Some information from the customer-end databases at Ellen Million Graphics were compromised: if you have an account at EMG-Zine or at Portrait Adoption, your email and password have been publicized.
The Still Fairly Short Version
Ellen Million Graphics, and several of its various sub-sites, have been under near-constant spam/hack attacks for... well, for a very long time. The forums frequently receive 10-100 ‘spam’ join attempts daily. Recently, in the past three months, those attacks have stepped up in intensity and success, and spread out from the forums into SQL injection attacks throughout the sites.
The short version of the long and sordid battle I’ve been fighting with these attempts is that I have met each problem I've uncovered within a day of finding out about it. This week, however, I discovered that one of the early attempts (mid-April) was able to crack into the database and get all passwords and emails from the customer database. Not satisfied with harvesting this information, the perpetrators of this hack have posted this information (emails and passwords only) to several public forums, so that this information has been propagated pretty far.
The security changes I made (back in April, as soon as I discovered the problem) stopped all further leaks at the time, but I was not aware of the scope of the problem or the fact that the emails and passwords had already been harvested and spread until I found one of these forums - just this week - and started to snoop further.
What Should You Do About it?
Change your passwords – immediately, and not just at EMG-Zine or Portrait Adoption. Although there is no personal information stored in your EMG-Zine or Portrait Adoption account, if you use the same password for your email login, that account can be considered compromised! Go and change your passwords. Right now! Get in the habit of using individual passwords at different sites, and change them frequently. Chances are good that this can – and may have already – happened at other sites you use, too. Hackers do not leave polite calling cards letting webmasters know that they’ve been by, and if an alert customer had not let me know about this problem, I’d still be in the dark.
Artist accounts were not (to the best of my knowledge) affected - the only thing they got were the customer-end accounts (EMG-Zine readers and Portrait Adoption customers), where no personal information was stored. No credit card, address, phone, payment or order information was taken. Using the information that they stole, the only thing they could really do at my sites is change your menu preferences and submit descriptions. The major risk is the possibility of your email being hacked if you use the same password here and there. The most likely outcome is that you will see an increase in spam emails (or have, already).
What Am I Doing About it?
Additional security has been and is still being added throughout the site. Every page is being scrutinized for weaknesses and all SQL entries are being ‘sanitized.’ All out-of-the-box software is being updated promptly whenever updates are available. Database passwords are being changed regularly. I am keeping a close eye on my site statistics to stay on top of further attacks, and my hosting company is also watching out for spikes at the server that might indicate a problem. All of this will delay the release of the new Fantasy Art Shop, but clearly takes precedence.
The event has been reported to the authorities and I am attempting to have forums with the lists in circulation shut down.
Some of this, I did before, and I’m only stepping up my frequency and alertness. Some of this is learning a new set of programming skills, and I'm consulting with people who know much more than I do and I am learning everything I can about pro-active countermeasures.
I am deeply apologetic for this breach of your privacy. It is embarrassing and I feel wretched that it happened under my watch. I am angry that there are people out there who would do this, and will do everything in my power to keep it from happening again.
Please contact me if you have any concerns.
How Do I Feel About This?
You have no idea.
I have been through all five stages of grief since I found out a few days ago:
I can't say I've entirely worked past all of the anger and depression, either. I have implemented more security - though most of the damage was done back in April and early May, and I had fixed all those problems at that time, even if I didn't know the full extent of what had happened. The first part of this post will be going out to all of my customers once I've got it polished a little better - I don't want to institute a panic, but it's important to be completely transparent about what happened. Even if it causes me deep shame and makes me feel like a fraud and a bad, bad person.
I was in the middle of an otherwise fantastic trip to Petersburg at the time - I was actually fairly successful (after a night spent crying and telling myself I was an awful, horrible person) in shunting it aside as something I simply didn't have the tools to deal with immediately, and enjoyed the gorgeous weather and sights of the area. We drove down Metkof highway and got to see dozens of eagles (including a golden that dwarfed the balds), porcupine, deer and more.
I did catch a cold - probably due at least in part to the depressed immune system thanks to a sleepless night of epic-level stress. It has settled in my sinuses and upper chest - I've got a solid, raspy cough and am regularly expunging major snots. Nothing major, but a decided dampener on my spirits. Which I did not need right now, but you roll with what you get, or you go under, and I'm not down yet.
Older, wiser, a tad bitter and more than a little depressed, but not defeated.