Security alert at Hover leads to password reset

Domain name registrar Hover has emailed users warning of possible "unauthorised access" to one of its systems, and told them that they will not be able to log into the service until they reset their passwords.

In short - Hover, which is part of the Tucows empire, is worried that bad guys might have accessed account information.

Here is the email Hover sent out:


We are writing to let you know that we reset your password today. If you are unable to log into your Hover account, you will need to use the “I forgot my password” option on the sign in page to change your password.

We did this as a precautionary measure because there appears to have been a brief period of time when unauthorized access to one of our systems could have occurred. We have no evidence at all that any Hover accounts have been accessed, but even the possibility that this could have happened moved us to err on the side of extreme caution.

There are no more clues that I could find on Hover's website. But if you visit its homepage you will find a link inviting you to reset your password if you have problems logging in.


The dearth of information leaves a vacuum that observers will no doubt fill with their own guesswork.

  • Did a Hover employee have their account hacked, giving a third party access to the user database? We don't know.
  • Did Hover identify suspicious activity on its servers? We don't know.
  • If there was unauthorised access to one of Hover's systems, what kind of data might have been exposed? Email addresses, DNS records, passwords, payment information? We don't know.
  • How many Hover users might be affected? We don't know.

Frankly, I think Hover would do themselves a favour by being a little more transparent about what is going on - even if they don't have all the answers yet.

One thing I would suggest in the meantime, however, is that if you were using the same password on other websites as you were using on Hover, you would be wise to change it. Just for safety's sake.

You should always use different passwords for different sites - because if one gets hacked, you don't want to experience the domino effect of your other online accounts falling at the hands of hackers.

Oh, and if you have a Hover account, it's probably a good idea - once you have reset your password - to enable two-factor authentication as well.



7 Responses

  1. Michael

    August 5, 2015 at 2:04 pm

    Hi Graham, Michael from Hover here. Thanks for the article and updating your readers on what's going on. Believe me, we would love to tell people exactly what's going on. Openness and transparency is always our goal. We've been working round the clock to learn more about what happened and ensure that it won't happen again, so to publish detailed information now would potentially make our system vulnerable. If we are able to share more information I will be sure to personally send it your way.

    • Graham Cluley in reply to Michael.

      August 5, 2015 at 2:19 pm

      Thanks Michael. I appreciate your response, and I'm sure Hover customers reading this will be grateful too.

      A company which responds poorly to a security incident can often find itself in deeper water than that caused by the security incident itself, so it's good to see you proactively post here, even if you don't have any further detailed information to share at this moment.

      Obviously it's important to verify and be sure that you have everything covered, but if there is any further insight you can share as to what you're certain *isn't* at risk (for instance, can payment card information be excluded at this point? Many companies don't store that kind of data themselves, and so it may be an easy thing to reassure folks about) then that would be great.

  2. Michael

    August 5, 2015 at 5:14 pm

    We can’t go into much detail as this investigation is ongoing, but to your specific question, we store encrypted credit card numbers in our database for customers not using Paypal, and there is no evidence that credit card information was accessed.

  3. Paolo Klay

    August 24, 2015 at 9:00 pm

    As a Hover customer, I would like to report the company has been unable to provide me with working two-factor authentication for THREE FULL WEEKS after they got hacked. The company seems to have completely dropped the ball. I've had a support person keep telling me they are working on it, but I still cannot receive an SMS notification from their system to set up authentication. I think Hover representatives are friendly, but I doubt I will renew my domains with this company when they cannot even address my basic need for security.

    • James in reply to Paolo Klay.

      August 24, 2015 at 11:10 pm

      Hi Paolo,

      Not sure of the specifics of your situation, but we're not experiencing any issues with two factor auth, either by SMS or using an app. If you want, you can email me (james@hover.com) and I'll look into it for you.

      James

    • Paolo Klay in reply to Paolo Klay.

      August 29, 2015 at 10:39 am

      UPDATE: Hover is Canadian (Tucows) and their international SMS was being blocked by my U.S. service which is an unlimited text plan, but some plans don't accept international texts.

      My fault was in not being more aggressive with their first level support that either did not consult their SMS logs or didn't bother to validate for me they were showing as having been delivered. Instead, they were hoping engineering would solve it and for three weeks kept telling me they were working on it. Their SMS was technically functioning, but this bottleneck could have been identified immediately and quite easily.

      As a business process, their messages may need to be routed to different countries from separate country or area codes to avoid some cell phone plans from blocking their authentication messages.

      Just following up to say what it was and that James did work with me to resolve the issue.

  4. Anonymous

    August 25, 2015 at 2:08 pm

    That's a very poor email that Hover sent out to its users:

    "Dear Hover Customer"
    > URL to reset password embedded in the message.

    If it wasn't for the fact you said it was an official piece of correspondence I would have marked the message as spam from its appearance.
