The TouringPlans.com website was unavailable from approximately midnight EDT on Friday, October 24, through approximately 10 pm EDT on Tuesday, October 28, a total of 3 days, 22 hours.
The cause of this outage was unauthorized access to the server which runs the website, and the installation of malicious software which ended up crashing the server. We believe that the unauthorized access to our server was obtained through stolen administrative credentials from our (now former) web hosting company, Layered Technologies, which affected many, many websites besides ours. (See here for a more complete explanation of the issue and other websites it affected, written by another person whose website was impacted.) At this point, we think the goal of the people who accessed the server was to redirect users to another site in China.
TouringPlans.com does not handle, store, maintain or otherwise process any credit card or payment information from our users. We use a third-party payment company (PayPal) in part to protect against exactly these kinds of things. In retrospect, that was a good decision that ended up protecting everyone’s personal information.
Anyone with administrative access to the server would have had access to TouringPlans usernames and passwords. We use a one-way hashing algorithm on passwords (MD5 with salt, if you’re interested), so passwords are never stored in clear text. (That is, if your password is “password,” we don’t store it internally as “password” – we store it as something like “ernie76e86y32i3ihgf78687” and it’s very, very difficult – though technically not impossible – to get back to the original password from that.) We recommend changing your password on the site at your earliest convenience. In checking our database logs, we did not find any evidence of database access or data modification; the extent of the damage seemed to be entirely within the HTML pages on the site. No user data seems to have been lost.
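The salted one-way storage described above, as an added example that is not TouringPlans code: it puts the salted-MD5 form next to a slow key-derivation function (PBKDF2) and re-hashes a legacy record on the next successful login. The record layout, the `salt + password` ordering, the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def md5_salted_record(password, salt=None):
    """Legacy form: one fast MD5 pass over salt + password (layout assumed)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${salt.hex()}${digest}"


def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened form: same salt idea, but each guess costs `iterations` rounds."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    scheme, *fields = record.split("$")
    if scheme == "md5" and len(fields) == 2:
        salt, expected = bytes.fromhex(fields[0]), fields[1]
        actual = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    elif scheme == "pbkdf2_sha256" and len(fields) == 3:
        salt, expected = bytes.fromhex(fields[1]), fields[2]
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(fields[0])).hex()
    else:
        return False  # unknown scheme or wrong field count never authenticates
    return hmac.compare_digest(actual, expected)


def login(password, record):
    """Return (ok, record_to_store); a correct login on a legacy row is re-hashed."""
    if not verify(password, record):
        return False, record
    if record.startswith("md5$"):
        return True, pbkdf2_record(password)
    return True, record


if __name__ == "__main__":
    legacy = md5_salted_record("password")  # constructed sample credential
    ok, upgraded = login("password", legacy)
    print(legacy, ok, upgraded.split("$")[0], sep="\n")
```

The salt makes two users with the same password store different values; the iteration count is what makes each guess against a copied table expensive, which a single MD5 pass does not.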
Over the weekend, we switched hosting companies to Rackspace. While that process did not go as smoothly as we might have liked, and definitely contributed to the delay in getting the site back up, we were able to implement with Rackspace some additional security measures which will help prevent similar issues from happening in the future. Over time, we think the additional support we get from Rackspace will make the site more reliable and secure.
We still have some minor issues to work through as part of the transition, chief among which is that email access to us is still spotty. If you’re trying to get in touch with us on short notice, Len’s temporary email is LenTesta@gmail.com.
Throughout this past week, many of you sent in emails of encouragement and support, for which we’re all inexpressibly grateful. Frankly, given that the site has more than a hundred thousand users, we didn’t expect that. We were happy to help out those folks who were traveling, with faxes and emails of their touring plans, and hope that wasn’t too much of an inconvenience.
We’ll be providing full refunds to any user who subscribed on Thursday, October 23, and extending the subscription of other recent subscribers by at least a week, to make up for this lost time. Give us a couple of days to get that done. If you think that isn’t fair, drop us a line and let us know what you have in mind.
Thanks again for the support. We hope to have this behind us soon.