Planet Rational’s Amazon Web Services credentials have been inadvertently exposed, potentially leaking Site44 user data. We’ve sent the following email to all of our customers:
Planet Rational’s Amazon Web Services credentials have been inadvertently exposed, potentially leaking Site44 user data. (Planet Rational is the company behind Site44.) While we don’t know that any data was accessed, we do know that it was possible.
What you need to do
To minimize any risk to users, we have revoked Site44’s access to users’ Dropbox accounts, effective immediately. To restore access, you will need to click the following link: https://www.site44.com/admin/login and reauthorize Site44. This will create a new folder called something like “Apps/site44 (1).” You will need to move all your existing websites to this new directory. (If this folder name bothers you, you might consider renaming your existing Apps/site44 to something else, like Apps/site44.bak, before you reauthorize.)
Until you do that, Site44 will be unable to synchronize with your Dropbox account. Your websites will remain online, but changes you make won’t be picked up.
Note that your Dropbox password was not at risk, and the only folder that may have been compromised is your Apps/site44 folder, as this is the only folder that Site44 has access to.
For users who have password-protected websites, we further recommend that you change those passwords. To do this, log in to https://www.site44.com/admin and click the lock icon next to your password-protected website.
We made a human error despite a review process meant to catch such errors. On our other service, Webscript.io, we published an example that showed customers how to use Amazon’s S3 service from Webscript. In building that script, we made use of our Amazon credentials, and we inadvertently published those credentials in the example code. These credentials have already been changed, but there was a window in which the credentials were visible and active.
In the future, we will never use Planet Rational’s AWS credentials in any examples, and we are adopting a more rigorous checklist-based process to make sure we don’t leak any secrets in code examples.
We are very sorry for this. We take security seriously but made a mistake.
In addition to this email, we will be writing a post on the Site44 blog (http://blog.site44.com) about what happened.
If you have any questions or concerns, please simply reply to this email.
Steve Marx and Todd Proebsting (Planet Rational founders)
We take security seriously. We can be reached at any time at firstname.lastname@example.org.