homeautomationnet.com compromised

[electron]

This is the email I got from the site, I never got the fraudulent email they are talking about, so in case you have bought from them in the past, but never received the notification about this incident, here it is:

Dear Valued Customers,

At 4:15 the morning of Dec 31st a hacker gained access to our site.  He was able to send all customers a fraudulent email.   

I can assure you that we do not keep any credit card information in our database, so there is no way this can be compromised.  We can not even get to your credit card information, this is protected under the strictest of new card handling guidelines.  The hacker appears only to have used a bulk mailing program in our admin panel to send out his advertisement.  There is no trace that anything else was accessed or any info was downloaded. Unfortunately he used an alias IP so we can not track his actual origin.

We have implemented several new steps to protect our site and your purchase information and assure you will continue to look for all available methods to stop this from ever happening again.

As a token for putting up with this inconvenience we have set up a coupon, “email†good for 10% off of all orders all items this is good until Jan 11, 2004.

I pray for your understanding, have a great New Year.

Bill Erskine
President
www.homeautomationnet.com

 

[BraveSirRobbin]

Isn't this the same guy who swore up and down that no hacker could gain access to their email listing so others may use it to spam people?

Oh well :lol:

 

[electron]

yep same person! I feel bad for him, but it shows that I wasn't crazy :lol:

 

[jwilson56]

What I don't understand about these types of hacks is that the people hacked say they can't figure out who does it. Would not the place that was advertised have something to do with it? After all is that not the purpose of sending the email out, to gain customers (like anyone would even try their products considering how they got you to see the add). I guess I don't see the point. If its a third party thats paid based on the number of emails they do then the place that is advertised still should be responsible.

John

 

[BraveSirRobbin]

John:

I agree with what you are saying. Don't really know if we can apply logical reasoning with these types of hackers.

Dan:

I feel really bad for him also. I always knew you knew what you were talking about in "that" HS posting. This proves it.

Bill seems like a guy who would go to the ends of the earth to please his customers as was shown by some of his customer's replies. I don't think he is a "bad" guy. Just a victim. Maybe this could have been avoided, maybe not. I certainly hope this does not affect his buisness (i.e. livelihood), and wish him the best of luck to get things resolved!!!

(Oh, BTW, I received this EMail also)

 

[electron]

well, I was hoping he would check his system security big time after I posted on the HS forums about this. The sad part is that I got this bulk email many months ago, so who knows how long this database has been compromised.

jwilson56: I agree, I do this stuff for living, there is always a way of tracking these kind of break in's, I can understand they are proxying their connection thru other compromised hosts, but if you ask those other hosts nicely who was connected to their host, you can track down who the intruder is (in most cases at least). I also agree that the company that is selling their products to the people listed in that stolen database should be held accountable or at least be investigated (you try driving a stolen car someone sold to you, won't be for long).

 

[AutomatedOutlet]

I feel bad that he had a break-in but what I don't understand is why this information was in a database on his website? He should keep all customer information off of his website.

 

[justonemore]

That's good to hear Martin

 

[AutomatedOutlet]

Yes, if someone broke into my website, all they could really do is mess up my website listings. It would be a nuisance but I could just republish it and it's fixed. The on stuff that's there is the listings & product information. There is absolutely NO customer data at all stored within the website. Even my mailing list is on a different system.

 

[electron]

Martin:

sssssh!

People might adapt your security model, and I would be out of a job

I am glad to hear that this is how your site is setup. I would guess that Bill got one of those store package deals, where the hosting company takes care of the backend (ordering,payment, etc...), and the hosting company put it all on 1 server (maybe there was an issue with the administrative interface, or he had an easy to guess password). However, you can't just tell people what the intruder did NOT download (which he did), since not everything is logged, and an intruder that knows what he is doing (since they can't catch him I assume he does) would be able to hide his tracks anyways.

 

[AutomatedOutlet]

Yea, I gues it's a good thing to keep stuff on separate systems. When I first started out I used on of those packge storefront things. I found that it was was too inflexible and they really get you hooked and the fees start adding up fast. It was certainly a ramp-up for a non-programmer like me to put together that website but I think I have it pretty much in control now. It's 125 pages and growing about 10-20 pages a week at this point. I don't want to know HTML so I'm just doing it in Netobjects Fusion. It's a lot easier for someone like me.

 

[electron]

Well your site seems to have a great uptime, and I am able to find anything, not a bad job for someone that doesn't know HTML. If you ever do need help, let us know, plenty of us know HTML.

 

[AutomatedOutlet]

Ha! HTML is a four letter word to me. Yea, the hosting is with Godaddy and they have been really pretty good. I've never seen downtime that I know of. I have other site hosted with Verio that don't do as well and cost a lot more.