The Gandi Community

Correction of a Simple Hosting security breach via Git

A security breach affecting Simple Hosting instances that use Git was corrected last night. It came to our attention that an authentication problem allowed unauthenticated read access to the Git repository directory through the web-based access panel. A notification of the incident was sent to customers whose instances have at least one Git repository (about 5% of Simple Hosting instances). If you have never used Git on your instance, this message does not concern you.

Incident timeline (in UTC):

  • 6:10 PM on May 31st: our technical teams were made aware of an authentication problem concerning access to the web-based Git repository interface.
  • 6:15 PM: our teams blocked access to the web-based access panel (cgit) of Simple Hosting instances in all of our datacenters.
  • 6:44 PM: a fix was put in place on all instances impacted in the FR-SD3, FR-SD5, and FR-SD6 datacenters.
  • 7:25 PM: the fix was applied to instances impacted in our LU-BI1 datacenter.
  • 9:40 PM: access to the web-based access panel was re-established.

After investigation, we found that this security flaw had existed since the migration of instances from FR-SD2 to our new datacenters, and on all instances created since October 4th, 2017.

Current situation:

Authentication has been re-established for the git repository’s web-based access panel.

We have not yet found any evidence of intrusion and, because the issue concerned a read-only access panel, your data could not have been modified through it. Unfortunately, we cannot guarantee that the data was not read by a third party. We therefore recommend that you change every password and credential for any service that was stored in a Git repository on your instance, including credentials that were committed in the past and later removed, since they remain readable in the repository's history.

If you want to check the access logs of your instance, they are available from the Control Panel of each instance in the “Apache Logs” section.
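As an added illustration (not code from Gandi or the original post), the following Python script scans Apache combined-format access log lines, such as those exported from the "Apache Logs" section, for successful requests to the cgit panel during the exposure window from addresses you do not recognise. The `/cgit/` URL prefix, the combined log format and the 2018 year of the fix are assumptions, and the sample log lines are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Apache "combined" log format. Assumption: the Apache Logs section uses this
# format; adjust LOG_RE if your log lines differ.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Exposure window taken from the post: from October 4th 2017 until the panel was
# re-enabled at 21:40 UTC on May 31st. The year of the fix is not stated on the
# page; 2018 is an assumption.
WINDOW_START = datetime(2017, 10, 4, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 5, 31, 21, 40, tzinfo=timezone.utc)

# URL prefix under which the cgit panel is served: assumed, change it to the
# prefix you actually see in your own logs.
CGIT_PREFIX = "/cgit/"

# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2018:03:14:07 +0000] "GET /cgit/myapp.git/tree/config/database.yml HTTP/1.1" 200 1843 "-" "curl/7.58.0"
198.51.100.20 - - [12/Jan/2018:09:00:01 +0000] "GET /cgit/myapp.git/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2018:10:00:00 +0000] "GET /cgit/myapp.git/ HTTP/1.1" 401 512 "-" "curl/7.58.0"
198.51.100.20 - - [12/Jan/2018:09:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "time": ts.astimezone(timezone.utc),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def suspicious_hits(lines, known_ips=frozenset()):
    """Return entries for cgit requests that were actually served (2xx) inside the
    exposure window and came from addresses not listed in known_ips.

    A 401 means authentication was enforced, so only 2xx responses indicate that
    repository content was returned without a login.
    """
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if not e["path"].startswith(CGIT_PREFIX):
            continue
        if not (WINDOW_START <= e["time"] <= WINDOW_END):
            continue
        if not 200 <= e["status"] < 300:
            continue
        if e["ip"] in known_ips:
            continue
        hits.append(e)
    return hits


if __name__ == "__main__":
    # Put your own addresses (office, CI, deploy hosts) in known_ips so that
    # only unfamiliar readers of the panel are reported.
    for hit in suspicious_hits(SAMPLE_LOG.splitlines(), known_ips={"198.51.100.20"}):
        print(hit["time"].isoformat(), hit["ip"], hit["path"])
```

Any hit reported here is a request that the cgit panel answered with content while authentication was not enforced; the path shows which file or tree listing was read, which tells you which credentials to rotate first.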

If we find any problematic entries during our investigation, we will update this post and contact each of the impacted customers by email.

If you have any questions about the impact of the incident on your Simple Hosting instance, feel free to contact our Customer Care team.