Frequently Asked Questions

On Friday, December 2, Rackspace detected suspicious activity in its Hosted Exchange email environment. As soon as we detected the suspicious activity, we followed our incident response plans and acted immediately to contain the threat. This included pulling all of our servers in the Hosted Exchange email environment offline, out of an abundance of caution. We also engaged industry-leading global cybersecurity firm CrowdStrike and other cybersecurity experts to assist us with the forensic investigation, which is now complete.

This was a ransomware attack.

As soon as we detected the suspicious activity, we followed our incident response plans and acted immediately to contain the threat. This included pulling all of our servers in the Hosted Exchange email environment offline, out of an abundance of caution. We also engaged industry-leading global cybersecurity firm CrowdStrike and other cybersecurity experts to assist us with the forensic investigation. Due to the swift action to disconnect our network – and because of the way that the Hosted Exchange email environment was designed and segmented – the incident was quickly contained and limited solely to the Hosted Exchange email environment.

No other Rackspace products, platforms, solutions or businesses were affected or are experiencing downtime due to this incident.

Yes, Rackspace notified the FBI and continues to support their forensic investigation.

As soon as we detected the suspicious activity, we followed our incident response plans and acted immediately to contain the threat. This included pulling all of our servers in the Hosted Exchange email environment offline, out of an abundance of caution. We also engaged industry-leading global cybersecurity firm CrowdStrike and other cybersecurity experts to assist us with the forensic investigation. Due to the swift action to disconnect our network – and because of the way that the Hosted Exchange email environment was designed and segmented – the incident was quickly contained and limited solely to the Hosted Exchange email environment. Thanks to work by our external and internal experts, we have increased visibility throughout the Hosted Exchange environment. Importantly, there have been no signs of attacker activity in the environment since December 2nd – and there is no evidence that the attackers were able to move laterally beyond the Hosted Exchange email environment. No other Rackspace products, platforms, solutions or businesses were affected or are experiencing downtime due to this incident. Out of an abundance of caution, Rackspace has put additional security measures in place and will continue to actively monitor for any suspicious activity.

The forensic investigation is now complete, and we are now in a position to share more information about the full scope of the incident. Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined that the threat actor accessed a Personal Storage Table (“PST”) of 27 Hosted Exchange customers. We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused or disseminated any of the 27 Hosted Exchange customers’ emails or data in the PSTs in any way. Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.

As part of our commitment to transparency and in an effort to help our customers and other companies protect themselves, we are also sharing the root cause of this incident. The forensic investigation determined that the threat actor, known as PLAY, used a previously unknown security exploit to gain initial access to Rackspace’s Hosted Exchange email environment. We urge all organizations and security teams to read the blog CrowdStrike recently published on their website about this exploit and learn how to take action to protect your own organization. To help address additional questions customers might have, we will be making CrowdStrike’s forensic report available to any customer upon request.

Our Racker technical team is working diligently to recover mailboxes for our Hosted Exchange email environment customers. In order to expedite the process of your mailbox recovery, customers can now select the “Prioritize Recovery” option available in the Customer Portal. To begin the process of selecting a mailbox for priority recovery, please log into your Hosted Exchange customer portal and click on the ‘mailboxes’ tab.

Selecting the "Prioritize Recovery" button will prioritize the recovery of the given mailbox ahead of non-prioritized mailboxes on your domain. Mailbox recovery does not require prioritization but helps us know which mailboxes are highest priority for you to have recovered.

To check if your historical email data is available and ready to download, please follow Step 2 on our Data Recovery Resources page (https://www.rackspace.com/hosted-exchange-incident-data-recovery-resources). If your data is available and you are having trouble downloading it, please contact our support channels by either joining us in chat or by calling +1 (855) 348-9064 (INTL: +44 (0) 203 917 4743). We will be happy to assist you.
 

We have already been in touch with the affected 27 customers to communicate these findings. Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.

We have already been in touch with the affected 27 customers to communicate these findings, including additional information pertaining to their impacted data and providing them with the appropriate guidance and support.

Out of an abundance of caution, Rackspace has been monitoring the dark web and has found no data associated with this incident to date.

Since learning of this incident in early December, Rackspace has been focusing on restoring historical email data to impacted customers, while simultaneously conducting a thorough forensic investigation with the assistance of third-party cybersecurity experts to understand what happened. Investigations of this nature take time, and we are pleased to be in a position to share what we have learned.

We will be making CrowdStrike’s forensic report available to any customer upon request.

The Hosted Exchange email environment will not be rebuilt as a go-forward service offering, and as a result, Hosted Exchange email customers will need to migrate to a new email solution. Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionalities. As a reminder, there will be no price increase for Hosted Exchange customers if you choose to move to Exchange Online Plan 1. This plan has similar capabilities as your current plan and will cost you less. Additionally, Rackspace email continues to be unaffected and is an alternative option for customers who do not wish to migrate to Microsoft Office 365. Rackspace will continue to assist customers with choosing the best plan to meet their needs depending on the capabilities required for their businesses. Please contact our support channels by either joining us in chat or by calling +1 (855) 348-9064 (INTL: +44 (0) 203 917 4743). We will be happy to assist you.

