I wanted to circle back and provide an update to my earlier post about the spam emails that some people have received. In total, we received 19 reports from users (including employees here at onOne) who received an email (click here and here for examples of what the emails looked like; warning: I would not recommend going to any URL that you see in these graphics) to an email address that had only been supplied to onOne Software for the purpose of requesting a trial download or registering a product purchased at a retail store. Just to reiterate, we did not sell or knowingly make available any email address to a third party.
Since this was brought to our attention, we have spent over 240 hours collectively between 3 employees of onOne Software and 2 external contractors that we have worked with for over 4 years looking into this incident. Clearly, some of you received these spam emails at addresses that were only made available to us, and since we didn't send them (the original emails were sent by exploiting the Share This feature at Flickr, as discussed here) that would imply some sort of breach of our database. During our investigation, we found that a PHP file that we did not create was somehow copied into a temporary directory that was used by a PHP-based site search engine that we had been using for over a year. In that PHP file were many links pointing to another site that in turn had a set of links formatted in the same way that pointed to yet another web site based in Russia. It appeared to us that this Russian-based web site had done this in an attempt to increase their Google search ranking, as there were very specific calls in the PHP file to try to get picked up by Google's search engine.
However, just writing a file to that temporary search directory would not have given anybody access to our database. Additionally, we realized that this file had been placed in this directory within 24 hours, and we removed both it and the search engine immediately. We have since replaced that search engine with one that we have licensed from Google.
Aside from this temp directory being written to, we could find no other evidence of a server or database breach. This is frustrating, but I can't provide concrete evidence of how any email address could have been stolen from us. I could speculate, but it would be just that. Regardless, here is what we've done to try to prevent anything like this from happening again.
- We’ve updated all of our servers with the most recent security patches available and have double-checked our existing plan to have updates applied on a regular basis.
- We’ve contracted with two separate consultants to perform a security audit of our site and have implemented their recommendations.
- We have recently renewed our Verisign SSL Certificate using their 256-bit encryption to meet their Extended Validation requirements, which is the highest level of SSL certificate they provide, ensuring a secure environment for any e-commerce transaction.
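The file drop described above (a PHP file that nobody on staff wrote, sitting in a temp directory that a PHP search engine had write access to) is the kind of thing a periodic scan of web-writable directories catches early. The script below is an added example, my own code and not onOne's or the search engine vendor's: it walks a directory, flags any file whose extension the PHP handler would execute, counts outbound links (a "cache" file with dozens of them is a link farm), and looks for the crawler-cloaking markers such droppers use to get picked up by Google. The directory layout, file names and the planted payload are all constructed for the demo; the real search engine and its temp path are not named on the page.

```python
"""Scan a web-writable cache/temp directory for dropped PHP files and
link-farm payloads.

Added example, not onOne's code. The directory layout, file names and the
planted payload are constructed here so the script runs offline.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Extensions mod_php / php-fpm will typically execute. None of them belong in a
# directory that a search engine or upload handler writes to.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Outbound links; a cache file with dozens of them is a link farm, not a cache.
LINK_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

# Markers typical of SEO droppers: crawler cloaking, hidden blocks, and PHP
# code hiding inside a file that claims to be data.
MARKER_RES = [
    re.compile(r"googlebot", re.IGNORECASE),
    re.compile(r"HTTP_USER_AGENT"),
    re.compile(r"display\s*:\s*none", re.IGNORECASE),
    re.compile(r"<\?php", re.IGNORECASE),
]


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def scan_dir(root, recent_seconds=24 * 3600, link_threshold=10):
    """Return a Finding for every file under root that looks out of place."""
    findings = []
    now = time.time()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext} in a data directory")
            try:
                with open(path, "rb") as fh:
                    text = fh.read(512 * 1024).decode("utf-8", errors="replace")
            except OSError:
                continue
            links = LINK_RE.findall(text)
            if len(links) >= link_threshold:
                hosts = {re.sub(r"^https?://([^/]+).*", r"\1", u).lower() for u in links}
                reasons.append(f"{len(links)} outbound links to {len(hosts)} host(s)")
            for pat in MARKER_RES:
                if pat.search(text):
                    reasons.append(f"matches marker {pat.pattern!r}")
            # Recency alone is normal in a temp dir, but next to other indicators
            # it bounds the exposure window, which is what the incident timeline needs.
            if reasons and now - os.path.getmtime(path) <= recent_seconds:
                reasons.append("modified within the last 24 hours")
            if reasons:
                findings.append(Finding(path, reasons))
    return findings


def build_sample_dir():
    """Create a constructed temp dir: one legitimate cache file, one planted dropper."""
    root = tempfile.mkdtemp(prefix="search_tmp_")
    with open(os.path.join(root, "query_cache_1234.dat"), "w") as fh:
        fh.write("query=focalpoint trial\nresults=3\n")  # benign, constructed
    # Constructed payload: cloaks a hidden block of 12 links to crawlers only.
    links = "".join(f'<a href="http://example.net/p/{i}">item {i}</a>' for i in range(12))
    dropper = (
        "<?php\n"
        "if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
        f"  echo '<div style=\"display:none\">{links}</div>';\n"
        "}\n"
    )
    with open(os.path.join(root, "index_cache.php"), "w") as fh:
        fh.write(dropper)
    return root


if __name__ == "__main__":
    for finding in scan_dir(build_sample_dir()):
        print(finding.path)
        for reason in finding.reasons:
            print("  -", reason)
```

Run it against the real temp path on a schedule (cron, or a file-integrity tool doing the same walk) and alert on any finding; the benign cache file produces none, the planted file trips every check. One caveat worth verifying rather than assuming: a PHP file in any directory the web server will execute from runs as the web server user and can read whatever that user can, which usually includes the application's database configuration, so "a file in the temp directory" is only harmless if PHP execution was actually disabled there. Under Apache with mod_php that is `php_admin_flag engine off` inside a `<Directory>` block for the temp path; for any handler, `RemoveHandler .php .phtml` in the same block also stops execution.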
I’d like to thank everybody who sent the emails they received to us to help us try to figure out what happened. I’ll be following up with each of you individually after this blog post. Further, I’d like to thank Kevin C. from Yahoo! who helped clear up some confusion of mine about how the spammers had taken advantage (ever so briefly) of Flickr’s Share This feature. If you have any questions or comments you can share them with me using our Contact form.
I just wanted to say, thank you for providing this update. It’s a tough situation for a sysadmin and a company (this type of thing has happened to a ton of companies), and you handled it pretty well.
Ed
November 19, 2009 at 3:32 pm
Yes, many thanks for taking this seriously.
It’s quite interesting how companies respond to situations like this. Too many of them take a cavalier “it must be our customers’ fault” approach.
A pity you can’t find the source. (Most often, customer email addresses are stolen by a virus sitting on a production, test or development machine, so presumably this is covered in the audit you are undertaking.)
And thanks for communicating with us individually AND publicly through the blog. Both are necessary and valued channels.
You have responded thoroughly, courteously and promptly, and this says a lot about how you treat your customers.
Anonymouse
November 19, 2009 at 5:09 pm
I agree completely with Anonymouse. I was one of the people to contact onOne Software when I noticed spam coming to a unique email address that I had used with them. The other times that this happened to me, the companies involved (MacMall, Netbank) didn’t even bother to reply to me. Thanks, onOne for taking your customers’ privacy seriously.
P.S., MacMall and Netbank, I have never and will never do business with you again since you chose to ignore me regarding my email getting spammed. These things matter.
Gene
November 19, 2009 at 5:26 pm
OnOne found themselves in a very difficult and hard to defend position. A position I would hate to find my own company in and OnOne did all of the right things, one of which was transparency, and as a result I will remain a loyal customer.
What everyone has said above and more. Bravo OnOne, for going beyond expectations and really taking this issue on board and dedicating so much time and energy into finding the source of the intrusion.
I am one of the persons with a unique email address. I chose to keep the email address unblocked out of curiosity to find out how hard the email address would be hammered with new spam. To my surprise I only received a total of 3 spam messages! I am sure that your diligent efforts have made the difference in the amount of spam coming to my inbox and I have been able to continue to use the unique email address originally supplied to your company.
Once again, Bravo OnOne. Keep up the good work!
Zoe
Zoe Simpson
November 20, 2009 at 4:58 pm