Dear Consumerist Readers,
We have completed another phase of our investigation into the recent attack on our pages. As you know, on September 20th, our pages were altered to redirect readers to outside websites. Our response was to take the site down and arrange to provide an interim site hosted with WordPress VIP. This message will be posted on that site, as well as Facebook. We also intend to notify registered users via email. This may take some time, as we have to set up new systems to process a large-scale email.
We have been conducting a forensic analysis utilizing an independent firm that specializes in cyber security and forensics.
We now know that the vector of attack in this incident involved systems maintained by our former hosting provider. We have not seen evidence of misuse of our users’ personal data, but as of this time, we cannot say for certain what information was (or was not) accessed by the attacker(s). We have obtained copies of our data and requested that any remaining data containing Consumerist user information be deleted. Our former hosting provider has confirmed that it has complied with our requests.
In accordance with our high standards of transparency, we would like to inform you that this incident took place, and that registered users’ email addresses, usernames, and salted and hashed (encrypted) passwords may have been available to unauthorized individuals. To repeat, all passwords were salted and hashed according to security best practices and were not available in plain text. However, we strongly recommend that you change your password at any other website at which you used the same password. We also recommend that you never, under any circumstances, reuse a password on Consumerist, or any other site.
We are deeply sorry about this incident and would like to assure you that only registered users’ accounts are potentially affected. No other systems related to Consumerist were hosted with this vendor. Donations to the Consumerist are not processed or collected on Consumerist.com. Absolutely no credit card or debit card information was available to this vendor. Those who simply visit the site, and do not comment or log in, are not affected.
Going forward, we plan to migrate the content archive to WordPress VIP. We hope to have that complete soon. We are also working on a solution that will allow us to reenable commenting while adhering to our own privacy standards, which do not allow the sharing of personally identifiable information with outside organizations who could use it for marketing or other commercial purposes. This means there is no quick and easy solution, and we apologize for the inconvenience while we rebuild.
Thank you for your continued patience and understanding, and again, we are deeply sorry. As an organization, our goal is always to make certain that consumers come first, both internally and with any company that we choose to work with.
FAQ (Updated 10.2.2012)
Q: Does this mean that a hacker has accessed my user name, email address and password?
A: We now know that the vector of attack in this incident involved systems maintained by our former hosting provider. We have not seen evidence of misuse of our users’ personal data, but as of this time, we cannot say for certain what information was (or was not) accessed by the attacker(s). The passwords are secured in accordance with industry best practices. They are salted and hashed. We strongly recommend that you change your password at any other website at which you used the same password. As a matter of prudence and good practice we always recommend that you do not use the same password at more than one site, including Consumerist.
Q: Does this mean that if I visited Consumerist, my computer might have been infected?
A: We don’t know for sure, but if you are worried about a possible infection, you should use your anti-virus software to run a complete scan of your machine. If you don’t already have anti-virus protection on your computer, we strongly suggest you get some. And for additional suggestions on how to cleanse your machine, you can consult the StopBadware.org site.
Q: Why isn’t Consumerist back up and running?
A: Going forward, we plan to migrate the content archive to WordPress VIP. We hope to have that complete soon.
Q: Will this new site have all the same features and content as the old site?
A: As an organization, Consumerist feels really strongly about not sharing our users’ personal information with outside organizations who may want to use it for commercial interests. Because of that, there is no easy “out of the box” solution for commenting on our new hosting provider. While we build something that meets our needs (and yours), Consumerist will temporarily not feature commenting. We are sorry for the inconvenience, and hope to have commenting back soon.
Q: How can we help you?
A: Your patience, letters of support and criticism, as well as offers of assistance are all welcome and appreciated. You can reach us at firstname.lastname@example.org.