Jul 12, 2010 11:40
The Very, Very Short Version
Some information from the customer-end databases at Ellen Million Graphics was compromised: if you have an account at EMG-Zine or at Portrait Adoption, your email and password have been publicized.
The Still Fairly Short Version
Ellen Million Graphics, and several of its various sub-sites, have been under near-constant spam/hack attacks for... well, for a very long time. The forums frequently receive 10-100 ‘spam’ join attempts daily. Recently, in the past three months, those attacks have stepped up in intensity and success, and spread out from the forums into SQL injection attacks throughout the sites.
The short version of the long and sordid battle I’ve been fighting with these attempts is that I have met each problem I've uncovered within a day of finding out about it. This week, however, I discovered that one of the early attempts (mid-April) was able to crack into the database and get all passwords and emails from the customer database. Not satisfied with harvesting this information, the perpetrators of this hack have posted this information (emails and passwords only) to several public forums, so that this information has been propagated pretty far.
The security changes I made (back in April, as soon as I discovered the problem) stopped all further leaks at the time, but I was not aware of the scope of the problem or the fact that the emails and passwords had already been harvested and spread until I found one of these forums - just this week - and started to snoop further.
What Should You Do About it?
Change your passwords - immediately, and not just at EMG-Zine or Portrait Adoption. Although there is no personal information stored in your EMG-Zine or Portrait Adoption account, if you use the same password for your email login, that account can be considered compromised! Go and change your passwords. Right now! Get in the habit of using individual passwords at different sites, and change them frequently. Chances are good that this can happen - and may already have happened - at other sites you use, too. Hackers do not leave polite calling cards letting webmasters know that they’ve been by, and if an alert customer had not let me know about this problem, I’d still be in the dark.
Artist accounts were not (to the best of my knowledge) affected - the only thing they got were the customer-end accounts (EMG-Zine readers and Portrait Adoption customers), where no personal information was stored. No credit card, address, phone, payment or order information was taken. Using the information that they stole, the only thing they could really do at my sites is change your menu preferences and submit descriptions. The major risk is the possibility of your email being hacked if you use the same password here and there. The most likely outcome is that you will see an increase in spam emails (or have, already).
What Am I Doing About it?
Additional security has been and is still being added throughout the site. Every page is being scrutinized for weaknesses and all SQL entries are being ‘sanitized.’ All out-of-the-box software is being updated promptly whenever updates are available. Database passwords are being changed regularly. I am keeping a close eye on my site statistics to stay on top of further attacks, and my hosting company is also watching out for spikes at the server that might indicate a problem. All of this will delay the release of the new Fantasy Art Shop, but clearly takes precedence.
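To show what ‘sanitizing’ SQL entries actually guards against, here is an added example (not code from Ellen Million Graphics or any of its sites): a login lookup written by pasting user input into the query text, beside the same lookup using a parameterised query. The table, the two customer rows and the probe string are all constructed for the demonstration; the sites’ real schema and language are not known from this post.

```python
"""Added example (not the site's own code): string-concatenated SQL versus a
parameterised query, run against an in-memory SQLite table of constructed
sample rows."""
import sqlite3


def make_db():
    # Constructed sample data standing in for a customer-account table.
    # Clear-text passwords are used only to keep the demo short; see note below.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("reader@example.com", "hunter2"), ("fan@example.com", "s3cret")],
    )
    conn.commit()
    return conn


def login_concatenated(conn, email, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = ("SELECT email FROM customers WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterised(conn, email, password):
    """Hardened: the driver binds the placeholders, so the input is only ever
    treated as a value and never as part of the SQL."""
    sql = "SELECT email FROM customers WHERE email = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (email, password)))


def demo():
    """Run both lookups with a textbook tautology input and with valid
    credentials, returning the rows each version matched."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    return {
        "concatenated": login_concatenated(conn, probe, probe),
        "parameterised": login_parameterised(conn, probe, probe),
        "valid": login_parameterised(conn, "reader@example.com", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the quote-bearing probe the concatenated version matches every row in the table, while the parameterised version matches none; only the real credentials match a single account. Escaping input by hand catches some of these cases, but binding parameters removes the whole class of problem, which is why it is the preferred fix. The sample stores passwords in the clear only for brevity; a real customer table should hold a salted hash, so that a copy of the table does not hand out passwords that can be tried at other sites.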
The event has been reported to the authorities and I am attempting to have forums with the lists in circulation shut down.
Some of this, I did before, and I’m only stepping up my frequency and alertness. Some of this is learning a new set of programming skills, and I'm consulting with people who know much more than I do and I am learning everything I can about pro-active countermeasures.
I am deeply apologetic for this breach of your privacy. It is embarrassing and I feel wretched that it happened under my watch. I am angry that there are people out there who would do this, and will do everything in my power to keep it from happening again.
Please contact me if you have any concerns.
In happier news - there is a Sketch Fest scheduled for this Friday and Saturday. It will run 24 hours, from noon on Friday to noon on Saturday, and you are welcome to join us with pencils or prompts!