FTP Accounts Leak
Dec 22, 2014
We have completed the investigation and found the source of the FTP username/password leak from last Friday.
Unfortunately, it originated from our website. One page on our site had a "SQL injection" vulnerability, which allowed the hacker to obtain many of the FTP account servers, usernames, and passwords stored in the database via carefully constructed web page requests. They also obtained some user email addresses. Other bits of data they extracted included encrypted atensoftware.com account passwords and other technical data, but this data was either encrypted or of no use.
That vulnerability has been closed and we have run site scans that detect no other major holes in the website. We will be taking additional steps over the next few weeks to shore up the defenses of the website.
No source code was leaked. Personal information like names, mailing addresses, and phone numbers was also not leaked. We do not store any credit card information anywhere in our systems. Merchant account logins and passwords that we have on file are stored offsite and encrypted. Therefore, the scope of this leak was limited to the FTP logins and passwords only.
We recommend that you reset the FTP passwords for your merchant accounts where your feeds are being submitted. It is not urgent, and no other action is needed. We will send another email out with specific password reset instructions for each shopping engine.
We apologize for the inconvenience this has caused to you, especially at this busy time of the year.