UPDATE: DEADLINE FOR CHANGING DATABASE PASSWORDS IS APRIL 16TH - if you use MediaTemple Grid Service for website hosting, do not ignore the notifications you are getting from them! If you have not yet done so, and you are not using one of the web apps listed below, you need to take action to ensure the continued operation of your website.
I enthusiastically recommend (mt) Grid-Service. So I was rather surprised to get news on Friday explaining that they are changing database passwords for all (mt) Grid-Service accounts. If you host your website on (mt) Grid-Service, you will need to pay attention to the notifications and do what it takes to make sure that your sites continue operating normally. Even if you don't, this is another reminder that you need to keep your passwords in a safe place and not use easily guessed passwords.
I am impressed by the scale and professionalism of the Media Temple response, and will continue to recommend (mt) Grid-Service to small African organizations that need low-cost "traditional" website hosting. Nevertheless I am more than a little unsettled that such drastic, heavy-handed action is needed. Media Temple say this is a step they took as a last resort to block hackers.
(mt) Grid-Service depends on a new generation of "cloud computing" that comes with new opportunities for tremendous cost savings, easy data redundancy/backup, and easy creation of new sites that can then be allocated additional disk space or server resources instantly as needed. It's a great service at a great price.
But with this announcement I begin to wonder if these benefits of cloud computing do not come at too high a cost - to our own privacy (they can change all our passwords?) and our own security (we are vulnerable because somebody else's password has been hacked?).
Below is the email I received from Media Temple.
Dear Site Owner,
This is a preliminary notification about an impending change to the passwords for all database users on your (gs) Grid-Service. Due to recent developments regarding System Incident #1167, we have found that this action is a required safety precaution: http://weblog.mediatemple.net/weblog/category/system-incidents/gs-invest...
We will send you an additional email notification 24-hours prior to the actual change.
VERY IMPORTANT:
Please do not change your database user passwords back to their former value(s). Returning database passwords back to previous versions may allow malicious parties to gain future access to one or more of your databases. If you do choose to change one or more database passwords back, you will be notified by (mt) Media Temple and your site may be temporarily suspended.
In an attempt to make this a more seamless process, (mt) Engineers have developed custom scripts that automatically find and update the database configuration files used by most major CMS applications (if installed using standard methods). The scripts were designed to auto-update the following:
- Drupal
- Joomla
- Expression Engine
- Magento
- Miva
- phpBB3
- WordPress
- vBulletin
- ZenCart
- all standard Rails and Django applications
In other words: If you are using one of those applications, not only will we be automatically updating your database user passwords, we will also update your CMS/application configuration to include the new passwords. If you happen to use other database-oriented applications, the following article contains an FAQ regarding this email notification and also discusses how to update your database configuration files and/or reset database passwords: http://kb.mediatemple.net/questions/1807/
While closer investigation is still underway, we believe that certain database passwords were possibly obtained by hackers via trial-and-error methods. Unfortunately, these "brute forcing" techniques may have slipped past our intrusion detection systems: http://en.wikipedia.org/wiki/Password_cracking
We understand that changing database passwords is not a preferred solution, but we have exhausted all other routes to try to avoid this specific action. Once the password change has been completed, you will be notified via email and our internal system will automatically open a new Support Request for your account within the AccountCenter. If you have any questions, please feel free to contact us at any time, and we thank you for your patience and understanding regarding this matter.
Regards,
(mt) Media Temple, Inc
Hosting Operations
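For applications outside the auto-update list in the e-mail above, one way to find configuration files that still hold the pre-change database password is to scan the web root for it. This is an added example, not code from Media Temple or from the original post; the directory layout, file names, user name and password values are constructed for the demonstration.

```python
import os
import tempfile

MAX_BYTES = 1_000_000  # skip anything larger than a typical config file
SKIP_DIRS = {".git", ".svn", "node_modules"}


def find_stale_credentials(root, old_password):
    """Return sorted (relative_path, line_number) pairs for every text line
    under root that still contains old_password. The secret is never echoed."""
    needle = old_password.encode("utf-8")
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: nothing to report
            if b"\x00" in data or needle not in data:
                continue  # binary file, or no reference to the old secret
            for lineno, line in enumerate(data.splitlines(), start=1):
                if needle in line:
                    hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)


def demo():
    """Build a constructed web root (all names and values are samples) and scan it."""
    old = "OldPass-constructed-123"  # constructed sample value
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shop", "includes"))
        os.makedirs(os.path.join(root, "blog"))
        with open(os.path.join(root, "shop", "includes", "db.inc.php"), "w") as fh:
            fh.write("<?php\n$db_user = 'db00000_shop';\n$db_pass = '%s';\n" % old)
        with open(os.path.join(root, "blog", "settings.ini"), "w") as fh:
            fh.write("[database]\npassword = NewPass-constructed-456\n")
        with open(os.path.join(root, "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG\x00" + old.encode())  # binary file: skipped
        return find_stale_credentials(root, old)


if __name__ == "__main__":
    for rel_path, lineno in demo():
        print("%s:%d still references the old database password" % (rel_path, lineno))
```

When running `find_stale_credentials` against a real web root, read the old password from a prompt (for example with `getpass`) rather than passing it on the command line, so it does not end up in shell history.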
Comments
Hi, Tobias..
Great share of the information.
It's useful news for users who use MediaTemple.
Thanks