"A few days ago," the company announced, in what could serve as a model breach disclosure notice, "we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators." From here the hacker got access to the company VPN, and through the VPN he was "able to compromise the access of one of the system administrators who handles the internal backoffice."
What is remarkable in the OVH announcement is the level of detail and clarity with which the company described the incident. "I want to applaud them for being so frank and honest with their summary of the incident," Greg Day, FireEye's VP & CTO EMEA, told Infosecurity. "It is a clear and concise explanation of what happened and what they have done about it. Too many companies," he continued, "try to cover up such incidents that can leave both end customers' data exposed and very importantly shield businesses from the reality of what is happening today."
What happened was a concerted and persistent attack that continued until the hacker achieved the specific administrator access he sought. We don't know how the initial compromise happened – and possibly OVH still doesn't know – but it could have been a direct phishing attack on the initial employee, or that employee's re-use of a password that had been stolen in a completely unrelated breach.
But OVH has come clean on the security it had been using (a combination of password and geography – that is access only either from within its offices or via the company VPN). "In short," admits OVH, "we were not paranoid enough so now we're switching to a higher level of paranoia." The additional paranoia is the inclusion of a third factor for staff login: a YubiKey USB security token.
The purpose of the hack, suggests OVH, was to recover the database of European customers, and to gain access to an installation server in Canada. The European database included names, addresses, contact details and passwords. The passwords are hashed with SHA-512 and salted. "It takes a lot of technical means to find the [cleartext] password clearly," said OVH. "But it is possible. This is why we advise you to change the password for your user name."
"This latest compromise shines a light on a fundamental flaw in our systems," warns Sol Cates, CSO at Vormetric. "Privileged users are a target because of their access to data, and systems. By taking over the access rights of someone already on the system, hackers are able to easily circumvent the traditional perimeter defenses that would have once foiled their efforts, and gain access to the corporate network."
John Worrall, CMO at Cyber-Ark, agrees. "The critical part of this attack, and what every organization should take away from it," he warned, "is the fact that the attacker specifically targeted the system administrator to gain their privileged access. Once successful, the attacker was effectively able to move from system to system undetected until they reached the information they were looking for. In the case of OVH, this was personal information, such as names, addresses, cities, telephone records and account passwords."