From there, company founder Octave Klaba wrote, the hacker was able to access another employee’s internal VPN, which they then used to compromise the account of another system administrator who handles the company’s back office.
The company says the hacker successfully accessed OVH’s Canadian installation server system, along with its European customer database, which includes customers’ full names, addresses, phone numbers, fax numbers and salted and hashed passwords.
“No credit card information is stored at OVH,” Klaba wrote. “Credit card information was not viewed or copied.”
Following the incident, the company says it reset all employee passwords, set up a new VPN with highly restricted access, and added a YubiKey USB security token as a requirement for all critical access.
“Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases,” Klava added. “In short, we were not paranoid enough so now we’re switching to a higher level of paranoia.”