We regret to inform our users that as of Sunday evening, October 16, 2016, an attacker gained unauthorized access to our primary administrative e-mail accounts.
The attacker was able to reset passwords on a number of services and export user information such as e-mail addresses, last 4 digits of credit cards, addresses, and support ticket history. We have also identified that this attacker was able to gain access to a repository manager and had access to several of our git repositories.
The attacker then contacted us on Slack and demanded a 10 BTC ransom, which we as of yet have declined. While we would greatly appreciate that this person does not release the information publicly, there is no guarantee of this whether we submit to his extortion demands or not.
As of this writing, there is no evidence that the attacker gained access to sensitive user data or database access, however we are continuing to investigate every possible attack vector.
We felt it prudent to notify the community as soon as we learned of these developments.
We are continuing to investigate the situation and will keep everyone updated as we progress.