VMHaus Personal Data Breach

On the afternoon of Sunday 24 May 2020, we became aware that a stolen copy of a database backup containing some of our customers’ personal data dating from 30 October 2018 had been posted online. We regret to inform you that your account was included in this breach. Even if you are no longer a customer and your account has since been deleted, it was in our database on 30 October 2018 when the data was taken.

The compromised data includes the names and contact details for everyone who was or had been a customer on 30 October 2018, including their email addresses, postal addresses and phone numbers. It also holds cryptographically hashed copies of control panel passwords, some details of payments made, and the content of every support ticket they had filed. Details of your services, including hostnames and IP addresses, were also leaked.

While this is clearly a very serious data breach, the database does not have any credentials for accessing servers, unless they were disclosed in support tickets and not changed in the following 18 months. Nor do the payment details contain any credit card or bank account numbers, and as all payments are received via PayPal, we could not access that information if we wanted to. No filesystem snapshots are included in the compromised data, so we are completely confident that any data on your server remains secure.

Cryptographically hashed passwords are the industry standard for storing login details to websites, and they provide a reasonable degree of security in the event that the database is compromised. However, when insecure passwords have been used, such as dictionary words, common names or dates of birth, they can be cracked fairly easily offline. Mindful of this, we have disabled any accounts that have not since been removed and whose password has not been changed since 30 October 2018. If this applies, you will need to do a password reset before you can log in. There is a link to do this on the login page:

https://bonsai.vmhaus.com/

If you use the same password on other systems, please reset those passwords too. It is best practice to use a separate, randomly generated password for each site, and store these in a password manager or other secure location, rather than to memorise a single password which you use everywhere.

We have clear and compelling evidence that this data was posted online by a former director of VMHaus Ltd named Wai Hoe Au Yong, who also uses the online name Auriga. We believe that he illegally took a copy of this data shortly before his access to VMHaus systems was revoked as part of the acquisition by Mythic Beasts. This was not the result of a security vulnerability, but the illegal actions of an individual who had legitimate access to the server at the time. Nevertheless, the breach is of course deeply unfortunate and we are very sorry for the inconvenience and confusion it has caused. We believe openness is the best policy in responding to this incident, and have published a full statement on our
website:

VMHaus - Personal Data Breach

VMHaus will never email you asking for payment details, server credentials or passwords. All payments are taken by PayPal, which is accessed through our control panel:

https://bonsai.vmhaus.com/

If you have any questions or concerns, please contact us by email to [email protected], submit a ticket in our control panel, or use the @VMHausOfficial Twitter account.

We are, once again, extremely sorry this has happened.

VMHaus Ltd

1 Like
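The notice above describes the containment step VMHaus took: disable every account that still exists and whose password has not been changed since the 30 October 2018 backup was taken. The following is an added example (not VMHaus's own code) of that selection logic over constructed account records; the field names and the assumption that a last-password-change date is stored per account are mine.

```python
from dataclasses import dataclass
from datetime import date

# Date of the stolen backup, as stated in the breach notice.
BREACH_SNAPSHOT = date(2018, 10, 30)


@dataclass
class Account:
    username: str
    created: date           # assumed: account creation date
    deleted: bool           # assumed: account has since been removed
    password_changed: date  # assumed: date of the last password change


def accounts_to_disable(accounts, snapshot=BREACH_SNAPSHOT):
    """Return usernames whose stored password hash was in the stolen backup
    and is still the live hash, i.e. accounts that must be disabled until a
    password reset is done."""
    flagged = []
    for a in accounts:
        if a.deleted:
            continue  # already removed; there is nothing left to log in to
        if a.created > snapshot:
            continue  # created after the backup, so not in the leaked data
        if a.password_changed > snapshot:
            continue  # hash rotated since the leak; the leaked hash is useless
        # A change on the snapshot day itself may or may not predate the
        # backup; assume the worst and treat it as leaked.
        flagged.append(a.username)
    return flagged


# Constructed sample records covering each case the rule has to handle.
SAMPLE = [
    Account("alice", date(2017, 3, 1), False, date(2017, 3, 1)),      # stale -> disable
    Account("bob", date(2018, 1, 9), False, date(2019, 6, 2)),        # rotated -> keep
    Account("carol", date(2016, 5, 5), True, date(2016, 5, 5)),       # deleted -> skip
    Account("dave", date(2019, 2, 14), False, date(2019, 2, 14)),     # joined later -> skip
    Account("erin", date(2018, 10, 30), False, date(2018, 10, 30)),   # same day -> disable
]

if __name__ == "__main__":
    print(accounts_to_disable(SAMPLE))  # ['alice', 'erin']
```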

I got the same email, sucks cause I haven’t even used their services. It’d be nice if they had an automatic way to close and delete your account.

I haven’t either… How did they get my email?

Most likely explanation seems like it’d be that you’ve forgotten about it. Seems like an odd thing for someone to scrape extra emails to notify people who were never customers about.

2 Likes

Got the mail as well. Looks like I signed up with VMHaus January 9th 2018.

Is it just me or is the fact they’re including the name of the former director slander? It’s highly unprofessional at the very best.

2 Likes

Perhaps a bit but I can’t say I wouldn’t do the same in such an extreme scenario. The amount of anger felt would be difficult to measure. I’d be on a war path in their shoes.

2 Likes

Yeah I hear ya, can’t deny I’d probably do the same thing. Just don’t think it will be beneficial to their legal case.

3 Likes

That was on my birthday, then. Looks like you were at the wrong party, mate 🙂

4 Likes

The name is public info anyway.

And if that’s true then it’s not slander anyway

1 Like

Slander is not about making one’s name public but about making false / damaging statements in relation to one’s name.

1 Like

Well it would have to be false to be considered slander, that’s the literal definition. As far as I know, none of it is.
While I do agree that mentioning the person in question by name is probably not the best idea, even if they just said “former director”, it would be immediately obvious who it was anyway.

2 Likes

Innocent until proven guilty 😉

Aye, but one also has to defend their name in light of tweets saying the business is closing down incorrectly so I can understand why it went down that way.

4 Likes