Summary of the Breach

On Tuesday, December 17th, our server that hosts our forum, wiki, and affiliate program was compromised. (Our application environment was not compromised. No customer data, credit card data, or any other data for your stores was impacted.) The attacker accessed user information (including emails and hashed passwords) for our forum and affiliate program. The vast bulk of these passwords were strongly hashed with unique salts.

As soon as we became aware of the breach, we removed access to all three sites and redirected them to http://status.foxycart.com/ while we worked to diagnose the full impact and patch the vulnerability. We restored access to all three sites once we were confident we had patched the hole and cleaned up all traces of the breach.

Recommended Action

Please review your passwords for any foxycart.com services you have logins for (forum.foxycart.com, admin.foxycart.com, wiki.foxycart.com, affiliate.foxycart.com). Even though the password hashes were securely hashed with unique salts, they (like any hash) is still vulnerable to a brute force attack. This is especially true if you use weak or short passwords.

If you ever reuse passwords, please make sure you change your passwords, especially to important accounts like your email account, your bank, PayPal, and others. Also, please don’t reuse passwords. Get an app like 1password or LastPass and easily use strong, unique passwords everywhere.

Full Details

At 7:45am PST yesterday morning, an attacker accessed our forum and exploited a vulnerability. Our forum is on a server running third party software including our affiliate website, our documentation wiki, and our user forum. The vulnerability in the forum software allowed the attacker to modify a forum config file, which ultimately allowed remote execution of PHP commands. From there, they installed a PHP shell client and were able to access the file system. Through this, the attacker was able to retrieve a copy of our forum database. Our forum database has 16,939 users’ account info (email, name if available, and a hash of their password). Our forum has used PHPass since 2008-12-02, so any user who has logged in the last 5 years has a strong hash with a unique salt. 205 users, however, hadn’t logged in since 2008-12-02 or prior, and their database records had unsalted MD5 hashes, and we’ve gone ahead and removed access for those users.

In addition to accessing the forum database, there’s also evidence they accessed various tables in our affiliate database. We are contacting these users separately.

The attacker was active for just over an hour, and used automated tools to explore the system. As soon as we became aware of the breach, we removed access to all three sites and redirected them to http://status.foxycart.com/ while we worked to diagnose the full impact and patch the vulnerability. We restored access to all three sites once we were confident we had patched the hole and cleaned up all traces of the breach. We have been working non-stop since then to explore the stolen data and to anticipate worst case scenarios.

At no time was credit card or store data at risk, as the breached server is completely isolated from our core infrastructure, as mandated by PCI and certified by our independent PCI auditors.

How We’re Improving

As with any data breach, we’re extremely frustrated we let this happen, but we’re also using this to improve our systems. At present, we are pledging to improve in the following ways:

  • We will isolate each of the 3 impacted systems from each other. They were all on a single server because that’s how they were set up way back in 2007, but each will be moving to its own isolated VM.

  • We will consider these systems as under relevant requirements of the PCI DSS. These systems don’t touch cardholder data, and thus aren’t under the scope of PCI, but if we’d treated these systems as seriously as we treat our application environment, this breach wouldn’t have happened. We dropped the ball by not focusing on the security of this server to the same degree as our application environment, and we’re frustrated with ourselves for that.

We are taking this very seriously, and are continuing to explore options to mitigate the impact of this data breach. Though it didn’t impact cardholder data or store data, and though the passwords were strongly hashed, it’s still been a stressful past 24 hours. We understand that this disclosure might affect your confidence in FoxyCart, being fully transparent is the best way towards security.

If you have any questions, please let us know by emailing hello@foxycart.com. We’re here to help.