June 28, 2015
[PSA] SECURITY BREACH UPDATE – AROMALEIGH WEBSITE IS BACK UP!
I am happy to report that the website has been given a clean bill of health from SiteLock, and has been outfitted with SiteLock Infinity enterprise level security, as well as SiteLock TrueShield Web Application Firewall. At this time, all orders that were in the queue have been printed out, and will be shipping out tomorrow morning. You may resume shopping on the site, or on the clearance site.
The site was protected by SiteLock security when the hack occurred, which is what fortunately provided very fast notification, so that the site could be disabled.
The hack specifically was a “drive by download” attack, which is a very sophisticated attack which attempts to place malware on the computers of users who download and install the download file. We’ve determined that the malware was only present on the site for a few hours, so this hack could only have affected you if you visited aromaleighcosmetics.com during that time frame. You would have seen a completely white screen, and been prompted to download an updated version of Flash. The malware file was an .exe file, so it was targeted towards Windows users, not Apple users. I accidentally downloaded the file about ten times to my Mac’s download folder, while testing the site in different browsers. I deleted the file and securely emptied my trash. Windows users who have tight security on their machines should have been alerted to the file, and had it deleted. The file was designed to only affect Windows desktop machines (no mobile devices), and could only have infected the host computer if it had been installed.
This type of hack is not used to obtain customer information or payment details, and Aromaleigh has been using PayPal and PayPal Pro Merchant Services for credit card payments, so no customer payment data was stored on the site. As a precaution, I suggested on the 23rd that concerned customers may wish to change their PayPal password, or be more vigilant in checking their online accounts for any unusual activity. At this time, we know only of two customers who could have been affected by the malware, and they were both using Apple computers. We’ve received no reports of any customers having their PayPal accounts compromised.
I have tested the site in various browsers, and at present, Google is still showing a bright red warning screen. SiteLock has assured me that Google has been notified that the site is fine, and this warning should drop off shortly.
You can verify that the site is safe by clicking on this SiteLock verification graphic, below. Warning messages do not appear in Safari, or Firefox.
I have also tested the site at SSL Labs/TrustworthyInternet.org. You can view the report or run reports on other sites you shop with, here. (Indie owners: you can also use this to test your own site’s security and vulnerability to attacks. This site grades harshly, so don’t be alarmed if a shop comes back with a B or C grade. Out of curiosity, I ran a report for Sephora, and their grade is a B.)
Even with all the recent costly security upgrades I’ve made, I still receive a B as my grade, which is what my grade was prior to the attack. If you run a report on your site and it comes back as an F, then you’ll probably want to take some fast action to shore up your site security. If you are running your site on Big Commerce or other turnkey e-commerce solution, you’ll most likely get a result that says “certificate mismatch”. All this means is that the SSL certificate for your site, usually provided by your turnkey host, doesn’t match your store’s URL. It typically won’t. You can still run reports for other aspects of your site and see any vulnerabilities.
This whole experience has been terrible, but eye opening. I would hate to see any other indie owners have to go through this, or customers, for that matter! Be safe, everyone!
In light of this recent security breach, I’ve begun the process of migrating the website over to a brand new platform and provider, Big Commerce. Big Commerce is a turnkey e-commerce solution which is similar in principle to Yahoo Store, which Aromaleigh was with for over 16 years (and where our clearance site is currently hosted). With Yahoo Store, I never experienced any hacks, security breaches, or down time (I switched from Yahoo to Woo Commerce because Yahoo is about 15 years behind the times in terms of store design and customer features). With Big Commerce, there is a high level of vigilance in security, as well as a dedicated support team, but it has all the great customer features that you’d expect out of a modern and up to date online shop. Woo Commerce is a stand-alone, open-source product, which users install onto their own server space, making it very different from Yahoo, Big Commerce, Shopify, 3D Cart and others. While I could continue on Woo Commerce using the SiteLock Infinity product and their firewall, this level of security is prohibitively expensive for a small business such as Aromaleigh. It’s the type of security that enterprise shops, such as big name brands, are able to afford to use.
I will not be able to migrate customer data, profiles or orders with the switch, due to PCI compliance laws. So I’m reminding customers to go into their accounts and save/copy/paste/screencap their shopping histories. You’ll need to create a new login on the Big Commerce platform shop, when it opens. I look forward to the move to Big Commerce. They’ve shown a lot of forward-thinking in relation to online commerce in the past few years and I feel that it will be a great place for Aromaleigh to call home. I am estimating that the migration will be completed in about two weeks. There will be a period of a week or so where both sites will be open, while we make the transition. Facebook, Twitter or the Aromaleigh blog are the best places to get the most up to date information about the whole process.
As always, thank you for your patience through this situation. I really appreciate all of your notes and messages; they have helped me turn lemons into lemonade! I don’t know how I would have made it through the past week without your support. I am so grateful to have such amazing customers.
Kristen Leigh Bell
Owner, Aromaleigh Cosmetics