Topic-icon JoomDonation, hacked

5 years 10 months ago - 5 years 10 months ago #790 by Jose
JoomDonation, hacked was created by Jose
Yesterday, JoomDonation users received the following email:

How the hell are you? No need to ask, I’m fine!

I’m the one who has hacked all of your sites, emails, accounts etc. that has been using site/components. Scaring? Hell Yea :-)

About 15 months ago, I was able to penetrate into several Joomla sites. One of these luckies was After a while I realised that their crappy components were used by other Joomla developers too so I injected my shells into components. As per result, I’ve a list of 300000+ Joomla users+emails and you’re just one of them, lucky thing :-)


Yea Yea I know you all have scanners, firewalls, admin tools etc installed on your server/site but you what? F*ck em all. They’re just noob tools. Think about, I’ve injected my own shells into 10000+ Joomla sites and none of you or your magic tools have been awared of.

WARNING: You have 5 days to clean up your sites then my bot will start putting your sites down. If your site was not so valuable for me, removing the components would be enough. If so, then I will most probably blackmail you soon :-)

Want an advice from a hacker? Don’t use any script from Thailand/Vietnam developers, their code is so crappy :-) Try Indian quality.

This email was sent to all users. We’ll meet again if you have accounts registered to other Joomla developers :-)

The JoomDonation developer has confirmed their environment has been compromised, and has published the following statement:

Dear all,

As you know, today, our hosting account was hacked. The hacker got a small part of our users information (only name and email) and emailed to these users that their sites were hacked. Infact, these sites are not hacked at all.
We have been working hard on this issue. Here are something we found and would like to inform you about them:

1. The security issue is not related to our extensions at all. So all the sites which are using our extensions at the moment will still be safe.

2. The issue came from a security hole in the hosting server which we have used. We have been using a VPS server to secure customers data, unfortunately, there was still security hole and the server has no Firewall software, so the hacker could get into the system and stole these information. We are working to move our website to a more secure server with a better hosting provider. However, it will take us one or two days for doing that.

3. The hacker just got a small part of our users information (contain name, email) and publish some of them. Few hours after the information was published (just name and a part of the email – the domain of the email is hidden), it was deleted and could not be viewable from public. So the information would be secure from now as well

4. We can assure that your sites are still safe. However, we advice that you change super admin account (and FTP account) of your site.

5. We will continue analyzing the server logs and will inform more information about this issue ASAP.

We are really sorry about this issue and hope you will stay with us and do more business with us in the future. Our extensions are good and secure, it is just the hosting server insecure and causes us all these trouble.

Sincerely, JoomDonation

Updated 01/12/2014

As you might be noticed, on November 27, 2014, some users received an email saying that their websites are hacked, there are 5 days for them to clean the site, otherwise, the hacker will put down these sites. You can see a full email as

However, things are not really bad/serious like that. We had worked very hard to find out the root of the issue, understood what happened and quite confident that our customers websites are still safe. Following are the details:

1. How the hacker got into system:

That happened few months ago, when our website was still being hosted on a shared hosting environment. From a hacked site on the same server with our website, the hacker could get into our system. Because of a security hole in the infrastructure of the hosting provider, even after we moved our website to a VPS server (same provider), the hacker can still get into our system.

2. What did he do:

- He got a part of our users data (name and email), used Mandril to send emails to all these users, threaten them that their websites are hacked...

- Even users who not using our products / not using Joomla websites any more still received that email. We think he did that just to scare our users, make them fear and move away from using our products.

3. What did we do to resolve the problem:

- We scan our website files to make sure they are clean and safe.
- Since the problem caused by the hosting security, we decided to move our website to rochen hosting (Joomla! offical host).
- Our team and Rochen's system engineering team had worked together for two days to ensure the site is secure and protected before going live.
- We also checked all of our extensions again and we confirm that they are secure.

4. What should you do:

- Our extensions are secure, so you won't have to worry if you are using them on your site.
- You should change super admin account/ FTP account of your site.
- Make a backup your site.

Last edit: 5 years 10 months ago by Jose.

Please Log in or Create an account to join the conversation.

Time to create page: 0.088 seconds
Powered by Kunena Forum

Login or Sign In