Just the Facts, Ma’am...
Jul. 10th, 2010 02:09 pm
The Very, Very Short Version
Some information from the customer-end databases at Ellen Million Graphics was compromised: if you have an account at EMG-Zine or at Portrait Adoption, your email and password have been publicized.
The Still Fairly Short Version
Ellen Million Graphics, and several of its various sub-sites, have been under near-constant spam/hack attacks for... well, for a very long time. The forums frequently receive 10-100 ‘spam’ join attempts daily. Recently, in the past three months, those attacks have stepped up in intensity and success, and spread out from the forums into SQL injection attacks throughout the sites.
The short version of the long and sordid battle I’ve been fighting with these attempts is that I have met each problem I've uncovered within a day of finding out about it. This week, however, I discovered that one of the early attempts (mid-April) was able to crack into the database and get all passwords and emails from the customer database. Not satisfied with harvesting this information, the perpetrators of this hack have posted this information (emails and passwords only) to several public forums, so that this information has been propagated pretty far.
The security changes I made (back in April, as soon as I discovered the problem) stopped all further leaks at the time, but I was not aware of the scope of the problem or the fact that the emails and passwords had already been harvested and spread until I found one of these forums - just this week - and started to snoop further.
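The attack described above, an injection that hands back every email/password row instead of one, can be shown in a few lines. What follows is an added example, not code from the Ellen Million Graphics sites (none of their code appears on this page). It assumes a customer lookup query built by string concatenation, uses an in-memory SQLite table with constructed sample accounts, and sets it beside the parameterized form. Parameter binding is the stronger fix than the input "sanitizing" mentioned later on the page: the database driver never interprets the bound value as SQL, so there is nothing to strip or escape.

```python
import sqlite3

# Constructed sample accounts for the demonstration; not data from the page.
SAMPLE_ACCOUNTS = [
    ("reader1@example.com", "hunter2"),
    ("reader2@example.com", "letmein"),
    ("reader3@example.com", "correct-horse"),
]

# A classic tautology payload: closes the quoted string, then appends a
# condition that is true for every row.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory customer table like the hypothetical one being queried."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, email):
    """The injectable pattern: user input spliced straight into the SQL text.

    With PAYLOAD the statement becomes
        SELECT ... WHERE email = '' OR '1'='1'
    which matches, and returns, every row in the table.
    """
    sql = "SELECT email, password FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: bind the value through a placeholder.

    The driver sends the value separately from the statement, so quotes
    and keywords inside it are data, never SQL.
    """
    sql = "SELECT email, password FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable query, rows matched by the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_parameterized(conn, PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # (3, 0)
```

The page does not say how the passwords were stored, but the fact that the dump could be posted as directly usable email/password pairs is the reason practitioners store only a salted, slow hash of each password: a leaked table then yields hashes that still have to be cracked rather than credentials that work immediately at other sites.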
What Should You Do About it?
Change your passwords – immediately, and not just at EMG-Zine or Portrait Adoption. Although there is no personal information stored in your EMG-Zine or Portrait Adoption account, if you use the same password for your email login, that account can be considered compromised! Go and change your passwords. Right now! Get in the habit of using individual passwords at different sites, and change them frequently. Chances are good that this can – and may have already – happened at other sites you use, too. Hackers do not leave polite calling cards letting webmasters know that they’ve been by, and if an alert customer had not let me know about this problem, I’d still be in the dark.
Artist accounts were not (to the best of my knowledge) affected - the only thing they got were the customer-end accounts (EMG-Zine readers and Portrait Adoption customers), where no personal information was stored. No credit card, address, phone, payment or order information was taken. Using the information that they stole, the only thing they could really do at my sites is change your menu preferences and submit descriptions. The major risk is the possibility of your email being hacked if you use the same password here and there. The most likely outcome is that you will see an increase in spam emails (or have, already).
What Am I Doing About it?
Additional security has been and is still being added throughout the site. Every page is being scrutinized for weaknesses and all SQL entries are being ‘sanitized.’ All out-of-the-box software is being updated promptly whenever updates are available. Database passwords are being changed regularly. I am keeping a close eye on my site statistics to stay on top of further attacks, and my hosting company is also watching out for spikes at the server that might indicate a problem. All of this will delay the release of the new Fantasy Art Shop, but clearly takes precedence.
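One concrete way to act on the "keeping a close eye on my site statistics" point is to scan the web server's access log for injection indicators and flag the source addresses that keep tripping them, rather than waiting for a spike to show up in aggregate traffic. This is an added example, not the site's own monitoring or anything the hosting company runs. The log lines are constructed in common log format with documentation (RFC 5737) addresses, the paths are hypothetical, and the indicator patterns are a small illustrative set that a real deployment would tune against its own traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format, RFC 5737 test addresses,
# hypothetical paths). They are not from the page or from the site.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2010:03:12:01 -0800] "GET /zine/article.php?id=12 HTTP/1.1" 200 5120
203.0.113.5 - - [15/Apr/2010:03:12:03 -0800] "GET /zine/article.php?id=12' HTTP/1.1" 500 0
203.0.113.5 - - [15/Apr/2010:03:12:04 -0800] "GET /zine/article.php?id=12%20OR%201=1 HTTP/1.1" 200 80211
203.0.113.5 - - [15/Apr/2010:03:12:05 -0800] "GET /zine/article.php?id=-1%20UNION%20SELECT%20email,password%20FROM%20customers-- HTTP/1.1" 200 60044
198.51.100.9 - - [15/Apr/2010:03:13:10 -0800] "GET /adoption/index.php HTTP/1.1" 200 4432
198.51.100.9 - - [15/Apr/2010:03:13:12 -0800] "POST /forums/register.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative indicator set. A single quote, an OR-tautology, a UNION SELECT
# and an SQL comment sequence are the classic signs of someone probing a query.
INDICATORS = {
    "quote": re.compile(r"'"),
    "tautology": re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
    "comment": re.compile(r"--|/\*"),
}


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def injection_indicators(path):
    """Names of the indicators that fire on the URL-decoded request path."""
    decoded = unquote_plus(path)  # %20OR%201=1 -> ' OR 1=1'
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def suspicious_ips(log_text, threshold=2):
    """Map source IP -> number of requests carrying at least one indicator,
    keeping only sources at or above the threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and injection_indicators(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests with injection indicators")
```

The decode step matters: attackers URL-encode the payload, so matching on the raw request line misses it. A 500 response immediately after a request containing a stray quote (the second sample line) is the other tell worth alerting on, since it usually means the quote reached the database and broke the statement.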
The event has been reported to the authorities and I am attempting to have forums with the lists in circulation shut down.
Some of this, I did before, and I’m only stepping up my frequency and alertness. Some of this is learning a new set of programming skills, and I'm consulting with people who know much more than I do and I am learning everything I can about pro-active countermeasures.
I am deeply apologetic for this breach of your privacy. It is embarrassing and I feel wretched that it happened under my watch. I am angry that there are people out there who would do this, and will do everything in my power to keep it from happening again.
Please contact me if you have any concerns.
How Do I Feel About This?
You have no idea.
I have been through all five stages of grief since I found out a few days ago:
flat denial (I was sure that the problem could not possibly be as big as all this...)
anger (fury that used up my vocabulary for swearwords within moments)
bargaining (maybe it's not so bad if I look at it this way? *snort*)
depression (cried myself dry a few times and wondered why on earth I even bother with this...)
acceptance (it's done, I'm screwed, be transparent, fix what I can, and move on...).
I can't say I've entirely worked past all of the anger and depression, either. I have implemented more security - though most of the damage was done back in April and early May, and I had fixed all those problems at that time, even if I didn't know the full extent of what had happened. The first part of this post will be going out to all of my customers once I've got it polished a little better - I don't want to institute a panic, but it's important to be completely transparent about what happened. Even if it causes me deep shame and makes me feel like a fraud and a bad, bad person.
I was in the middle of an otherwise fantastic trip to Petersburg at the time - I was actually fairly successful (after a night spent crying and telling myself I was an awful, horrible person) in shunting it aside as something I simply didn't have the tools to deal with immediately, and enjoyed the gorgeous weather and sights of the area. We drove down Metkof highway and got to see dozens of eagles (including a golden that dwarfed the balds), porcupine, deer and more.
I did catch a cold - probably due at least in part to the depressed immune system thanks to a sleepless night of epic-level stress. It has settled in my sinuses and upper chest - I've got a solid, raspy cough and am regularly expunging major snots. Nothing major, but a decided dampener on my spirits. Which I did not need right now, but you roll with what you get, or you go under, and I'm not down yet.
Older, wiser, a tad bitter and more than a little depressed, but not defeated.
no subject
Date: 2010-07-10 10:25 pm (UTC)
*hugs!* It is not your fault! Where there's a will, there's a way, and any determined-enough spammer/hacker/JERKFACE will find some way to get what they are after eventually. And if I hear of anyone doing something like this, I'll punch 'em in the balls. <3
no subject
Date: 2010-07-10 10:46 pm (UTC)
(and Ellen, don't you DARE feel bad about what I just said, because I was stupid enough to use my email password in several places at once!! It was my responsibility to make sure all my accounts were secure - if it hadn't happened through the nasty hackers on your site, it would have happened somewhere else. I call it a lesson learned. And it may not have been a result of this at all - I'll never know, because there were a couple of ways it could have happened. Because I was a password idiot.)
no subject
Date: 2010-07-10 10:59 pm (UTC)
It's not your fault, we don't blame you at all, and you're absolutely not bad! <3
no subject
Date: 2010-07-10 11:20 pm (UTC)
I wonder if the attacks (and extra security) are why I keep getting timed-out messages when trying to access any of your sites? I'm not getting that with other sites.
I don't have a customer account, but do have an artist account...and Torn World, of course.
Botheration. This just isn't fair! I'd rather have you doing creative stuff!!!!!
no subject
Date: 2010-07-11 02:30 am (UTC)
How does one change a password from lilypad? I can't find it anywhere.
no subject
Date: 2010-07-11 02:51 am (UTC)
I can't imagine how you must have felt finding out about this so long after the fact. :( *hug* Thank you for letting us know so we can take our own precautions! I think folks should have several different passwords for things anyway... And hacks can happen to anyone, be exploited by anyone. Even AT&T was abused by that wacky group recently. :(
no subject
Date: 2010-07-11 03:25 am (UTC)
(And Ellen, I second what
no subject
Date: 2010-07-11 04:02 am (UTC)
I'm so glad he didn't get your money. I'm also reassured to know that my gmail account was not brute-force hacked. I've been paranoid since it happened, and knowing where the attack came from helps me to know that my account is secure.
no subject
Date: 2010-07-11 04:28 am (UTC)
Meredith - I was wondering the same thing about the lilypad, but this is how you can change your password on there...just log in to your account & then on the left side under "FAQ", "entrance" etc. there is a link called "reset your password". You are good to go from there.
no subject
Date: 2010-07-11 05:02 am (UTC)
So it wasn't just you who couldn't find the link!
Jenny
Date: 2010-07-11 05:01 pm (UTC)
*does a search on her e-mail address* first thing that pops up some HHfun security team page, stupid a-hole hackers. *goes to change PA lily pad password Thwarting the evil hacker monkeys!* I need to change all my passwords anyways, I've been putting it off because I have to write them all down. I need a little black book.
*HUGS again*
no subject
Date: 2010-07-11 09:13 pm (UTC)
Let's get things straight, dear, and put blame where it belongs: it's their fault, not yours.
Passwords changed everywhere where it matters already a few months ago.
Big hugs from both of us.
no subject
Date: 2010-07-11 10:45 pm (UTC)
Hey Ellen, you have a great site, keep up the good work. As for the hackers, I'd like to send out a big wormhole to suck them all up and deposit them in a black hole!
Nothing was compromised here as Jenny is the one who did my PA registry and the password she used doesn't match anything else. I also did a search on Google and came up with two sites that have this e-mail address with the PA password. Both sites are for hackers, one from Brazil.
I'm with Jenny on that black book thing, sticky notes just seem to get lost and trying to access the correct password files in my brain.......right out !
Hugs from here too!