Hacker News

I'm a Dreamhost customer and haven't received any emails regarding this yet.



Dittos. I found out on HN. Checked to see if it had gone to some stray account / folder, but I never received any notification that I can find. Anyone?


Nothing. I've discovered I had the same pwd for the panel and for the ssh access, although I almost never use the ssh one. Time to check every password, it seems ...


It would also be very, very, very cool if Dreamhost (since they have a list of old passwords) would, say, make that list all invalid for future use.

We're doing some tough client love right now on security practices, and having a nice hard wall to push off of, namely, Dreamhost being assholes, in a good way, would be a very Good Thing[tm].


We, well, I, have been using sshkeys for access. We actually had one of our accounts request sshkey access as well, which was freaking wonderful. Most are so technically backward that this can't be rolled out globally, though I'd love for it to be.


We're not quite done investigating the issue and resetting passwords; once that's done, though, we will have a mass email going out.


Well, I was using the same password for gmail and dreamhost, because I figured both were secure. Yeah, I know that's bad practice, and I don't do it anymore (I use a password manager for new sites), but I'd set up my dreamhost account a while back, and forgotten I was using my "secure" password.

I won't be the only person doing this.


I'm confused by the directions. If I have 20 usernames did you reset all 20 passwords for these names to random strings and now I just need to pick new passwords of my liking on my own time?

Or do I need to go through all 20 right this moment and change them from their old value to a new value?

Basically do the hackers possibly have access to my ftp accounts or have you already switched my passwords to random strings?


A mass email going out this morning so I could have got on the ball with this and coordinated response with our client management folks would have been a Really Good Thing[tm].

As it was I found out about 4 hours after your first blog post via HN.

We're still hashing out what we're going to do with folks who, last time we instituted a password/process change, wanted a 3-weeks heads-up.

FML.


FYI: The forgot password feature does not seem to be working at this time.


If you log in with your Web Panel password, you can change an account's password without needing to know the old one.

The DreamHost engineer who's been commenting here says the web panel passwords haven't been compromised (I changed ours anyhow).


Same. Almost 24 hours ago and this is the first I've heard about the breach.

Also, the fact that you can see your user passwords in the panel has always irked me, and that has gone unchanged even after past breaches. I have been quite happy with their service, but maybe this is my cue to leave... :(

EDIT: To their credit, I see this when logging in to the panel: "Due to some unauthorized activity we detected within one of our databases, we have forced a reset of all FTP/SFTP and shell passwords as a precaution."


We've got a mass email going out now.


Neither. And ironically I was just logging in to grab everything I had there to move it to a new server, and couldn't log in, emailed them with no response in the last 2 hours then see this here..



