There has, in fact, been a security breach at lucyneatby.com.
The sole reason I am only very upset, instead of utterly panicked, is a decision made before we even started on this website: we would only ask for registration information we needed. This was: an email address (username) to identify you for access to your Notebook, a phone number to contact you in case your email did not work, and a country name. We would not store any credit card or other such financial information.
The phone number, by the way, can be anything (111-111-1111 for instance) if you do not wish us to be able to phone you!
The Dirty Stuff
As I was doing a look-through of the files on our webhosting server yesterday, I noticed a file I did not recognize. It turned out to be malware. I then checked all the files that run the website and found one that had malicious code inserted. I deleted the file and uploaded a clean copy. So far, so good.
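The look-through described above can be done mechanically: record a hash of every file that runs the site while it is known to be clean, and later compare a fresh scan against that record so that an unrecognized file or an altered one stands out. The script below is an added example, not code from lucyneatby.com or its hosting provider; the web root, file names and contents are constructed for the demonstration.

```python
"""Added example (not from the original post): a minimal file-integrity
baseline for a web root, so that a new or altered file stands out
without a manual look-through. Paths and sample files are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Compare a stored baseline against a fresh scan.

    Returns a dict with three sorted lists:
      added    - files present now but not in the baseline (the 'file I did
                 not recognize')
      modified - files whose content hash changed (the 'malicious code
                 inserted' case)
      removed  - files that have disappeared
    """
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed web root, take a baseline, then simulate the two
    changes described in the post and show that both are detected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "inc" / "config.php").write_text("<?php $db = 'shop'; ?>\n")
        baseline = hash_tree(root)

        # Simulate what was found: one existing file altered, one unknown file.
        (root / "inc" / "config.php").write_text(
            "<?php $db = 'shop'; /* tampered */ ?>\n")
        (root / "unknown.php").write_text(
            "<?php /* constructed unknown file */ ?>\n")
        return diff_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Keep the baseline manifest somewhere other than the server being checked, since whoever can alter the site files can alter a manifest stored beside them; the cleanest reference is the copy of the site you upload from, compared against what is actually on the host.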
The next thing to do was to look at how this breach could have been accomplished. There were two ways that seemed likely: firstly, our password had been leaked somehow; secondly, there was bigger trouble affecting the entire server (the machine on which websites are hosted–ours being one of many on that server). Judging by the kind of things that were done, the second scenario appears more likely.
A Good Thing Gone Bad
Our webhosting company was originally quite good, and responsive to our support requests. They were bought out last year by a larger outfit. Response times for service complaints and website function issues have become slower than anything one would consider reasonable. Their responses have often been downright unhelpful, as though nobody there understands how this stuff works!
Their current setup does not allow me to inspect the server security settings, and also does not allow me to tighten up how our files can be accessed. Right now, anyone who has legitimate or illegitimate access to the server can view and mess with ALL the websites on that server. This means that even though I have uploaded clean files to run the website, this person could again break in if they have not lost interest. The upshot of this is that I have begun to search for a new hosting service, one that will allow for better controls and will let us have a virtual machine, ideally at a price a very small business can afford.
I totally understand now why people open up Etsy shops, instead of dealing with the pain of an eCommerce website. There is no such thing as ‘totally secure’. ALL websites can be hacked, some more easily than others. The question is not one of if, but of when. (With a website, one must have a recovery plan and all the file backups.)
Possible Data Loss
As far as data loss is concerned, there is a possibility that the usernames (emails) and encrypted passwords were stolen. Unless your lucyneatby.com password was also used for other websites (gmail? bank? …), this should not cause you any concern. I suspect the actual objective of the intruder was to get some juicy credit card numbers.
Even though the only data that could have been accessed was fairly benign, and could be found in a phone book or other public directory, the scoundrels would use it by trying every password against every email address (using hacking software to eliminate any drudge-work) and then seeing whether any combination allows them access into other sites with more useful fruits than your cache of knitting patterns and videos.
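Seen from the other site's side, that pattern has a recognisable shape in the login records: one source address trying a long run of different account names in a short time, which no legitimate user does. The detector below is an added example, not code from lucyneatby.com; the log format, the threshold of five distinct accounts in ten minutes, the 203.0.113.0/24 addresses (a documentation range) and the example.com accounts are all constructed.

```python
"""Added example (not from the original post): a small detector for the
credential-stuffing pattern described above, run over constructed login
records. Log format, thresholds and addresses are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source trying many different accounts, plus
# ordinary users who mistype a password once. 203.0.113.0/24 is a
# documentation range and example.com is a reserved example domain.
SAMPLE_LOG = """\
2024-03-01T09:00:01 ip=203.0.113.9 user=alice@example.com result=fail
2024-03-01T09:00:02 ip=203.0.113.9 user=bob@example.com result=fail
2024-03-01T09:00:03 ip=203.0.113.9 user=carol@example.com result=fail
2024-03-01T09:00:04 ip=203.0.113.9 user=dave@example.com result=success
2024-03-01T09:00:05 ip=203.0.113.9 user=erin@example.com result=fail
2024-03-01T09:00:06 ip=203.0.113.9 user=frank@example.com result=fail
2024-03-01T09:05:00 ip=203.0.113.44 user=alice@example.com result=fail
2024-03-01T09:05:20 ip=203.0.113.44 user=alice@example.com result=success
2024-03-01T09:07:00 ip=203.0.113.80 user=bob@example.com result=success
"""


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict; None for blank/bad lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    record = {"ts": datetime.fromisoformat(parts[0])}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        record[key] = value
    return record if {"ip", "user", "result"} <= record.keys() else None


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that attempt logins for at least `min_users` distinct
    accounts inside any `window`-long span. A single user retrying their own
    password never trips this, because the distinct-account count stays at 1.

    Returns {ip: {"users": n, "failures": n, "successes": n}} for flagged IPs,
    where "users" is the largest number of distinct accounts seen in one window.
    """
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    events.sort(key=lambda r: r["ts"])
    by_ip = defaultdict(list)
    for r in events:
        by_ip[r["ip"]].append(r)

    flagged = {}
    for ip, recs in by_ip.items():
        max_users = 0
        start = 0
        for end, r in enumerate(recs):
            # Slide the window so that recs[start:end+1] all fall within it.
            while r["ts"] - recs[start]["ts"] > window:
                start += 1
            max_users = max(max_users,
                            len({x["user"] for x in recs[start:end + 1]}))
        if max_users >= min_users:
            flagged[ip] = {
                "users": max_users,
                "failures": sum(x["result"] == "fail" for x in recs),
                "successes": sum(x["result"] == "success" for x in recs),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

The one success in the flagged run is the point the post makes: a reused password is the only thing that turns a list of old usernames and hashes into a working login somewhere else, which is why changing that password everywhere it was used matters more than anything the hosting company does.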
If you have used your lucyneatby.com password on other sites, please go there and set a new password now.
Since I have no way of knowing whether our webhosting provider either knows or cares about what is going on (still no reply from them to my support ticket), there is always the possibility of other mischief.
So, be vigilant and do remember to check your credit card statements and watch out for phishing emails that pretend that an organization (that looks familiar to you) needs you to enter your password on their (faked) website! Those faked emails are getting so good that I have to look twice! In fact, this arrived just an hour ago in my mailbox—Subject: Confirmation of Credit Note of USD 500000.00 vide Credit Note ID 96423500—and the message text contains a link to a well-faked website login page. If the amount had been something normal (say $5.00), I might have fallen for it, as it looks really good and purports to come from a business I deal with.
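The "look twice" that catches such a message is usually the same check: where does the link actually go, and is that the business the email claims to be from? The script below does that check over an HTML message body. It is an added example and not code from lucyneatby.com or the business the post mentions; the sender address, the example-supplier.com and evil-phish.example domains (the latter on the reserved .example top-level domain) and the message body are constructed, and the "last two labels" rule for a domain is a simplification that real code would replace with the Public Suffix List.

```python
"""Added example (not from the original post): checking the links in an
HTML e-mail against the domain the message claims to come from, which is
the 'look twice' step described above done mechanically. The message body,
sender address and domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message in the style described in the post: a payment-themed
# subject and a link whose visible text names the supplier's site while the
# real destination is elsewhere.
SAMPLE_SENDER = "accounts@example-supplier.com"
SAMPLE_BODY = """<p>Confirmation of Credit Note (constructed sample)</p>
<p><a href="https://login.example-supplier.com.evil-phish.example/credit">https://portal.example-supplier.com/credit</a></p>
<p><a href="https://portal.example-supplier.com/help">Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption: adequate for .com-style names; real code would consult the
    Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html_body, sender_address):
    """Return the links whose real destination is not on the sender's domain,
    or whose visible text names a different host than the href."""
    sender_domain = registrable(sender_address.rpartition("@")[2])
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) != sender_domain:
            reasons.append(f"destination {host} is not on {sender_domain}")
        # Only compare the visible text when it looks like a URL or host name.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append(f"visible text says {shown} but link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_BODY, SAMPLE_SENDER):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The first link trips both tests: its real host is on evil-phish.example rather than the claimed sender's domain, and the text displayed to the reader names a different site from the one the link opens. The plain Help link passes. The same comparison, done by eye, is what the post recommends before typing a password into any page an email sent you to.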