Rackspace is providing credit for the months of December 2022 and January 2023 to Hosted Exchange email environment customers. Additionally, for those Hosted Exchange email environment customers that have created a tenant and migrated to Microsoft Office 365, Rackspace is issuing a goodwill credit for December 2022, January 2023, and February 1 through February 14, 2023 for the value of Exchange Online Plan 1. Customers who have already chosen or choose to upgrade to Exchange Online Plan 2 will only be responsible for the prorated difference in cost between Exchange Online Plan 1 and Exchange Online Plan 2 during this time. Standard billing for all Microsoft Office 365 plans (without the credits described above) will resume in full starting February 15, 2023. For customers whose automatic billing date is scheduled after February 15, please note you will only be charged for those days falling in between February 15 and your automatic billing date.

Importantly, the Hosted Exchange email environment will not be rebuilt as a go-forward service offering, and as a result, Hosted Exchange email customers will need to migrate to a new email solution. Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionalities. As a reminder, there will be no price increase for Hosted Exchange customers if you choose to move to Exchange Online Plan 1. This plan has similar capabilities as your current plan and will cost you less. Our customer support Rackers will continue to assist you with choosing a plan that best meets the needs of your business. Also, Rackspace email continues to be unaffected and is an alternative option for customers who do not wish to migrate to Microsoft 365. Rackspace will continue to assist customers with choosing the best plan to meet their needs depending on the capabilities required for their businesses.

If you have not yet initiated or completed transition to Microsoft Office 365 and wish to do so, then please leverage our support channels by either joining us in chat or by calling +1 (855) 348-9064 (INTL: +44 (0) 203 917 4743). You will not be charged until you have successfully been migrated.

Our customer support Rackers are available to assist you with choosing a plan that best meets the needs of your business. If you would like to upgrade your plan to unlock additional Microsoft Office 365 features (which you can read more about here), you will need to log into your Microsoft Office 365 Control Panel and follow the simple steps detailed here: How to Upgrade an Office 365 User from an Exchange Online Plan 1 License to an Exchange Online Plan 2 License in the Cloud Office Control Panel.

Please note that Rackspace is crediting back the value of Exchange Online Plan 1 to our Hosted Exchange email environment customers for December 2022, January 2023, and February 1, 2023 through February 14, 2023. Customers who choose to upgrade to Exchange Online Plan 2 will only be responsible for the difference in cost between Exchange Online Plan 1 and Exchange Online Plan 2 (prorated for the applicable period of time) during this time.

Exchange Online Plan 1 costs less than a customer’s prior subscription with Hosted Exchange email, but will provide similar functionality and quality of service.

 

On the other hand, Exchange Online Plan 2 offers services equivalent to those received as a Hosted Exchange email environment customer, as well as additional functionalities such as eDiscovery Center, Litigation Hold features, voicemail, and data loss prevention services. Exchange Online Plan 2 also offers up to 100 GB of storage per mailbox. 

Consistent with our prior communications following the ransomware incident, we are also issuing you a goodwill credit for December 2022, January 2023, and February 1 through February 14, 2023 for the value of Exchange Online Plan 1. Customers who have already chosen or choose to upgrade to Exchange Online Plan 2 will only be responsible for the prorated difference in cost between Exchange Online Plan 1 and Exchange Online Plan 2 during this time. Standard billing for all Microsoft Office 365 plans (without the credits described above) will resume in full starting February 15, 2023. For customers whose automatic billing date is scheduled after February 15, please note you will only be charged for those days falling in between February 15, 2023 and your automatic billing date.

If you would like to upgrade your Exchange Online plan to unlock additional Microsoft Office 365 features (which you can read more about here), you will need to log into your Microsoft Office 365 Control Panel and follow the simple steps detailed here: How to Upgrade an Office 365 User from an Exchange Online Plan 1 License to an Exchange Online Plan 2 License in the Cloud Office Control Panel.

We have become aware of a system issue that inadvertently resulted in applying an incorrect amount of credits to your account for the Hosted Exchange email environment services. We apologize for this inconvenience and will be correcting the amount of credits issued to your account so your account reflects the full amount of credits for the months of December 2022 and January 2023 for the Hosted Exchange email environment services. Rackspace will not be issuing credit for services outside of the Hosted Exchange email environment services for December 2022 and January 2023 since other Rackspace services, products, and solutions were not impacted by the ransomware incident.

The temporary forwarding option will be discontinued on February 28, 2023. We recommend that you migrate to Microsoft Office 365 in advance of this date in order to maintain use of your inbox.

Standard billing for all Microsoft Office 365 plans (without the credits described below) will resume in full starting February 15, 2023. For customers whose automatic billing date is scheduled after February 15, please note you will only be charged for those days falling in between February 15, 2023 and your automatic billing date.

We are issuing you a goodwill credit for December 2022, January 2023, and February 1 through February 14, 2023 for the value of Exchange Online Plan 1. Customers who have already chosen or choose to upgrade to Exchange Online Plan 2 will only be responsible for the prorated difference in cost between Exchange Online Plan 1 and Exchange Online Plan 2 during this time.
