ellenmillion: (RAGE)
[personal profile] ellenmillion
The Very, Very Short Version

Some information from the customer-end databases at Ellen Million Graphics was compromised: if you have an account at EMG-Zine or at Portrait Adoption, your email address and password have been published on public forums.

The Still Fairly Short Version

Ellen Million Graphics, and several of its sub-sites, have been under near-constant spam and hacking attacks for... well, for a very long time. The forums frequently receive 10-100 'spam' join attempts daily. In the past three months those attacks have stepped up in intensity and success, and have spread from the forums into SQL injection attacks throughout the sites.

The short version of the long and sordid battle I've been fighting with these attempts is that I have fixed each problem I've uncovered within a day of finding out about it. This week, however, I discovered that one of the early attempts (mid-April) got into the database and extracted every password and email address from the customer database. Not satisfied with harvesting this information, the perpetrators posted it (emails and passwords only) to several public forums, so it has propagated quite far.

The security changes I made back in April, as soon as I discovered the problem, stopped further leaks at the time, but I was not aware of the scope of the problem, or that the emails and passwords had already been harvested and spread, until I found one of those forums just this week and started digging further.


What Should You Do About it?

Change your passwords – immediately, and not just at EMG-Zine or Portrait Adoption. Although no personal information beyond your email address is stored in your EMG-Zine or Portrait Adoption account, if you use the same password for your email login, that account should be considered compromised: whoever holds the lists can simply try each email/password pair at the email provider, and an email account that has been taken over can be used to reset your passwords everywhere else. Go and change your passwords. Right now! Start with your email account, then any other site where you used the same password. Get in the habit of using a different password at every site, and change a password immediately whenever you learn that a site holding it has been breached. Chances are good that this can – and may have already – happened at other sites you use, too. Hackers do not leave polite calling cards letting webmasters know that they've been by, and if an alert customer had not let me know about this problem, I'd still be in the dark.

Artist accounts were not (to the best of my knowledge) affected; the attackers only got the customer-end accounts (EMG-Zine readers and Portrait Adoption customers), where no personal information beyond the email address is stored. No credit card, address, phone, payment or order information was taken. With the information they stole, the only things they could really do at my sites are change your menu preferences and submit descriptions. The major risk is your email account being taken over if you use the same password here and there. The most likely outcome is that you will see an increase in spam (or already have).
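For readers, the paragraph above is right that password reuse is the main risk. On the site side, the fact that the posted lists contained usable passwords means the stored form was recoverable; the post does not say how passwords were kept. The following is an added example, not the site's own code, of the standard way to store a password so that a dumped table yields only salted, slow hashes. It uses hashlib.pbkdf2_hmac from the Python standard library; the iteration count, the record layout and the sample passwords are this example's own choices.

```python
"""
Added example (not code from Ellen Million Graphics): store only a salted,
iterated hash of each password so a stolen table does not contain the
passwords themselves.  Record layout and iteration count are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "sha256"
ITERATIONS = 200_000  # assumption: raise until one hash costs ~100 ms on the server
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so one cracked hash does not unlock the others.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare.

    The iteration count is read from the record so old records keep
    verifying after the site raises ITERATIONS for new ones.  The comparison
    is constant-time so a mismatch leaks nothing about where it differed.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if scheme != f"pbkdf2_{ALGO}" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def record_exposes_password(password: str, stored: str) -> bool:
    """What a dumped row gives away: True only if the password is readable in it."""
    return password in stored


if __name__ == "__main__":
    # Constructed sample: a customer record as it would sit in the table.
    rec = hash_password("hunter2")
    print(rec)
    print("verify correct:", verify_password("hunter2", rec))
    print("verify wrong:  ", verify_password("hunter3", rec))
    print("dump readable: ", record_exposes_password("hunter2", rec))
```

A dump of a table stored this way still lets an attacker guess weak passwords offline, one slow hash at a time, so unique passwords remain the reader's own defence; what the hash prevents is the dump being posted as a ready-to-use email/password list.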


What Am I Doing About it?

Additional security has been and is still being added throughout the site. Every page is being scrutinized for weaknesses and every SQL query is being 'sanitized' so that user input can no longer alter it. All out-of-the-box software is being updated promptly whenever updates are available. Database passwords are being changed regularly. I am keeping a close eye on my site statistics to stay on top of further attacks, and my hosting company is also watching for spikes at the server that might indicate a problem. All of this will delay the release of the new Fantasy Art Shop, but it clearly takes precedence.
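'Sanitizing' is a vague word for what closes a SQL injection hole: keeping user input out of the statement text altogether by passing it to the database driver as a bound parameter, so it can only ever be treated as data. The post does not say what language or database the sites run on, so the following added example (not the site's code) uses Python and an in-memory sqlite3 table for illustration. The table, its rows and the attacker inputs are constructed for the demonstration; the vulnerable function shows the kind of query that lets one request dump a whole customer table, and the parameterized function shows the same lookup with the hole closed.

```python
"""
Added example (not code from Ellen Million Graphics): a lookup that pastes
user input into the SQL text beside the same lookup with a bound parameter.
All data here is constructed for the demonstration.
"""
import sqlite3

# Constructed stand-in for a customer-end account table.
SAMPLE_ROWS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "swordfish"),
]

# Constructed attacker inputs.  Each closes the quoted string the vulnerable
# query wraps around the email and appends a condition that is always true;
# the second also comments out the rest of the statement with "--".
PAYLOADS = {
    "tautology": "x' OR '1'='1",
    "comment": "x' OR 1=1 --",
}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string concatenation: the input is parsed as SQL."""
    sql = "SELECT email, password FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a placeholder: the driver binds the value after parsing,
    so quotes and comment markers in the input never reach the SQL parser."""
    sql = "SELECT email, password FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def run_demo() -> dict:
    """Row counts returned by (vulnerable, parameterized) for each input."""
    conn = make_db()
    results = {}
    for name, payload in PAYLOADS.items():
        results[name] = (
            len(lookup_vulnerable(conn, payload)),
            len(lookup_parameterized(conn, payload)),
        )
    legit = "alice@example.com"
    results["legitimate"] = (
        len(lookup_vulnerable(conn, legit)),
        len(lookup_parameterized(conn, legit)),
    )
    return results


if __name__ == "__main__":
    for name, (vuln, safe) in run_demo().items():
        print(f"{name:11s} vulnerable={vuln} rows  parameterized={safe} rows")
```

Against the three-row table, both attacker inputs make the concatenated query return every row (the whole email/password list), while the parameterized query returns none, because it is looking for a customer whose email address is literally the payload string; a real email address returns exactly one row either way. Escaping quotes by hand is what 'sanitizing' usually means in practice, and it is easy to miss a case; binding parameters removes the class of bug rather than one instance of it.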

The event has been reported to the authorities and I am attempting to have forums with the lists in circulation shut down.

Some of this I was doing before, and I'm only stepping up my frequency and alertness. Some of it means learning a new set of programming skills; I'm consulting with people who know much more than I do and learning everything I can about proactive countermeasures.

I am deeply apologetic for this breach of your privacy. It is embarrassing and I feel wretched that it happened under my watch. I am angry that there are people out there who would do this, and will do everything in my power to keep it from happening again.

Please contact me if you have any concerns.


How Do I Feel About This?

You have no idea.

I have been through all five stages of grief since I found out a few days ago:

  • flat denial (I was sure that the problem could not possibly be as big as all this...)
  • anger (fury that used up my vocabulary for swearwords within moments)
  • bargaining (maybe it's not so bad if I look at it this way? *snort*)
  • depression (cried myself dry a few times and wondered why on earth I even bother with this...)
  • acceptance (it's done, I'm screwed, be transparent, fix what I can, and move on...).

    I can't say I've entirely worked past all of the anger and depression, either. I have implemented more security - though most of the damage was done back in April and early May, and I had fixed all those problems at that time, even if I didn't know the full extent of what had happened. The first part of this post will be going out to all of my customers once I've got it polished a little better - I don't want to institute a panic, but it's important to be completely transparent about what happened. Even if it causes me deep shame and makes me feel like a fraud and a bad, bad person.

    I was in the middle of an otherwise fantastic trip to Petersburg at the time - I was actually fairly successful (after a night spent crying and telling myself I was an awful, horrible person) in shunting it aside as something I simply didn't have the tools to deal with immediately, and enjoyed the gorgeous weather and sights of the area. We drove down Metkof highway and got to see dozens of eagles (including a golden that dwarfed the balds), porcupine, deer and more.

    I did catch a cold - probably due at least in part to the depressed immune system thanks to a sleepless night of epic-level stress. It has settled in my sinuses and upper chest - I've got a solid, raspy cough and am regularly expunging major snots. Nothing major, but a decided dampener on my spirits. Which I did not need right now, but you roll with what you get, or you go under, and I'm not down yet.

    Older, wiser, a tad bitter and more than a little depressed, but not defeated.
  • Date: 2010-07-10 10:18 pm (UTC)
    From: [identity profile] norda.livejournal.com
    Ellen, I am so sorry.

    Date: 2010-07-10 10:25 pm (UTC)
    From: [identity profile] m0usegrrl.livejournal.com
    Oh crap. I wonder if this is how the lamer who hacked one of my Gmail accounts got the info...

    *hugs!* It is not your fault! Where there's a will, there's a way, and any determined-enough spammer/hacker/JERKFACE will find some way to get what they are after eventually. And if I hear of anyone doing something like this, I'll punch 'em in the balls. <3

    Date: 2010-07-10 10:37 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    It *feels* like my fault. Surely, I should have known better and been prepared for this somehow! I will join you in the punching of balls, though - that picture does make me feel better.

    Date: 2010-07-10 10:38 pm (UTC)
    From: [identity profile] kittrel.livejournal.com
    I hope you feel better and don't get really sick! Take good care of yourself. I don't think anyone would blame you for what happened with the site, how could you know??? It's horrible these hackers are so persistent. :( I'll join the beat-em-up torch and pitchfork party!

    Date: 2010-07-12 05:37 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    I'm on the mend! Drinking my fluids and sleeping my sleep.

    Date: 2010-07-10 10:46 pm (UTC)
    From: [identity profile] octoberdreaming.livejournal.com
    *hugs* I'm so sorry, Ellen. Hackers suck. It's not your fault - you've been battling this since it started. UGH, I wish we could round all these people up and send them to a special hell where there is no electricity, much less access to computers or internet. :(

    [livejournal.com profile] m0usegrrl, I was wondering the same thing, as the same happened to me around this timeframe. My gmail account was hacked - from Australia - but gmail is awesome and told me about it and I caught the bastard before he could do any damage. I hope your hacker didn't do too much damage in your account.

    (and Ellen, don't you DARE feel bad about what I just said, because I was stupid enough to use my email password in several places at once!! It was my responsibility to make sure all my accounts were secure - if it hadn't happened through the nasty hackers on your site, it would have happened somewhere else. I call it a lesson learned. And it may not have been a result of this at all - I'll never know, because there were a couple of ways it could have happened. Because I was a password idiot.)

    Date: 2010-07-10 11:01 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    The only thing the hacker damaged of mine? My reputation. My confidence. I've been able to keep them from doing anything to my sites (and the password they got from me is useless), but that they got this information from my databases is deeply, deeply troubling and totally rattles me.

    Date: 2010-07-10 10:59 pm (UTC)
    From: [identity profile] phoenixelement3.livejournal.com
    Thank you so much for the alert. I'm so sorry this happened to you. It's just shocking what asshats people can be, and to people they've never met and have no business messing with. And now I think I have an explanation for the spam I suddenly started getting this spring. XD

    It's not your fault, we don't blame you at all, and you're absolutely not bad! <3

    Date: 2010-07-12 05:46 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    It kills me a little that I can't un-post those emails. They're out there, and there's not a damn thing I can do about the spam people are going to get because of it. I may not BE bad, but oh boy do I FEEL bad about it. :/

    But thanks - I'm glad the alert is useful.

    Date: 2010-07-10 11:17 pm (UTC)
    From: [identity profile] renatus.livejournal.com
    Oh Ellen, I'm so sorry. :( I wish I could kidney punch every godsbedamned immoral little arsedrip who was involved in this.

    Date: 2010-07-12 05:47 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    At least the picture of them being kidney punched cheers me up a little. :P

    Date: 2010-07-10 11:20 pm (UTC)
    From: [identity profile] wyld-dandelyon.livejournal.com
    *hugs* from me too.

    I wonder if the attacks (and extra security) are why I keep getting timed-out messages when trying to access any of your sites? I'm not getting that with other sites.

    I don't have a customer account, but do have an artist account...and Torn World, of course.

    Botheration. This just isn't fair! I'd rather have you doing creative stuff!!!!!

    Date: 2010-07-12 05:48 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    Hmm. The extra security should speed things up, actually, because it should short-circuit any attacks. The attacks themselves may have been slowing things up, though.

    I'd rather be doing creative stuff, too!!!

    Date: 2010-07-12 05:48 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    *hugs back* Thanks!

    Date: 2010-07-11 01:55 am (UTC)
    From: [identity profile] ursulav.livejournal.com
    Thank goodness it didn't attack artists! I'm so sorry to hear about this, Ellen--that's awful, and totally not your fault. It's like having your house robbed--bad people did it, and I know that doesn't make you feel any better, but...it's not your fault!

    Date: 2010-07-12 05:50 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    It's a lot like being robbed - and only finding out you were robbed three months later and wondering what the hell they took and how many times they stopped by in that time and how am I ever going to sleep again...


    *le sigh* I AM glad they didn't get in on the artist-end of thing - that's always been more secure, and I guess that paid off!

    Date: 2010-07-11 02:30 am (UTC)
    From: [identity profile] uminomamori.livejournal.com
    Ugh :(

    how does one change a password from lilypad? I can't find it anywhere.

    Date: 2010-07-11 04:28 am (UTC)
    From: [identity profile] deannadavoli.livejournal.com
    Ellen....I am so sorry this happened. I seriously will never understand why people/hackers are so evil to the core...seriously, why do they have nothing else better to do??

    Meredith - I was wondering the same thing about the lilypad, but this is how you can change your password on there...just log in to your account and then on the left side under "FAQ", "entrance" etc. there is a link called "reset your password". You are good to go from there.

    Date: 2010-07-11 02:51 am (UTC)
    From: [identity profile] thrivis.livejournal.com
    I can't figure out how to change a password on PA.

    I can't imagine how you must have felt finding out about this so long after the fact. :( *hug* Thank you for letting us know so we can take our own precautions! I think folks should have several different passwords for things anyway... And hacks can happen to anyone, be exploited by anyone. Even AT&T was abused by that wacky group recently. :(

    Date: 2010-07-12 05:55 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    Yeah, it looks like there *wasn't* a page to change your password at PA until I built one on Saturday (THAT'S another rant). Should be there now, in lights, so to speak. Though, changing it at EMG-Zine should change it both places.

    Somehow, it's comforting that the Big Guys suffer through this too. Though at least for them, they have a hundred IT guys to share the blame... :P

    Date: 2010-07-11 04:39 pm (UTC)
    From: [personal profile] kelkyag
    This is so very much not your fault. Network connectivity -- and running a site you're trying to make more visible even more so -- subjects you to the world's supply of criminal and/or obnoxious jackasses. Sadly, it's something everyone on the 'net needs to be aware of and defend themselves against.

    Date: 2010-07-12 05:56 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    *chuckles* Yeah, it's ironic that trying to get more attention gets me attention that makes me not want any more attention... :P

    Jenny

    Date: 2010-07-11 05:01 pm (UTC)
    From: (Anonymous)
    *HUGS* You are doing the best you can, it isn't your fault there is low-life scum in the world, what is up with these jerks anyways?

    *does a search on her e-mail address* first thing that pops up some HHfun security team page, stupid a-hole hackers. *goes to change PA lily pad password Thwarting the evil hacker monkeys!* I need to change all my passwords anyways, I've been putting it off because I have to write them all down. I need a little black book.

    *HUGS again*

    Date: 2010-07-11 10:45 pm (UTC)
    From: (Anonymous)
    S Heidewald

    Hey Ellen, you have a great site, keep up the good work. As for the hackers, I'd like to send out a big wormhole to suck them all up and deposit them in a black hole!

    Nothing was compromised here as Jenny is the one who did my PA registry and the password she used doesn't match anything else. I also did a search on Google and came up with two sites that have this e-mail address with the PA password. Both sites are for hackers, one from Brazil.

    I'm with Jenny on that black book thing, sticky notes just seem to get lost and trying to access the correct password files in my brain.......right out !

    Hugs from here too!

    Date: 2010-07-11 07:39 pm (UTC)
    From: [identity profile] uneide.livejournal.com
    UGH. *hugs* Thank you for the warning m'dear. I can imagine how you feel right now, but this WAS NOT YOUR DOING. In fact you've been trying to prevent these sobs from prevailing. *hugs*

    Date: 2010-07-12 06:14 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    *hugs* UGH pretty much sums it up. :)

    Date: 2010-07-11 09:13 pm (UTC)
    From: [identity profile] marina-bonomi.livejournal.com
    How could it be your fault, Ellen, since you fought like a lion to keep those hackers at bay?

    Let's get things straight, dear, and put blame where it belongs: it's their fault, not yours.

    Passwords changed everywhere where it matters already a few months ago.

    Big hugs from both of us.

    Date: 2010-07-12 06:15 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    I still feel like I ought to know more, have been better prepared or something. *sighs!*

    *big hugs back* and thanks!

    Date: 2010-07-11 11:08 pm (UTC)
    From: [identity profile] pixiewildflower.livejournal.com
    I am so sorry this happened to you.

    Date: 2010-07-12 12:32 am (UTC)
    From: [identity profile] selinafenech.livejournal.com
    Don't feel bad. I know it sucks, but it's on the bad guys, not on you. You've done everything you can!

    Date: 2010-07-12 06:16 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    I feel so helpless - that's part of the problem, I think. Thanks, though!

    Date: 2010-07-12 12:49 am (UTC)
    From: [identity profile] curvature.livejournal.com
    I think once you get past the initial shock and upset, that you'll be able to look back and be proud of the lengths you've gone to, to locate the problem and prevent it from happening again.

    I think you've done very well, and I admire your ability to identify a problem and then learn the skills you need to address it quickly and efficiently - that's not something that everyone is able to do.

    Instead of sitting back and wringing your hands or sticking your head in the sand while someone else works on it, you stick up for yourself and get on with making it better.

    You're a good egg, Ellen :)

    Date: 2010-07-12 06:18 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    I haven't got enough distance yet to be proud - I think I'm still pretty rattled by it all. But thank you. I wish I could do more.

    Date: 2010-07-12 01:28 am (UTC)
    From: [identity profile] eregyrn.livejournal.com
    Dude, I'm really sorry to hear about this. :( Just reiterating what others have said -- I know you feel responsible, but I think everybody understands that you're not. It's like a bolt of lightning hitting. The only thing on you is how you respond -- and you're responding in a very responsible manner.

    I wish there was anything we could do to help. :( (I take it that the rth mb wasn't affected? I certainly have experienced no problems with anyone using my gmail account that I know of within this time period.)

    Date: 2010-07-12 06:23 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    I feel a bit like I got hit by lightning. My hair is still all standing on end.

    The RTH MB wasn't - to my knowledge - affected, but I didn't find out about this for three months. God knows what's happened elsewhere that I don't know about. I'm pretty sure it's due for an update, however, I don't have the admin keys to check anymore... I'll talk to Ron and Heidi about that.

    Date: 2010-07-12 02:21 pm (UTC)
    From: [identity profile] redrevvy.livejournal.com
    Ellen, you are amazing. PLEASE do not let this get to you. You have done absolutely NOTHING negative!

    These people that are doing this to you are vicious, careless, coldblooded #$%(&#@$(&@(%^@'s, and if you can go into starting any sort of investigation on this and see about taking legal action against them, maybe it would help prevent them from doing this to other people too.

    I'm so sorry you are having to go through this trouble. Some people, agh!

    But please hang in there, chin up! Don't let it get you down. You are far better than those good-for-nothings.

    Date: 2010-07-12 06:24 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    *hugs* Thanks! I wish there was some legal action to take - I don't even know where to start. Most people are just saying 'oh, it happens all the time, nothing anyone can do...'

    Date: 2010-07-12 02:24 pm (UTC)
    From: [identity profile] arslongu.livejournal.com
    It is in no way, shape or form your fault. The blame resides solely on the hackers.
    Big supportive hug coming your way! You WILL get through this, I know you will, and you are not a failure or a bad person either. Things like this happen, and I am sure most will be very understanding, and like me will appreciate your honesty about what happened.

    Date: 2010-07-12 06:25 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    *hugs back* Thank you!

    Date: 2010-07-12 04:59 pm (UTC)
    From: [identity profile] kerstitch.livejournal.com
    Big Hugs Ellen! I hate it that people do this and make it so stressful for others. By now, people should really know not to use the same password as their e-mail account on anything else.

    Date: 2010-07-12 06:25 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    *hugs* Thanks!

    Date: 2010-07-12 06:24 pm (UTC)
    From: [identity profile] vestaka.livejournal.com
    Love you bebe *hugs* I'm pretty pissed at whoever did this to you, but *my* faith in you isn't the least bit compromised.

    Date: 2010-07-12 06:27 pm (UTC)
    From: [identity profile] ellenmillion.livejournal.com
    *hugs* I'm glad YOUR faith isn't compromised! Mine is, a bit! :P
