FAQ about recent malware issues and host change for Hyena Cart

Hi everyone,

I know it’s been an upsetting, confusing and frustrating month on Hyena Cart for many of you. There have been a lot of questions and I’ve tried to answer most of them via blog, emails and facebook posts. At this point, I thought it would be a good idea to post an FAQ so we have all of the questions and answers in one place. OK? So here we go:

What the heck has been going on on Hyena Cart lately?

On Monday, July 16th, and part of the weekend before, a hacker caused Hyena Cart to redirect peoples’ browsers to a site that installs the malware program Live Security Platinum on Windows computers. Our host put several ‘band-aids’ in place but ultimately could not find the source of the breach. Two more attacks occurred, one on July 18th, and the next on August 8. By the third attack, on Aug 8, the host was able to find the source of the breach (they had installed monitoring software earlier, but had to wait for an attack in order to find the entry point). The breach was patched and we have been running without issue since then.

Why couldn’t you fix the issue between July and Aug? There were several weeks in there — should be plenty of time.

We took that time to harden and patch different areas of the site. However, since the host had been unable to detect the exact weakness being exploited, it was impossible to tell if the issue had definitely been fixed. It wasn’t until the most recent attack (Aug 8) that the host was able to tell exactly how the hackers were redirecting users away from the site. As mentioned previously, this weakness has now been patched.

Was any information on Hyena Cart (passwords, addresses, etc.) breached?

No, the hacker was interfering with the server, not the actual Hyena Cart code and databases, so there was no information breach.

Why were sellers not notified by email in every instance?

When every seller signs up, they have an opt-in option into the Hyena Cart blog. This has been the main conduit for communicating all code updates, news and any issues on the site. Our Privacy policy states that: “Hyena Cart will not send promotional, service-related or information emails of any kind. If you wish to stay abreast of the latest Hyena Cart news, you may request email notification from the HC Blog. You can also request to be removed from this mailing list at any time.” It is extremely important to us that no Hyena Cart users, whether they are shoppers or sellers, receive unwanted email from HC.

That said, there has been one time (this past spring) when we did notify each and every seller about a password change initiated to enhance security.

And today, we are sending this note to every seller with an active account (past 2 months) to let you know a few specific things:

  1. We have sunsetted the Hyena Cart blog, which was ultimately not the most efficient way to reach you (it wasn’t available if the server was crashed or had issues, and it wasn’t possible to read posts if the site was blocked for malware)
  2. We have started a Google group, which will be the new way to keep in touch with Hyena Cart updates and issues. To join, please send an email to hyena-cart+subscribe@googlegroups.com
  3. We are switching hosts (more on that later) and this will entail some downtime for the site. We are currently estimating that this will happen Tues / Wed this week, but we will use the Google group and our Facebook page to give everyone notice: http://www.facebook.com/hyenacart

Is Hyena Cart safe now?

It is safe at the moment. We have consistently had over 10,000 unique users on the site every day and have had no recent reports of issues. As mentioned, the root cause of the recent attacks has been found and patched. However, hackers are constantly looking for new ways in, so there’s no 100% guarantee of future safety.

If our server is safe now, why are we switching hosts?

It simply took too long for our current host to isolate and fix the issue. The problem was at the operating system level — this is a service I pay for, not a job I manage myself. I depend on the host to manage the server and the operating system, come to me proactively if they find security weaknesses or breaches, and fix them. As you all pay me to provide a service — a safe, dependable, functional website to sell your items, I depend on them to provide to me a safe, dependable server from which to host my site. They failed in their job, causing me to fail in mine. I had to escalate issues multiple times before the source of the breach was found. Not only that, but it took three breaches of the site, over the course of nearly a month, to find it. One other point — multiple servers on the current host were attacked, which makes it seem that 1) that host is being targeted for some reason, 2) the attacks have not been targeted specifically at Hyena Cart (we’re just a site that happens to be hosted on their servers). So moving away from that host makes a lot sense at this point.

Why didn’t we just switch hosts back in July?

At that time, I didn’t know whether the breach was because of the server, or because of the Hyena Cart application code. If it has been the application code, then switching hosts would have made no difference whatsoever. The hacker could have just continued breaching the site, regardless of where the site was hosted. Without knowing the source of the breach, there was no way to know whether switching hosts would fix the issue or not, so I did not choose to move us at that time. It wasn’t until last week, when the host finally found the root cause, and I realized it was not related to the application code, that I decided we needed to switch (for the reasons given in the answer to the previous question.)

Will we be 100% safe on the new host?

Unfortunately, there are simply no guarantees of safety. Just like, no matter how sophisticated and up-to-date your security system is, your home may still be robbed. What I can say is that the new host offers specific site security and monitoring which we aren’t getting at our current host. At this point, we are certainly much more educated, aware, and defended against these types of attacks than we ever were before.

What is the process for switching to a new host? Will any of my information be lost?

No information should be lost. Here is the order of events:

  • Migrate all files and database information to new server <– this is currently in progress
  • Test site functionality on new server – this may be quick, or it might take longer, depending on how many things we need to fix in the application code and the server configuration to make sure things are working properly

The two previous things can happen while the site is live and running off of the old server

  • Freeze the site – once everything’s up and working on the new server, we’ll be ready to do a final sync with the old server, However, we’ll need to take the site offline at that point, to ensure no more updates are made in the database (so no information is lost). This will be the beginning of the downtime, and we will do our best to give at least 24 hours notice before this happens.
  • Final sync of old server to new server
  • Change DNS settings so hyenacart.com runs off of the new server
  • Site will now be live and running off the new server, but DNS settings take ~24 hours to propagate across the web, so it will become available to shoppers and sellers in waves, depending on their geography

So the site will be unavailable to you for somewhere around 12-24 hours, depending on how long the final sync takes, and how long the DNS settings take to update in your area. I will use the google group and the facebook page to let people know when the downtime will begin.

How are you letting all the shoppers and Spots’ Corner users know about the downtime?

Once we know exactly when the downtime will be, we’ll post an announcement on the the site and on Spots’ Corner, letting everyone know. We’ll also post to the Facebook page and Google group.

What happens to our paid time with this downtime?

Once we’re up and running on the new server, I will ensure that all sellers (store and Spots’ Corner) are comp’ed for the downtime (i.e. I will extend everyone’s paid time at least 24 hours, but probably more, just to be absolutely fair). I’ll do it as quickly as possible after we’re up and running, but please give me at least 24 hours.

What if I want a refund for time I’ve already paid for?

Please contact us at support@hyenacart.com for a refund if you feel it’s needed.

Leave a Reply

Your email address will not be published. Required fields are marked *