Around 11:30 PM last night, the Only at Tech team became aware of malicious code that was being served through our website. It does NOT appear that this code downloaded any sort of malware to our users’ computers (our virus scans have turned up negative), but we have reason for concern because one of the affected files contained the login information for the site’s database. This means the attacker(s) could have gained access to a list of our registered users’ email addresses and hashed passwords.
The offending code has been removed. We believe this was an automated attack, and in most cases the attackers do not do anything with the users’ data. It was likely targeted at multiple sites running the same backend as Only at Tech. That doesn’t mean you should be careless if you use your Only at Tech password on other sites with sensitive data. To be on the safe side, we would recommend you change your passwords on Only at Tech and any other sites where you use the same email/password combination.
We apologize for our failure to secure your information on our side, and for any inconvenience this causes you. We’re currently in the process of upgrading to a more secure backend as part of a major site update, but in the meantime, we’ve taken some precautions to prevent this from happening again.
Technical details on the attack are below for those of you who are interested. This is Tech, after all.
Around 11:30 PM, routine social media monitoring of the “Only at Tech” phrase revealed an oddity in the Google search results page. Instead of the usual Google snippet of the homepage, we encountered a link to a spammy pdf file. Further research revealed that our site returned an HTTP 302 redirect to a randomly generated URL, but only when accessing the site with a Google user agent string.
Investigating the IP address using standard online DNS tools and WHOIS queries, we found that the server was registered to a user located in Luxembourg and hosted in the same country.
Though finding traces of the attack spread across the world may seem particularly frightening, this is no different than any other malicious break-in. It is common practice among the hacker community to spread traces across the Internet, because it provides redundancy and makes tracking down the original source more difficult.
We are continuing to investigate the origins of the attack and taking appropriate precautions. These are the steps we have taken to prevent this from occurring again:
- permanently disabled FTP access to our webspace
- replaced all passwords with 32+ character passwords containing over 176 bits of entropy and all character classes
- set all files to read-only with minimal permissions
- ensured all software is fully patched
By 1 AM, malicious code was identified and removed, and the above precautions had been taken. The Only at Tech team is doing their best to continue to handle the situation appropriately. If you have any concerns, suggestions, or questions please contact us at email@example.com.
– Andrew Ash, Programmer
– Holden Link, Designer