Heart Bleed Security Issue

Sorry to intrude on your inbox twice in 1 week, but we need to announce a major security issue, "HeartBleed", that has hit the internet, and we were also affected.

It is a minor issue for us, as there is very little private content within our websites that any hackers could make use of. E.g. we don't store credit card numbers, and accessing our back end does not allow anyone to initiate financial transactions. The worst someone could do would be to post content onto your website. However, we feel the biggest issue for our customers is that they may share the same password across multiple systems, and so we would encourage all users to change their passwords on all services they currently use, not just us.

You should urgently change all passwords everywhere

  • on all services (not just website builder)
  • also on your email accounts.
  • do not use a password you have ever used before, and definitely not one you have used in the last 2 years.
  • do not use links in emails to log in; please go to the last known web address you trust for the provider.

About HeartBleed

HeartBleed is a security bug in OpenSSL, which is widely used by many website providers, and that includes Yahoo, Amazon and many other big players.

Read more about the security issue here: 

Limited Helpdesk Support on This Issue

We cannot provide 1 on 1 support for this issue. Our help desk will not engage in 1 on 1 conversations about security. Any help from our support desk with changing passwords or reconfiguring email accounts related to this security issue will be chargeable. You can update your passwords yourself for free via our CMS control panel. You can change your login password under the Security or Accounts tabs in the top right. You can change your mailbox passwords in the domains/emails tab (you will also need to use the same password in your desktop/phone/iPad). It's no fun for anyone dealing with security issues, so we encourage all our DIY customers to deal with security in the same DIY way. Many Thanks.

Install a Virus Checker on your computer

We use Eset Nod32 Antivirus ourselves. We like it because our computers still run fast, and we barely notice it's there. We have teamed up with Eset to offer you a free trial of that. Get a free trial of Eset Nod32 Antivirus

Importance of Not Following Links to Login

Please note you should log in to the CMS using a URL you trust. We will not paste the URL here, as doing so is a common technique for tricking people, known as a phishing scam. We realise there is a login link on the right of our standard email template, but that is part of our template and provided for courtesy only. To be safe, you should generally never use a login link from an email unless that same email is telling you your password, or is clearly providing information that no 3rd party would know (like your account number or similar). Every day you might get an email from a bank or other business telling you about a security issue and asking you to log in, with a link that leads to a false site. Just to clarify, we won't be doing that, so the message is clear.

If you do follow links from emails to a website, just make sure you pay attention to the address that shows in your browser address bar, not what was visible as the link in the email, as they can be obscured. 

General Tips About Staying Safe on the Internet

  • There is no free money coming to you from a Nigerian bank, nor from a long lost uncle. Email or post or whatever, it's not happening. If you know the uncle, it might be a good idea to chat to a relative or your lawyer... Please don't send these emails to our support desk.
  • Emails from 3rd party domain registry companies trying to get you to register a domain that is similar to yours are best ignored; registering through them is a silly idea. There are hundreds of domain suffixes, and we sell most of them. If you want it, just buy it from us, but please do not get tricked into paying for services you don't need from other companies just because the piece of paper looks like an invoice. Please also don't bring these to our attention; we already know that people are always trying to trick our customers, and there is nothing we can do about it. The only exception to this rule is that you might get an email from TuCows, OpenSRS, SRSPlus, or ICANN asking you to confirm your contact details for any itld domains. These providers are our upstream providers. Please follow the links in those emails to confirm your details, but do not enter any passwords during the process that were not provided to you in the email received.
  • Emails from Asian Intellectual Property companies are a scam. You don't need those domain suffixes and if you do, just buy them from us. There is no real consideration happening at their IP firm. It is a general scam message they send to all domain holders all over the world.
  • Do not open email attachments from customers relating to money deposited into your account. The only place to check for money deposited into your account is your bank.
  • If money paid into your bank account came from overseas, the transaction can be reversed from the sender's bank. Never refund people overseas until the money has been in your account for at least 1 month.
  • Generally if you think something is a scam, it probably is, please do not send it to our help desk, as we are not a human anti virus service. 
  • Generally if you think an attachment is suspicious, it probably is, don't open it. 
  • https or SSL is not enough reason to trust a website with your credit card. Either you trust the site/brand or you don't.
  • Facebook shops, PayPal links, etc.: it is not enough to trust a shop just because it was linked within Facebook or uses PayPal as a payment method. Facebook/PayPal/Amazon/eBay/Trademe etc do not endorse the shops or links. The moment you enter your cart details or passwords into a website, you should do so with the same consideration for security as you would at a restaurant. By that notion, you should always pay at the counter.

General Notes About Our Security

  • We don't store credit cards. Credit card details are processed via your choice of a 3rd party payment gateway
  • The biggest risk to your website being hacked is viruses installed on your computer. If your website gets hacked, the very first thing you should do is install better virus software, then change all your passwords. You should also let us know, just so we can monitor how widespread an issue might be.

Pick Better Passwords

  • Please take care to choose good passwords, with at least 8 letters of mixed case, including a digit, and a special char if you can.
  • The biggest risk to your email being hacked is selecting a password which is easy to guess. On a weekly basis we need to reset someone's email password due to the account being compromised. Every time you select a poor password, you can potentially cause our bulk mail service to be blocked for a short time, and our team to spend hours cleaning up after you.

Ok everyone, stay safe out there !

PS. We have not reset anyone's passwords. You can request a password reminder as part of the login process. If you have forgotten your login, then try a couple of your common email addresses, then contact us if you still don't know.

Kind Regards

The Website Builder Team. 

Posted: Thursday 10 April 2014
