So a few minutes ago I received an e-mail claiming that the website was hacked, and the hackers were going to destroy my reputation by selling all the customer’s information and so on and so forth unless I paid them. At this time, I have zero reason to believe the e-mail is truthful; I see no signs of tampering, the passwords are all the same (although I have changed them just to be super-safe), no unusual activity etc. As a result, I have a high confidence that it’s one of those scam e-mails that says “we have damaging information, give us money or we’ll release it” when they don’t have actual information. If that changes, I will let you know as soon as I do, of course, but at this point I see no cause for worry.
However, it prompted me to mention here that I do take your information seriously, so I have a couple of ways to protect your information.
First, I keep all software on the site up to date, and make sure all of it is vetted and secure.
Second, all accounts are protected with both strong, unique, random passwords generated using a well-respected password manager, and 2FA, so cracking any of those passwords is difficult, and even if they do somehow they need to then crack the 2FA. Also, passwords are changed periodically, so they’d need to re-start from scratch after some time if they did somehow manage that.
Third, I delete user information from orders after I’ve sent them out. So if the site does somehow get compromised, all the hackers will see is 1) my information and 2) a whole bunch of “deleted” in every field like name, address, etc. All they will be able to see is that someone bought some uniconvex yunzi stones and bamboo bowls, and how much shipping was. I can’t tell you your threat model, but honestly I’m not that uncomfortable with that information being public, at least if it were me. That said, there is a potential window between an order coming in and me marking it as “done” (up to a few days if I’m really busy) where the information is still visible, so there is a small chance this step might fail if your order has come in very recently.
Fourth, I periodically go over the site trying to identify potential security weaknesses and shore them up. I’m obviously not an expert on this, but I read a lot and talk to people I know who know more than I do, and occasionally they’re kind enough to do a basic scan to rule out any obvious or easily-fixable problems, which are most often the ones that hackers exploit. My current setup is partially the result of those conversations.
I hope knowing these protocols helps you have confidence that I am, at minimum, doing my best to protect your information. Partially for my own reputation, of course, but also because I do genuinely care about people’s privacy, and this is a small thing I can do to help you out with that.