Recovering from a Hack

Last week we have recovered from a website hack that lasted for 6 days.

Before I get into the details I want to make it clear – the hack is completely gone and the website is perfectly ok. Our platform is more secure than it has ever been, and in this post I’ll explain what happened, what it means to you, and what we did to prevent it from happening again.

Sow what happened?

I woke up one morning to see the site defaced and broken. I contacted the hosting company and worked with them (as well with a third party security company) for 6 days until the hack was removed.

Throughout the hack the website was partially unavailable. Most pages were still showing, but with an unpleasant message on the header of the page, and all user-based pages didn’t work at all.

That made buying a course impossible, as well as accessing any of the courses people already owned.

Why and how did it happen?

I can’t really tell how the hack happened, nor why were we targeted. I wasn’t contacted by anyone, no money was stolen, nothing was even deleted. All they did was put an incomprehensible message (with a few bad words) at the top of the site. Not really sure why.

As for my security measurements, I suppose they could have been better, obviously. I did use a CDN with a firewall, but my hosting solution wasn’t the best. It’s fine for an average website user, but for a site that gets thousands of visitors a day I should have transitioned to a more dedicated solution.

I knew I should have migrated for a while (especially after seeing how my site couldn’t handle the traffic we got when we launched our free course Making an Animated Movie), but moving our whole website is something that easily gets pushed aside. It just felt like a scary and daunting process.

Of course after you get hacked, you suddenly do all the important things that you should have done a while ago. It’s kind of like getting renters insurance after getting robbed.

What now?

First, if you are concerned about compromised information, you don’t need to worry. Our payment system is operated through a third party (Paypal and Stripe) and I have absolutely no access to any of it, as it is done through their platforms.

After completely removing the hack, we made the big transition to a dedicated premium hosting solution, and it was the best thing I could have done. And much simpler than I thought it would be.

The new hosting is much more secure, and not to mention fast. Like, 4 times faster. Seriously, I’m still shocked at how the site is preforming now.

We also kept our CDN firewall, and our new security company who’s monitoring the site and its files every single day. We also have daily backups now, which allows us to roll back the site with a click of a button.

Nothing is 100% secured, but this is as close as we could get.

As for you, our readers and students

I know that some of you have gone through a less than ideal experience during those 6 days. A lot of you wanted to buy our courses and couldn’t, and worse – some of you couldn’t access courses you paid for.

That is not the experience I want our students to have.

I try to keep Bloop a consumer-focused platform.

That is why I don’t discount the products randomly, making early-buyers feel ripped-off.

That is why I don’t run ads on my site, or push sponsored products to our readers.

That is why we have a super-flexible refund policy.

Needless to say, having you guys subjected to a bad experience with our platform was the worst part of this hack for me, and I’m sorry for that.

I hope this incident didn’t sour you on our learning platform, especially now that it is so much faster and more secured.

Through the hack I manually answered each and every concerned email that was sent to me, and I was touched by your kind and warm responses, almost all of them incredibly understanding and patient. That showed me again what a great audience I have, and I truly appreciate it.

To my current students I’ve offered as compensation a one-time $30 coupon to our products, so if you’ve bought from us in the past look for an email with the code.

Moving on

I try to look at these unpleasant events as learning experiences. It sucked, but it could have been worse, and it pushed us to improve. Thank you for understanding.