To change the password for a customer ID, you have to go to the OVH website and request this change for the NIC handle concerned. An email containing a unique URL will be sent to the email address associated with that account. This URL will contain 21 randomly generated characters. The 21 characters are generated by 3 random algorithms, which each generate 7 characters. The recipient can then click on the link to obtain the new password. A confirmation email will then be sent, stating that the password has been changed. All of the emails that OVH sends will contain the IP address of the person who has taken the action.
This procedure has been in place for at least 7 months and has not been changed since.
On April 26th, we detected an internal problem with the generation of the 21 characters. 2 out of the 3 random functions that we use in the code were not generating an authentic random sequence. It was possible to request a password change for a customer ID, and then find the "unique" URL emailed to the customer by brute force. The problem was found by an internal developer on April 26th at 11:03:14 and it was fixed at 12:54:13. The cause of the problem was linked to the rand function used in this part of the code: it had not been patched to the same extent as the rest of the code when the script execution cache was activated. We have replaced the old function of 3 sequences generating 21 characters with 2 authentic random functions generating 64 characters.
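The following is an added example, not OVH's own code, illustrating the two sides of the fix described above: a reset-URL token drawn from the operating system's CSPRNG (Python's secrets module) beside the failure mode of a seeded, non-cryptographic generator that repeats itself, plus a constant-time check of the presented token. The 62-symbol alphabet and the integer seed are assumptions for the example; the page does not state OVH's alphabet or how its rand function was seeded.

```python
import hmac
import math
import random
import secrets
import string

# Token alphabet (assumption: OVH's actual alphabet is not stated on the page).
ALPHABET = string.ascii_letters + string.digits   # 62 symbols, ~5.95 bits each
TOKEN_LENGTH = 64                                  # length the post says was adopted


def generate_reset_token(length: int = TOKEN_LENGTH) -> str:
    """Build a reset-URL token from the OS CSPRNG via the secrets module.

    secrets.choice draws from os.urandom-backed randomness, so there is no
    seed or internal state an outside party can recover, and every token is
    independent of the ones issued before it.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def predictable_token(seed: int, length: int = 7) -> str:
    """The failure mode the post describes: a non-cryptographic generator
    seeded from a low-entropy value (here an integer seed, an assumption)
    emits the same 'random' characters every time that seed recurs, so the
    7-character segment is guessable rather than unique."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def token_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a token drawn uniformly: length * log2(alphabet size).
    21 chars over 62 symbols is ~125 bits; 64 chars is ~381 bits, but only
    when every character really comes from a CSPRNG."""
    return length * math.log2(alphabet_size)


def verify_token(presented: str, stored: str) -> bool:
    """Compare in constant time so response timing does not reveal how many
    leading characters of a presented token matched."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    tok = generate_reset_token()
    print(f"token ({len(tok)} chars, ~{token_entropy_bits(len(tok)):.0f} bits): {tok}")
    print("seeded PRNG repeats itself:", predictable_token(42) == predictable_token(42))
```

The design point is that token length only helps when the generator is unpredictable: the entropy figure above assumes uniform draws, and a seeded generator collapses it to the entropy of the seed.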
We then ran searches on our databases to verify whether the loophole had been exploited and if so, when. We tracked the log of password changes for your IDs for the last 3 years. We actually have authorisation from the CNIL (the French data protection authority) to archive and exploit all our back office logs for the last 10 years, precisely for this type of situation.
We detected three password changes carried out by brute force on 3 customer IDs with active services. These 3 cases involved an attack aimed at the "bitcoin" community that uses OVH services. The hacker seems to have found the loophole on April 23rd at 22:00 and ran a significant number of tests to develop their tactics over a period of 1 hour. At 23:00 it had been perfected and the 1st ID was hacked, followed by the other 2 the next day (all from the "bitcoin" community). We were in contact with these customers, but the quality of the exchanges prevented us from obtaining sufficient information to identify this loophole. Thanks to our internal developers, we fixed the problem in a totally independent manner. Only then did we begin to make the connection between the loophole we had just fixed and these 3 customers. We have certainly learnt a lesson on how to communicate with customers in this type of situation.
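As an added example (not OVH's tooling), the following shows the kind of back-office log search described above: an hour of token guessing shows up as a burst of rejected reset-link hits from one source IP, and the accounts whose password was then changed from that same IP are the ones to re-secure first. The log format (timestamp, event name, nic, ip) and the sample lines are constructed for this example; the real OVH logs are not shown on the page, and the IPs come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source makes a reset request and then hits the
# reset endpoint with invalid links for almost an hour before a change succeeds;
# two other sources behave like ordinary users (one mistyped link at most).
SAMPLE_LOG = """\
2013-04-23T22:00:10 reset_requested nic=abc1-ovh ip=198.51.100.7
2013-04-23T22:00:31 reset_link_rejected nic=abc1-ovh ip=198.51.100.7
2013-04-23T22:11:02 reset_link_rejected nic=abc1-ovh ip=198.51.100.7
2013-04-23T22:24:48 reset_link_rejected nic=abc1-ovh ip=198.51.100.7
2013-04-23T22:37:15 reset_link_rejected nic=abc1-ovh ip=198.51.100.7
2013-04-23T22:51:09 reset_link_rejected nic=abc1-ovh ip=198.51.100.7
2013-04-23T23:01:17 password_changed nic=abc1-ovh ip=198.51.100.7
2013-04-24T10:00:00 reset_requested nic=def2-ovh ip=203.0.113.5
2013-04-24T10:04:12 password_changed nic=def2-ovh ip=203.0.113.5
2013-04-24T11:00:00 reset_requested nic=ghi3-ovh ip=192.0.2.9
2013-04-24T11:02:00 reset_link_rejected nic=ghi3-ovh ip=192.0.2.9
2013-04-24T11:05:00 password_changed nic=ghi3-ovh ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) nic=(?P<nic>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Parse lines into (timestamp, event, nic, ip) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["event"], m["nic"], m["ip"]))
    return events


def rejected_link_bursts(events, window=timedelta(hours=1), threshold=5):
    """Map ip -> peak number of rejected reset-link hits inside any sliding
    window, for IPs at or above the threshold. A legitimate user mistypes a
    link once or twice; a token search produces a stream of rejections."""
    times_by_ip = defaultdict(list)
    for ts, event, _nic, ip in events:
        if event == "reset_link_rejected":
            times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def changes_after_burst(events, flagged):
    """NIC handles whose password was changed from a flagged IP, i.e. the
    accounts to contact and re-secure first."""
    return sorted({nic for _ts, event, nic, ip in events
                   if event == "password_changed" and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = rejected_link_bursts(evs)
    print("suspect sources:", bursts)
    print("accounts changed from those sources:", changes_after_burst(evs, bursts))
```

The threshold and window are tunable; the point is that the signal is the rejection stream preceding a successful change, not the successful change alone, which looks identical to a legitimate reset.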
We took a while to communicate this as we quickly saw that the impact was very small (3 IDs only), and we wanted to take the time to check everything thoroughly and make sure that only 3 customers from the "bitcoin" community had been affected. Today, we finished running the searches dating back 3 years and we can already conclude that no other customers have been affected. We will nonetheless continue running searches dating back 10 years, in order to find any potential brute-force URL password changes, although the likelihood of this is nil.
I think that despite the minimal impact on our customers, you must be informed of this security incident that we had to deal with last week. We have implemented a code review on three of the very old parts of the OVH system, which had not been rewritten for several years, so as to thoroughly check that there is no other impact. We are in the process of looking at how we can improve communication between OVH and customers in such situations, bearing in mind that two out of the 3 customers are from our subsidiaries.
Yes, we have had a security breach allowing customer ID password changes via a rather complex procedure which included brute force. We advise customers with sensitive services to limit manager access to certain IPs only.
Yes, three customers of the "bitcoin" community were affected by this vulnerability. It is important to read the emails that OVH sends automatically, including emails regarding password changes that were not requested by you, and emails confirming password changes. In this situation, do not hesitate to call our 24/7 incident team and they will temporarily block your account while we investigate.
No, there has not been any breach of our client database.
No, other clients have not been affected.
We apologise sincerely to the 3 clients that have been affected and we invite them to make contact with our commercial teams (in French)