Frequently Asked Questions

On Friday, December 2, Rackspace detected suspicious activity in its Hosted Exchange email environment. As soon as we detected the suspicious activity, we followed our incident response plans and acted immediately to contain the threat. This included pulling all of our servers in the Hosted Exchange email environment offline, out of an abundance of caution. We also engaged industry-leading global cybersecurity firm CrowdStrike and other cybersecurity experts to assist us with the forensic investigation, which is now complete.

This was a ransomware attack.

As soon as we detected the suspicious activity, we followed our incident response plans and acted immediately to contain the threat. This included pulling all of our servers in the Hosted Exchange email environment offline, out of an abundance of caution. We also engaged industry-leading global cybersecurity firm CrowdStrike and other cybersecurity experts to assist us with the forensic investigation. Due to the swift action to disconnect our network – and because of the way that the Hosted Exchange email environment was designed and segmented – the incident was quickly contained and limited solely to the Hosted Exchange email environment.

No other Rackspace products, platforms, solutions or businesses were affected or are experiencing downtime due to this incident.

Yes, Rackspace notified the FBI and continues to support their forensic investigation.

As soon as we detected the suspicious activity, we followed our incident response plans and acted immediately to contain the threat. This included pulling all of our servers in the Hosted Exchange email environment offline, out of an abundance of caution. We also engaged industry-leading global cybersecurity firm CrowdStrike and other cybersecurity experts to assist us with the forensic investigation. Due to the swift action to disconnect our network – and because of the way that the Hosted Exchange email environment was designed and segmented – the incident was quickly contained and limited solely to the Hosted Exchange email environment. Thanks to work by our external and internal experts, we have increased visibility throughout the Hosted Exchange environment. Importantly, there have been no signs of attacker activity in the environment since December 2nd – and there is no evidence that the attackers were able to move laterally beyond the Hosted Exchange email environment. No other Rackspace products, platforms, solutions or businesses were affected or are experiencing downtime due to this incident. Out of an abundance of caution, Rackspace has put additional security measures in place and will continue to actively monitor for any suspicious activity.

The forensic investigation is now complete, and we are now in a position to share more information about the full scope of the incident. Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined that the threat actor accessed a Personal Storage Table (“PST”) of 27 Hosted Exchange customers. We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused or disseminated any of the 27 Hosted Exchange customers’ emails or data in the PSTs in any way. Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.

As part of our commitment to transparency and in an effort to help our customers and other companies protect themselves, we are also sharing the root cause of this incident. The forensic investigation determined that the threat actor, known as PLAY, used a previously unknown security exploit to gain initial access to Rackspace’s Hosted Exchange email environment. We urge all organizations and security teams to read the blog CrowdStrike recently published on their website about this exploit and learn how to take action to protect your own organization. To help address additional questions customers might have, we will be making CrowdStrike’s forensic report available to any customer upon request.

As of January 5, 2023, more than half of impacted customers have some or all of their data available to them for download. However, less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data. We will continue working to recover all data possible as planned; however, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data. We expect that the on-demand solution will be available within two weeks.

As a reminder, we are proactively notifying customers for whom we have recovered greater than 50% of their mailboxes. Those PST files are now available through the customer portal. To check if your historical email data is available, please follow Step 2 on our Data Recovery Resources page (https://www.rackspace.com/hosted-exchange-incident-data-recovery-resources) and see if your mailbox is ready to download. As a reminder, we have prepared additional support resources that are available on our landing page (https://www.rackspace.com/hosted-exchange-incident), but if your data is available and you are having trouble downloading it, please contact our support channels by either joining us in chat or by calling +1 (855) 348-9064 (INTL: +44 (0) 203 917 4743), and we will be happy to assist you.

We have already been in touch with the affected 27 customers to communicate these findings. Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.

We have already been in touch with the affected 27 customers to communicate these findings, including additional information pertaining to their impacted data and providing them with the appropriate guidance and support.

Out of an abundance of caution, Rackspace has been monitoring the dark web and has found no data associated with this incident to date.

Since learning of this incident in early December, Rackspace has been focusing on restoring historical email data to impacted customers, while simultaneously conducting a thorough forensic investigation with the assistance of third-party cybersecurity experts to understand what happened. Investigations of this nature take time, and we are pleased to be in a position to share what we have learned.

We will be making CrowdStrike’s forensic report available to any customer upon request.

The Hosted Exchange email environment will not be rebuilt as a go-forward service offering. Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model as well as more modern features and functionality. There will be no price increase for our Hosted Exchange customers if they choose to move to Microsoft 365 and select a plan with the same capabilities as they currently have. Every Hosted Exchange customer has the option to migrate and pay exactly what they are paying today, or even slightly less, and have the same capabilities. If Hosted Exchange email customers have not yet initiated or completed the transition to Microsoft Office 365 and wish to do so, please leverage our support channels by either joining us in chat or by calling +1 (855) 348-9064 (INTL: +44 (0) 203 917 4743).

Rackspace is providing credit for the months of December 2022 and January 2023 to Hosted Exchange email environment customers. Additionally, for those Hosted Exchange email environment customers that have created a tenant and migrated to Microsoft Office 365, Rackspace is providing these customers a credit for the months of December 2022 and January 2023. Therefore, Hosted Exchange environment customers will receive an invoice of $0.00 to their account to show that Rackspace is providing the credit for the months of December 2022 and January 2023. Rackspace will not be issuing credit for services outside of the previously mentioned Hosted Exchange email environment services for December 2022 and January 2023 as other Rackspace services, products, and solutions were not impacted by the ransomware incident.

Importantly, the Hosted Exchange email environment will not be rebuilt as a go-forward service offering. Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model as well as more modern features and functionality. There will be no price increase for our Hosted Exchange customers if they choose to move to Microsoft 365 and select a plan with the same capabilities as they currently have. Every Hosted Exchange customer has the option to migrate and pay exactly what they are paying today, or even slightly less, and have the same capabilities.

If you have not yet initiated or completed the transition to Microsoft Office 365 and wish to do so, please leverage our support channels by either joining us in chat or by calling +1 (855) 348-9064 (INTL: +44 (0) 203 917 4743). You will not be charged until you have successfully been migrated.
