
FTP Accounts Leak

Dec 22, 2014

We have completed the investigation and found the source of the FTP username/password leak from last Friday.

Unfortunately, it originated from our website. One page on our site had a "SQL injection" vulnerability, which allowed the hacker to obtain many of the FTP account servers, usernames, and passwords stored in the database via carefully constructed web page requests. They also obtained some user email addresses. Other bits of data they extracted included encrypted account passwords and other technical data, but this data was either encrypted or of no use.

That vulnerability has been closed and we have run site scans that detect no other major holes in the website. We will be taking additional steps over the next few weeks to shore up the defenses of the website.

No source code was leaked. Personal information like names, mailing addresses, and phone numbers was also not leaked. We do not store any credit card information anywhere in our systems. Merchant account logins and passwords that we have on file are stored offsite and encrypted. Therefore, the scope of this leak was limited to the FTP logins and passwords only.

We recommend that you reset the FTP passwords for your merchant accounts where your feeds are being submitted. It is not urgent, and no other action is needed. We will send another email out with specific password reset instructions for each shopping engine.

We apologize for the inconvenience this has caused to you, especially at this busy time of the year.
