300,000 Affected by JoomDonation Hacker

I have your data - JoomDonation Hacker

When a hacker holds your small business for ransom, what would you do?

Late last week Tuan Pham Ngoc, developer of JoomDonation, a product of OS Solution, confirmed there was a security incident which ended up affecting over 300,000 Joomla users, most of them associated with JoomDonation.  A hacker broke into an OS Solution e-mail server, stole account information, and distributed a nastygram email to account holders (see the letter below, for context).

Threats contained in the email itself warned that all user details were exposed, including logins and passwords.  JoomDonation developer Tuan Pham Ngoc, stated otherwise, in his forum response, re-posted below without edits:

Dear all,

As you know, today, our hosting account was hacked. The hacker got a small part of our users information (only name and email) and emailed to these users that their sites were hacked.

In fact, these sites are not hacked at all.

We have been working hard on this issue. Here are something we found and would like to inform you about them:

1. The security issue is not related to our extensions at all. So all the sites which are using our extensions at the moment will still be safe.

2. The issue came from a security hole in the hosting server which we have used. We have been using a VPS server to secure customers data, unfortunately, there was still security hole and the server has no Firewall software, so the hacker could get into the system and stole these information. We are working to move our website to a more secure server with a better hosting provider. However, it will take us one or two days for doing that.

3. The hacker just got a small part of our users information (contain name, email) and publish some of them. Few hours after the information was published (just name and a part of the email – the domain of the email is hidden), it was deleted and could not be viewable from public. So the information would be secure from now as well

4. We can assure that your sites are still safe. However, we advice that you change super admin account (and FTP account) of your site.

5. We will continue analyzing the server logs and will inform more information about this issue ASAP.

We are really sorry about this issue and hope you will stay with us and do more business with us in the future. Our extensions are good and secure, it is just the hosting server insecure and causes us all these trouble.

Sincerely,

JoomDonation

The hacker seems to be contacting people who may have shown interest in, or purchased JoomDonation extensions. According to the developer, the hacker is also contacting non-customers as well. JoomDonation products include:

  • Events Booking
  • OS Property
  • EShop
  • Membership Pro
  • EDocman
  • CSV Advanced
  • OS Services Booking
  • Joom Donation
  • Documents Seller

Follow-up official statement from JoomDonation on November 29th, 2014:

As you might be noticed, on November 27, 2014, some joomdonation.com users received an email saying that their websites are hacked, there are 5 days for them to clean the site, otherwise, the hacker will put down these sites. You can see a full email as joomdonation.com/forum/events-booking-ge…g-message.html#53309

However, things are not really bad/serious like that. We had worked very hard to find out the root of the issue, understood what happened and quite confident that our customers websites are still safe. Following are the details:

1. How the hacker got into system:

That happened few months ago, when our website was still being hosted on a shared hosting environment. From a hacked site on the same server with our website, the hacker could get into our system. Because of a security hole in the infrastructure of the hosting provider, even after we moved our website to a VPS server (same provider), the hacker can still get into our system.

2. What did he do:

– He got a part of our users data (name and email), used Mandril to send emails to all these users, threaten them that their websites are hacked…

– Even users who not using our products / not using Joomla websites any more still received that email. We think he did that just to scare our users, make them fear and move away from using our products.

3. What did we do to resolve the problem:

– We scan our website files to make sure they are clean and safe.

– We also use website-antivirus service from Sucuri (sucuri.net/website-antivirus/) to make sure the site is clean and protected.

– Since the problem caused by the hosting security, we decided to move our website to rochen hosting (Joomla! offical host).

– Our team and Rochen’s system engineering team had worked together for two days to ensure the site is secure and protected before going live.

– We also checked all of our extensions again and we confirm that they are secure.

4. What should you do:

– Our extensions are secure, so you won’t have to worry if you are using them on your site.

– You should change super admin account/ FTP account of your site.

– Make a backup your site.

By the way, we would like to take this chance to say thank you to all of our customers who have been using our extensions and services. We hope that you will continue to do the business with us.

Best regards,

JoomDonation Team.

Below is the criminal’s email, sent out to 300,000+ users:

How the hell are you? No need to ask, I’m fine!

I’m the one who has hacked all of your sites, emails, accounts etc. that has been using JoomDonation.com site/components. Scaring? Hell Yea :-)

About 15 months ago, I was able to penetrate into several Joomla sites. One of these luckies was JoomDonation.com After a while I realised that their crappy components were used by other Joomla developers too so I injected my shells into JoomDonation.com components. As per result, I’ve a list of 300000+ Joomla users+emails and you’re just one of them, lucky thing :-)

..

Yea Yea I know you all have scanners, firewalls, admin tools etc installed on your server/site but you what? F*ck em all. They’re just noob tools. Think about, I’ve injected my own shells into 10000+ Joomla sites and none of you or your magic tools have been awared of.

WARNING: You have 5 days to clean up your sites then my bot will start putting your sites down. If your site was not so valuable for me, removing the components would be enough. If so, then I will most probably blackmail you soon :-)

Want an advice from a hacker? Don’t use any script from Thailand/Vietnam developers, their code is so crappy :-) Try Indian quality.

This email was sent to all JoomDonation.com users. We’ll meet again if you have accounts registered to other Joomla developers :-)

‘corePHP’ will keep you updated on this and other web security issues.

Update on Wed, December 3rd, 2014:

Apparently, the same hacker is still at work on the JoomDonation site and business, maliciously calling out OS Solution and the developer, and using the developer’s own credentials to post his diatribe. Here’s the latest, on the JoomDonation Forum.

The Core Team
Editorial Staff Members at 'corePHP'
Editorial staff for the Core Technology Blog for 'corePHP' - news, views insights and advice for e-commerce, marketing technology , web design and development.