June 8, 2007

DreamHost's official post about their 3,500-account security breach. I can't really say "I told you so" because I haven't actually said anything public, but I've always been bothered by the way DreamHost exposes passwords in their admin interface—and more alarmingly, in e-mail. This attack involved gaining access to the admin interface (with a method not yet announced) to glean password data and modify files. If DreamHost used the more secure method of never displaying passwords and only offering password recovery through resets via registered e-mail addresses, access to the admin interface would not be enough to gain access to files.

Of course, this would require similar protections against changing the registered e-mail addresses, and since DH is an e-mail hosting provider, this might be difficult, and maybe DH worked backwards from that and decided it wasn't worth it. I can imagine that a category of customers would be willing to exchange that level of security for a more convenient interface, having everything depend on the security of the admin account.
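The reset-only design described in the two paragraphs above, sketched as an added example (not DreamHost's code and not part of the original post). The class and method names, the 15-minute token lifetime and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

RESET_TTL = 900  # seconds a reset token stays valid (assumed value)

def _kdf(password, salt):  # slow salted hash; cannot be reversed into the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self):
        self.accounts = {}  # user -> {"email", "salt", "pw_hash"}
        self.resets = {}    # user -> (sha256(token), expiry time)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user].update(salt=salt, pw_hash=_kdf(password, salt))

    def create(self, user, email, password):
        self.accounts[user] = {"email": email}
        self.set_password(user, password)

    def verify(self, user, password):
        a = self.accounts.get(user)
        return a is not None and hmac.compare_digest(a["pw_hash"], _kdf(password, a["salt"]))

    def change_email(self, user, current_password, new_email):
        # The reset address is as sensitive as the password: require re-authentication.
        if not self.verify(user, current_password):
            return False
        self.accounts[user]["email"] = new_email
        return True

    def start_reset(self, user, now):
        # Returns (address, token) for the mailer; only the token's hash is stored.
        token = secrets.token_urlsafe(32)
        self.resets[user] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
        return self.accounts[user]["email"], token

    def finish_reset(self, user, token, new_password, now):
        stored, expiry = self.resets.pop(user, (b"", 0))  # single use, even on failure
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(stored, supplied):
            return False
        self.set_password(user, new_password)
        return True

    def admin_view(self, user):
        # All a panel, or an intruder inside it, can read: no password to show.
        return {"user": user, **self.accounts[user]}
```

In a real service `now` would be `time.time()`, and the token would go out only to the address already on file.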

Sending passwords by e-mail is especially tricky because most e-mail set-ups don't use secure connections between the client and the mail server. DH offers secure mail server connections, but (last I checked) does not offer security certificates for the server, so though you can encrypt the data (and, importantly, your e-mail password used when making the connection), you can't defend against man-in-the-middle attacks. I mostly want e-mail security at public wireless Internet spots, where MitM attacks are relatively likely.

Exposed passwords do more than provide temporary access to the account. Depending on how you pick passwords, an exposed password may compromise other accounts for which you use the same password, or provide a clue to what method you use to pick passwords for this and other accounts.

DH claims to know of 3,500 accounts that were compromised, and claims to have contacted all of those account owners. Since we've gone a day or so without further confirmation of these facts, it's probably safest for all DH account owners to change their passwords—all of them.

Update: DH is updating the web page linked above as they investigate. They now suspect that the FTP account attack is unrelated to a security problem they found and fixed in their admin panel. They're requiring all customers to reset their FTP passwords.

comments...

Yup. Mine was one that was exposed. All 20+ of my DH domains were hacked. Nothing major as far as I can tell; the idiot hacker just added a broken IFRAME tag to the index page of each domain. Took me about 30 min to fix. What concerns me is: how do I know this guy didn't get anything *else* of mine that's up on DH?
Annoying, to say the least.
