I bought an Alipay module from them from them a few years ago, but never got around to installing it. Lucky me.
The hackers first sent an email from WHMCS Global Services with this content:
4 hours later, a second legitimate email from WHMCS Global Services:
I then ticketed to have my account permanently deleted, and they removed my ticket without removing my account
The next day, an e-mail was sent containing a link to the pastebin:
As promised here all information about the hack: https://pastebin.com/ZpNUBrG1
Oh well. Since it’s pretty unlikely that they were hacked through their WHMCS install, it’s pretty clear hackers got in to their site via them running one of their own insecure modules. Agreed with mikho to remove any ASAP.