer our full support to assist you – our 24/7 team is standing by to help you shoulder this administrative burden.”
He further assured customers that Hetzner has addressed the breach and is working around the clock to identify other similar vulnerabilities.
“Due to the breach, we must, unfortunately, assume that our customers’ data has been compromised. While we are able to see where and how the data was accessed, there is no way for us to determine how the exposed data will be used,” Wencke explained.
Why is Hetzner storing FTP and database passwords in plaintext?
The company says: “So that our support team could assist our customers by having this information on hand. We believed that the security measures we put in place were adequate to protect these passwords. We were wrong. We are making the necessary changes that will allow us to delete all plaintext versions of FTP and database passwords.”