I got a message from DreamHost tonight which both confused and disturbed me.

Telling me there's evidence that I have been intruded upon is scary -- but what was the evidence?? Without more information, this is upsetting but not helpful.

I only access this account from fully patched Macs under my direct control. None of them were running Windows spyware, and I know there hasn't been a hardware keylogger in operation on my equipment recently (I don't believe ever, but I've been doing lots of work on my equipment lately, so I know not recently). It's certainly possible I got hacked by some brand-new Mac OS X exploit, but (especially given my understanding of DreamHost's security model, which entails emailing plaintext passwords at the drop of a hat) I consider it considerably more likely this is a false alarm or miscommunication.

Especially given that, despite "we have reset your password", the affected account's password was NOT changed. I logged in normally and changed it myself. This makes me very glad that I created a brand-new password only for DreamHost last time they got hacked. On the other hand, I could have been sniffed logging in over the Internet (most of their access is unprotected); I only set up SSL for administration of Extra Pepperoni a month ago...

We'll see how they respond to my request for clarification.

In the meantime, I am worried and aggravated.

It's also somewhat suspicious that the timezone is UTC, considering that DreamHost is in Los Angeles. If it wasn't the right panel.dreamhost.com hostname, I'd think this was an attempt to get me to submit my DH account information to a spammer, but that information isn't worth much.

To: "Chris Pepper" <---->
From: DreamHost Support <support@---->
Subject: [reppep ----] Account Concerns...
Date: Fri,  7 Mar 2008 02:20:34 +0000 (UTC)

Dear DreamHost customer,

We have found evidence indicating that your 'reppep' web server account
may have been subject to intrusion by a malicious 3rd party. As a
precautionary measure, we have reset your password and ask that you
change it, here:


At this time we have found no evidence to suggest that there has been a
breach of our internal security. We believe that the passwords in
question were likely obtained through the use of
spyware/keyloggers/malware, possibly installed on your personal

In order to secure your account, we ask that you immediately follow the
recommendations provided in the DreamHost AbuseCenter - particularly
those involving the removal of malware. You may visit the AbuseCenter,


If you have any questions or concerns, please let us know.

- DreamHost Abuse/Security Team