Quick translation (I'm French and a big customer of OVH):
This URL is formed of 21 chars using 3 different RAND algorithms, each of which creates 7 chars (7x3 = 21). After this, the client receives an email with this unique URL.
[snip]
This is a procedure that has been used for 7 years and didn't change.
[snip]
On the 26th of April, we (OVH) saw this problem. 2 of the 3 functions that generate the RAND number were "not really rand" (quick translation). So this "unique" URL can be bruteforced (only 1/3 of the string was RAND).
This problem was discovered on the 26th of April at 11:03:14 (maybe French time, GMT+1?) and was fixed at 12:54:13.
A patch has been developed to use corrected RAND functions.
Some changes have been made to use 2 real new RAND functions/algorithms.
[snip]
Afterwards, we made a big search in our database to find out if other clients had been compromised during the last 3 years. (OVH is allowed to keep 10 years of logs, according to the CNIL agreement (Wikipedia CNIL: http://en.wikipedia.org/wiki/CNIL).) Now we (OVH) are going back 10 years to be sure...
[snip]
(Personal note): more about the hack & Bitcoin community
We found 3 IDs that had been hacked; in these 3 cases, the "bitcoin" community using OVH services was targeted. The hacker found the exploit on the 23rd of April at 22h, testing for an hour. At 23h, the exploit method was working and the first OVH ID was hacked. The day after, 2 other Bitcoin OVH IDs were hacked.
We have been in contact with these clients, but the quality of the exchanges didn't help us find the problem/security hole. One of our internal devs finally found the hole and fixed it. We certainly must find some lessons to learn in the way we speak with our customers about this kind of problem.
[snip] (Line 72 on pastebin)
It took a long time to communicate about this, because we saw it had a really "small" effect (not sure about my translation of this), "only 3 clients", and we wanted to check completely whether there were only 3 clients affected or more before speaking about this issue...
[snip] From line 86 on, more "commercial" talk; I won't translate it.
Please note: I don't work at OVH, I'm just a bitcoin user and an OVH customer working on dedicated servers.
Edit: my translation may be "really bad"; I tried to do my best as quickly as I could to share the information. This email was from the OVH mailing list called "hosting".
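Added example (not from the OVH email or this post) of the 3x7 token layout described above: two constructed low-entropy segment generators beside a CSPRNG one, the guessing-space comparison, and a sampling check that flags segments whose observed entropy is far too low. The character set and the 16-value weak generator are assumptions for illustration.

```python
import math
import secrets
import string
from collections import Counter

# Assumed layout from the post: 3 segments of 7 chars (7x3 = 21); charset is an assumption.
ALPHABET = string.ascii_lowercase + string.digits
SEGMENT_LEN = 7
SEGMENTS = 3

def weak_segment(seed: int) -> str:
    """Constructed stand-in for a "not really rand" segment: only 16 distinct
    outputs, so it repeats across tokens and contributes almost no entropy."""
    return format(seed % 16, f"0{SEGMENT_LEN}d")

def strong_segment() -> str:
    """Segment drawn from the OS CSPRNG (secrets), what a fix should use."""
    return "".join(secrets.choice(ALPHABET) for _ in range(SEGMENT_LEN))

def make_weak_token(request_no: int) -> str:
    """Token with 2 of 3 segments weak, as the post describes (constructed)."""
    return weak_segment(request_no) + weak_segment(request_no * 7) + strong_segment()

def make_strong_token() -> str:
    return "".join(strong_segment() for _ in range(SEGMENTS))

def search_space_bits(random_segments: int) -> float:
    """Bits that must be guessed when only `random_segments` are unpredictable."""
    return random_segments * SEGMENT_LEN * math.log2(len(ALPHABET))

def segment_entropies(tokens) -> list[float]:
    """Empirical Shannon entropy (bits) of each segment across a token sample."""
    n = len(tokens)
    result = []
    for i in range(SEGMENTS):
        counts = Counter(t[i * SEGMENT_LEN:(i + 1) * SEGMENT_LEN] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def flag_weak_segments(entropies, sample_size: int) -> list[int]:
    """Indices of segments whose observed entropy is under half the maximum
    possible for the sample (log2(sample_size)): a sign of a weak generator."""
    limit = 0.5 * math.log2(sample_size)
    return [i for i, h in enumerate(entropies) if h < limit]

if __name__ == "__main__":
    sample = [make_weak_token(i) for i in range(1000)]
    print("weak segments:", flag_weak_segments(segment_entropies(sample), 1000))
    print(f"full space {search_space_bits(3):.1f} bits vs 1-of-3 random {search_space_bits(1):.1f} bits")
```

The same sampling check can be pointed at any token generator's output to catch segments that repeat far more than a random source would.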