READ THIS FIRST: If you created an account at The Yaoi 911 Store at https://store.yaoi911.com or to comment on this blog, please read the rest of this blog post. If you didn’t, no one else was affected by this and you do not need to worry. (To be clear, that means if you just have an account for The Yaoi 911 News & Downloads mailing list, the Yaoi 911 Zazzle Store or any of my other logins or simply downloaded comics from one of my newsletter emails, you do not need to worry, this does not affect you. It only affects people who created an account at https://store.yaoi911.com.)
UPDATE 5/5/11: OK, having reviewed all the files on the FTP, I also found some suspicious files in this blog and in my webcomic. Based on reviewing those files, it looks like the ultimate goal of this attack was to turn my sites into zombie spam sites. I caught it before the malware could really do much and now all the files have been cleaned. But in light of the fact that I noticed some strange files on this blog, I’d say if you are a registered user here, you should also read below. Again, if you’re a mailing list subscriber or used any of my other stores, this still doesn’t affect you. And even if you did create an account here or at the Store, the chances of someone capturing your password are pretty remote. (The real damage seems to be wasting a couple days of my time triple-checking that there weren’t any more hidden files lurking anywhere. Grrr.) But because I want to make sure all my readers are safe, I still think it’s wisest to change your passwords if you reused them here or at the Store.
Well, this sucks. The Yaoi 911 Store (at https://store.yaoi911.com) was hacked today. I caught it in less than 24 hours and I’ve locked it down with a password, but it still happened.
After a reader left a comment saying she was having difficulty accessing the Tough chapters, I went to my store to see what was going on and there was a lovely little hacker program running that allowed anyone on the Internet to see every file on my store and, I assume, its database contents as well. I’ve thrown up a password barrier so no other jerks can get at that information and I know that not a huge number of people took advantage of my store to get my comics, but if you did create an account at https://store.yaoi911.com, there are some steps I think you should take to protect yourself.
What You Should Do If You Created An Account At The Yaoi 911 Store or this blog
Ideally, you used a unique password for The Yaoi 911 Store or this blog. That’s a very good idea and I strongly, strongly, strongly recommend it for every account you create on the Internet (and I recommend using a password locker program like 1Password, which I use myself, to make the process of creating unique super-strong passwords really easy and painless.)
But I know not everyone does that.
So… if you used the same password on The Yaoi 911 Store (which was at https://store.yaoi911.com) or as a commenter on this blog anywhere else, stop what you are doing right now and change that password on those sites!
I don’t know if this jerk was able to download the passwords, but they might have. The passwords weren’t stored in plaintext, of course (your password would have been encrypted in the database using a “hash algorithm”), but if you used a dictionary word under 15 characters or so, there are programs on the Internet that make unencrypting password hashes possible for the determined hacker. So, please, change those passwords!
Also, even though not many people included their postal address information or full names when creating an account, some did. I doubt this hacker could find any real use for that information, but I just want to remind you that it’s possible that they might have downloaded it. It also seems possible they could access the email address you used. So please be extra aware of phishing scam attempts and remember that no one reputable will ever ask you for your password to any of your accounts over email.
And just to be very clear: I will never ask you for any of your passwords through email ever. So if you get a message claiming to be from me or “Yaoi 911” or yaoi-anything asking you for personal information of any kind, it’s a hoax: don’t do it! (A phishing scam is a very, very unlikely risk, I’m hardly Chase bank after all, but I really, really care about your safety and so I’m wanting to cover all the bases.)
So, the main thing you should do is change your password on other sites if you used the same password on The Yaoi 911 Store or on this blog. And if someone contacts you by email and pretends to be me asking you for personal information of any kind, tell them to go jump in the lake.
I made a PayPal payment to you through The Yaoi 911 Store. Is my PayPal account at risk?
No. You had to leave the Store and actually go to the secure PayPal site to make a PayPal payment and thus none of your PayPal passwords or credit card information were ever stored in my databases (which is one reason I went with PayPal; I didn’t want to store your private payment details). So long as no-one hacks PayPal, you should be fine.
What if I never created an account at the store or this blog? Are any of the other Yaoi 911 logins at risk?
No. There are a number of reasons I’ve kept this blog, my mailing list, my blog subscription list, The Yaoi 911 Zazzle Store, Yaoi 911 Prints and The Yaoi 911 Store as separate accounts and this is one of them. I use a different password for every single account, so even if the evil jerk was able to figure out MY password for The Yaoi 911 Store and its database, they couldn’t use it to get access to any of the database information anywhere else. If you are a Yaoi 911 News subscriber, a Feedburner blog subscriber or someone who’s bought from one of my other stores and your password is different than what you used for this blog/The Yaoi 911 Store (meaning at https://store.yaoi911.com, which is just used for downloading my comics) or you never signed up with this blog/The Yaoi 911 Store, then your information is safe.
(If you did create an account at The Yaoi 911 Store and used the same password on this blog, then change that password here now by logging in and changing the password on the bottom of your profile page!)
What’s going to happen next?
For the time being, I’ll be taking down The Yaoi 911 Store Web site. But I know there are some of you that found it a convenient way to download my comics, so I will start working on a replacement (ideally a very secure replacement) in the near future. This blog and the webcomic use much more secure software, so now that they are cleaned, they should be fine.
And in the meantime, all I can say is I’m sorry. And that I’ll do everything in my power to make sure this won’t happen again. (And to remind you: yes, please change those passwords if you used the same one on other sites!)