Open Letter to Massage Heights: Security Matters
Hey there, Massage Heights. You already know who I am: I'm the guy who's been calling you out for over a week about your lacklustre security practices.
Over a week ago now I let you know your website had been hacked: there's a group of links on your page that point to Russian-language shoe sites. I included screenshots and everything. Imagine my shock when you responded that your 'team' had taken a look and there were no problems, especially when I went to check it out and the links were still there (and are still there today, 8 days later!).
While it's not apparent to everybody, especially if they have a small monitor, the links are there. I provided screenshots AND told you what lines of code to look at. My warnings have been ignored. Other people told you too. Silence.
Perhaps you are unaware of how important web security is these days. These hackers got in once (and are still in), so they can get in again. You don't seem to care. I'm sure your customers might, especially if their personal information ends up on Russian spam lists.
While it took a bit to figure out that this only affects your Canadian site, the fact that you didn't bother to check ALL your corporate sites goes to show how ineffective your security strategy is and how little time you invested in actually checking out this report. It's truly sad.
It would take mere moments to figure out I was talking about the Canadian site; after all, my Twitter profile (and Facebook profile) both say I'm in Canada. Yet you didn't check, at all. You didn't care enough about the security of your customers and website visitors to even look. If you have multiple websites under your umbrella and somebody reports that your site has been hacked, common sense would dictate that you check ALL of your sites, especially if they keep coming back to you. You are responsible for your website, and you are responsible for the security of your website.
The Canadian website links to the Twitter and Facebook accounts that I was messaging, but you just kept ignoring me and assuming I was talking about your US site. In fact, you deleted my posts on Facebook. What's the matter, are you afraid your customers might find out how little you care?
I'm not trying to be a giant douche here, I'm just one of those rare people that actually care about others, even when it's something as small as ending up on spam lists. I take web security very seriously. If I have to be a bit of a douche to a company that won't listen and make them look bad in public to get them to wake up and smell the security breach, then so be it.
People need to be made aware of issues, especially if they have been hacked. I let you know and you ignored me. It took 3 Twitter messages to get you to even respond, and when you did you told me there were no problems. I reported it again, and again. Others reported it and what have you done? NOTHING. You have ignored everybody.
Here it goes again. Your Canadian website has been hacked. I noticed it on March 13 and notified you; who knows how long it was like that before I noticed (certainly not your team). Today, the links remain. I have provided screenshots of the issue and the lines of code where you can find the links.
Somebody else did their research. The Russian shoe sites have been taken down. The links are dead, but that doesn't fix your website and how they got in. Hopefully this letter will make you actually look at your website and actually notice these links. More importantly, I hope you find how they got in and close the hole!
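For anyone at the company (or any other site owner) who wants a repeatable way to do what the screenshots above do by hand, here is a small Python check that parses a page's HTML and lists every link pointing at a domain the site does not own, flagging links that are hidden off-screen. This is an added example, not code from this letter or from Massage Heights, and it works on the markup alone: a link to a shoe site that has since been taken down still shows up, because the evidence is the modified page, not whether the target answers. The site host `example.ca`, the allow-list of social-media domains, and the sample page are all constructed for illustration, not the real site's markup.

```python
"""Scan a page's HTML for injected outbound links: anchors to domains the site
does not own, with hidden ones (off-screen, display:none, etc.) flagged first.
Added example, not the letter's or the company's own code. The site host,
allow-list and SAMPLE_HTML below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep injected SEO spam out of sight for visitors
# while leaving it in the source for search engines (and for anyone reading the code).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}",
    re.I,
)
# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col",
             "embed", "source", "track", "wbr"}


class LinkCollector(HTMLParser):
    """Collect every <a href=...> with its text and whether it, or any ancestor, is hidden."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, text, hidden)
        self._stack = []     # open elements as (tag, hides_contents)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = bool(HIDDEN_STYLE.search(a.get("style") or "")) or "hidden" in a
        if tag not in VOID_TAGS:
            self._stack.append((tag, hides))
        if tag == "a" and a.get("href"):
            self._current = [a["href"], "", any(h for _, h in self._stack)]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text, hidden = self._current
            self.links.append((href, " ".join(text.split()), hidden))
            self._current = None
        # Pop back to the matching open element; tolerates sloppy, unclosed markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def scan_page(html, site_host, allowed_hosts=()):
    """Return outbound links that belong neither to the site nor to the allow-list.

    Hidden links are sorted first: those are the ones nobody was meant to see.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    site_host = site_host.lower()
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for href, text, hidden in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:                      # relative, mailto:, etc.: the site's own
            continue
        if host == site_host or host.endswith("." + site_host) or host in allowed:
            continue
        findings.append({"host": host, "href": href, "text": text, "hidden": hidden})
    findings.sort(key=lambda f: not f["hidden"])
    return findings


# Constructed sample page for a hypothetical site example.ca (not real markup).
SAMPLE_HTML = """<html><body>
<nav><a href="/locations">Locations</a> <a href="https://www.facebook.com/example">Facebook</a></nav>
<p>Welcome to our spa.<br>Book today.</p>
<div style="position:absolute; left:-9999px; top:-9999px">
  <a href="http://shoes-one.invalid/boots">купить сапоги</a>
  <a href="http://shoes-one.invalid/sneakers">дешевые кроссовки</a>
</div>
<footer><a href="http://shoes-two.invalid/">обувь</a> | <a href="https://example.ca/privacy">Privacy</a></footer>
</body></html>"""


def report(html=SAMPLE_HTML, site_host="example.ca",
           allowed_hosts=("www.facebook.com", "twitter.com")):
    """Print a one-line-per-link summary and return how many suspicious links were found."""
    findings = scan_page(html, site_host, allowed_hosts)
    for f in findings:
        flag = "HIDDEN " if f["hidden"] else ""
        print(f"{flag}{f['host']:<20} {f['href']}  text={f['text']!r}")
    return len(findings)


if __name__ == "__main__":
    report()
```

To run this against live pages, fetch each corporate domain's home page with `urllib.request.urlopen` and pass the decoded body to `scan_page` with that domain as `site_host`; running it over every site under the umbrella, not just the one you assume the report is about, is the check this letter keeps asking for. Finding the links is only the first step, though: the injection point (a compromised plugin, theme file, template, or stolen credentials) still has to be located and closed, which no scanner does for you.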
Keep this in mind. Target was informed about their security breach ahead of time. Sony was notified of their security issues ahead of time. Neither took immediate action. How much did those mistakes cost them? Will Massage Heights be next? For your customers' sake, I sure hope not.
If you would like to view the Twitter conversation:
Massage Heights says there are no issues!
Below you can see the screenshots I supplied to Massage Heights. There is a screenshot of the code generating the links, the Facebook post they deleted, the full website with links on the left and a closeup of the links.