Domain contact information changed, not by me

Hi,

First post.

On one of my domains the contact information was changed to user@gmail.com

I got a email alert and went in and changed it back and reset passwords etc...

My host said this first -

------------
user@gmail.com is specified as an 'access token for Pushbullet' in your contact information on cPanel account domaininquestion.co.uk and I believe that causes the issue. Please remove it if you no longer use it.
It's actually a security token that you add to your account through the webmail interface. You can leave it blank and not use it. It is a new feature of the paper lantern theme that's being implemented with cPanel. You will receive notifications about problems when you put in a list of Access Tokens for the Pushbullet™ accounts separated by commas.
------------

I have explained why would I do that, I don't even know who's that gmail account is and I have no idea what PushBullet is.

Then they replied with this -

------------
In cPanel under "contact information" there is a option named "An access token for Pushbullet" there you have specified the emial ID as "user@gmail.com".
------------

I once again explained that I haven't but they won't tell me (if they even know) how it happened.

I am just trying to find out how the contact information can be changed apart from the obvious of logging into cPanel and changing it. I know it can also be done from the WHM interface as. that's where I changed it back.

Any ideas of what could have happened?

Thanks,

Dave

 

Hi,

Thanks for that.

They have said they found this

Code:

<IPREMOVED> - wwwliverpoolstud [06/30/2018:00:29:27 -0000] "POST /cpsess9695886817/execute/Notifications/get_notifications_count HTTP/1.1" 200 0 "https://domainname.co.uk:2083/cpsess9695886817/frontend/paper_lantern/contact/saveemail.html?email=cvv.vbv3%40gmail.com&second_email=cvv.vbv3%40gmail.com&pushbullet_access_token=cvv.vbv3%40gmail.com&notify_contact_address_change=1&notify_contact_address_change_notification_disabled=1&notify_disk_limit=1&notify_ssl_expiry=1&notify_password_change=1&notify_password_change_notification_disabled=1&notify_account_authn_link=1&notify_account_authn_link_notification_disabled=1&notify_twofactorauth_change=1&notify_twofactorauth_change_notification_disabled=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" "s" "-" 2083

Dave

 

Hi,

This has happened again to the same domain, this time the email used is - Removed -

I reset the cPanel password to a random password and haven't logged in using that password. So no idea how they are getting in.

Time I moved host I think.

Thanks,

Dave