Are you an Internet marketer or involved in any affiliate marketing programs? If you are or intend to be in the future, you need to read this and learn how to protect your information, because affiliate programs need vital tax information or even PayPal information to both pay you and send you tax documents at the end of the year. Recently Joomlart was hacked and, upon further digging, Joomla may also have been hacked, and the information shared is sensitive.
This blog post is a public account of the issue along with advice on how to protect your information.
On Friday December 5th, 2014 at approximately 4:11 PM an email was dispatched from a hacker which stated the following:
Hi, We wanted to tell you about your details from Joomlart.com Affiliate program all your password are not decoded and they can see your password. You can see all your details in attached file Many of you , use this password for your paypal or your administrator or emails , If you need more details contact us firstname.lastname@example.org We have 360000 Joomlart’s forum users email that you can use for ads If you have any queries, please don’t hesitate to ask and we’ll be happy to assist. SOSHKT@GMAIL.COM
Immediately I hit ‘ctrl f‘ and did a search for my name and indeed it was in there. Along with my PayPal email address and a password I commonly used several years ago in forums. This 84 page PDF was publicly displayed as a link on a site called JoomlaCheap.com.
Just to make sure this wasn’t a hoax and before I started calling PayPal, I chose a random user that had a numeric password and was able to log in to their PayPal account with this public information. Immediately I called PayPal and posted in the Joomlart forums. I also reached out to the user whose account I was able to log in to.
Contacting PayPal About the Breach
My first of 3 different phone calls to PayPal, explaining the information and the breach, was basically unsuccessful. The security agent explained that someone from their executive team would contact me within the next 24-48 hours. I explained that this needs to be escalated immediately and that I was able to log in to a PayPal user’s account, but I didn’t tell him which account. He assured me it would be handled promptly.
An hour or so went by and I hadn’t heard anything, and during that hour I tried to contact the owner of Joomlart and Tucows (to disable the domain) and worked with another gentleman on Facebook to get the word out to Joomlart members that their information was out there in the public.
Meanwhile I hadn’t heard anything from PayPal, so I called again. This time I was put in touch with the limitations department and was assured that I would not be prosecuted for merely logging into someone’s account, and he wanted the user’s email address so he could change it. He also instructed me to forward that email I had received to email@example.com, which is a common email that takes a while for folks to get to. I gave him the email of the user whose account I was able to log in to and he assured me this would be escalated and dealt with promptly.
Several hours later I thought… Hmm… I wonder if that PayPal account is still accessible? I wonder if PayPal has done anything at all? So I checked, and I was able to log in successfully. That’s when I called PayPal again, this time demanding action. The nice lady in security said firstname.lastname@example.org is a busy email and that might not be addressed for 24-48 hours, so she contacted someone else in security and gave me a private email address with an ATTN: to name. She also wanted the email account of the user I was able to access, so I gave it… Never tried again.
Within the hour I received an email from PayPal, pictured to the right and I assume it went out to everyone on that publicly displayed list. It basically disabled my PayPal account until I took action to re-verify and change my password. Thank you PayPal for finally taking appropriate action. I’d like to add that PayPal is indeed safe and I wrote a blog post about this a while back.
Affiliate Information on Joomlart.com – Breach of Security
When you sign up for an affiliate program there’s some information they need. Whether it be Amazon, eBay, Joomlart, Commission Junction or many others, they need to first be able to pay their affiliates, and when they pay their affiliates, they have to report the total of these payments at the end of the tax year. In order to do that they need certain sensitive information from you. This information will often include your full legal name, PayPal email address, and your Tax ID, Social Security Number or VAT ID. Some vendors pay by check, so they’d also need your full address.
Information Vendors Need from Affiliates:
- Full Name
- PayPal email address
- Member email address
- Physical address
- Social Security Number, Tax ID, VAT
That’s a lot of information and much of it is very sensitive information that must be stored in a database. These databases contain tables in which these data fields are stored. A company as old as Joomlart, with all their developers, should have encrypted private and sensitive data belonging to their customers and partners. It’s not usually a question of if, it’s a question of when a database will be hacked or back-doored.
Joomlart.com failed to do this. The hacker was able to grab all the data from the unencrypted tables and send out an email to everyone offering to sell them more information. Additionally, I did a search for the email address, which showed that the user had posted on the Joomla forum, claiming to have all the Joomla users’ information and emails from their database. See image below; apparently the thread was removed, but I hadn’t seen where the breach had been addressed by Joomla.
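What protecting the affiliate table could look like, as an added example that is not Joomlart’s code or part of the original post: the login password is stored as a salted scrypt hash (passwords are verified, never decrypted), and the PayPal email and Tax ID are encrypted with AES-256-GCM under a key kept outside the database. The column names, sample values and key handling are assumptions.

```javascript
const crypto = require('crypto');

// Passwords: salted scrypt hash. A dump of this column cannot be replayed elsewhere.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return `scrypt$${salt.toString('hex')}$${hash.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [scheme, saltHex, hashHex] = stored.split('$');
  if (scheme !== 'scrypt' || !saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, 'hex');
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Fields that must be read back (payout address, tax ID): AES-256-GCM.
// `key` is 32 bytes held outside the database (assumed: a secrets store).
function encryptField(plaintext, key) {
  const iv = crypto.randomBytes(12); // fresh nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

function decryptField(stored, key) {
  const [iv, tag, ct] = stored.split('.').map((s) => Buffer.from(s, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // final() throws if the key or data is wrong
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// The row that is actually written to the (hypothetical) affiliates table.
function toStoredRow(affiliate, key) {
  return {
    member_email: affiliate.memberEmail,
    password: hashPassword(affiliate.password),
    paypal_email: encryptField(affiliate.paypalEmail, key),
    tax_id: encryptField(affiliate.taxId, key),
  };
}

// Constructed sample record; every value here is made up.
const key = crypto.randomBytes(32);
const row = toStoredRow({ memberEmail: 'affiliate@example.com',
  password: 'sample-forum-pass', paypalEmail: 'payouts@example.com',
  taxId: '00-0000000' }, key);
console.log(row);
```

An attacker who copies only the table gets the hash and ciphertext columns; reading the PayPal email or Tax ID also requires the key, which is why it must not live in the same database.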
How to Protect Your Information Online
Remembering different passwords for different websites can be daunting to say the least. However, they are needed. You never want to use a forum or any other website with the same password as your PayPal account. Never ever. Too many of us use one password for everything and that’s simply no good.
I use a password manager called 1Password by AgileBits but there are many others, LastPass being a very popular one as well. You might find this article helpful: http://lifehacker.com/tag/password-managers
Use the Tax ID of an LLC
Register for an LLC if you’re doing any kind of business on the Internet. It costs an average of $100 and you can do it yourself. Once you have an LLC, you’ll want to apply for a federal tax ID number for that LLC. This is the number you’ll want to use in place of your Social Security number. Never give out your Social Security Number, not even to the most secure sites, as they too will eventually be breached.
With an LLC not only are you protecting and isolating your personal and private information, you are also able to take advantage of corporate tax benefits and loopholes that so many people think are for the big players and big corporations. Explaining this would be an entirely different article altogether.
Best of luck to all of you and keep your information secure. Don’t rely on other websites to do it because many times they don’t, as in the case of Joomlart.com.
Shame on Joomlart.com
Joomlart is dealing with this breach and I’d imagine the owner of this thriving community is probably sick to his stomach. While having this data breach may not have been intentional, it’s certainly an oversight on the part of Joomlart. Joomlart was one of the first and early Joomla template providers after Joomla split off Mambo back in the early days.
You’d think, based on the length of time Joomlart has been around that encrypting customer data would have been an important part of this website, but it wasn’t. I know I paid quite a bit for yearly membership fees to Joomlart, you’d think a part of that would go into protecting my sensitive data, but it didn’t.
Here’s a link to Joomlart’s blog Post on the issue: http://www.joomlart.com/blog/news-updates/emergency-we-are-hacked-and-database-compromised
Lesson to Be Learned about Security
If nothing else, let’s hope we can all learn a valuable lesson in security from all this. Always protect your own data, and webmasters are obligated to protect their clients’ data. If you can’t do that much, you shouldn’t be offering affiliate services on the web and keeping private data. Period.
Another consideration is… how many other companies do we do business with daily that may have similar vulnerabilities?
Kevin Michael Norman says
I want to thank you Justin for spearheading the responsible and proper information dissemination to our Joomla community regarding this careless oversight by Joomlart. You my friend are a Security Warrior and I commend you for putting together this comprehensive account of the truth in the face of its absence from Joomlart’s clear attempt to conceal the gravity of this situation.
I know from taking part in many affiliate programs and also from being a United States Citizen that to be paid for affiliate commissions in this country a Social Security Number or Tax ID is a fundamental requirement for payment unless you want to be investigated by the Internal Revenue Service. I think it is terrible that it is still quite unclear from Joomlart whether or not Social Security Numbers were compromised. I question the extent of this breach and our actual knowledge of it based on Joomlart’s response and notable attempt to downplay the seriousness of what has occurred.
Please continue to be an advocate on this. I assure you as people begin to experience the fallout from the potential Identity theft and Fraud that may occur in this instance your post will garner many thankful comments and provide a light for Joomlart customers to use to see their way out of this terrible situation.
Anna Robinson says
Just wanted to say thank you Justin for all the effort and care you put into this. To have people like you in the Joomla community (or anywhere for that matter) is priceless. Thank you!
Kevin Michael Norman says
Hear, hear!!! Much agreed.