Cyber Attack Targets Valley Ministries

Early in February 2023, we found signs that hackers had targeted Valley Ministries, compromised one of our email accounts, and potentially gotten administrative access to our website.  So far as we know, no sensitive or confidential data were stolen.

We have taken a number of steps to secure our email and website since this attack.  Cyber attacks are now a regular part of day-to-day life.  If you see anything that concerns you or seems suspicious, please let us know.

Here are complete details about the attack and the actions we have taken to respond to it.

Issue #1:  Email Forwarder

When looking at our church’s email accounts, I found that someone had attached a forwarder to Rev. Terri’s church email account.  It was making a copy of all emails sent to revtlm@vmmcc.org and forwarding them to monaysmith13@gmail.com.  I consulted with Rev. Terri, the board, and other church leaders about this.  No one recognized the gmail address and no one was aware of the forwarder.  I worked with our hosting provider to research this further and found that the forwarder became active on November 9, 2022 and remained active until I deleted it on February 3, 2023.  In addition to emails, all voicemails to the church during this time were forwarded to revtlm@vmmcc.org and thus were forwarded to monaysmith13@gmail.com as well.  

The good news here is that revtlm@vmmcc.org was not Rev. Terri’s main email account and the forwarder was added several months after she retired.  With Rev. Terri’s permission, I reviewed all of the emails sent to her account while the forwarder was active and I also listened to all of the voicemails that came in during that time.  None of the emails or messages seemed sensitive or personal.  So if the forwarder was the result of a malicious hacker, it appears that they did not get any valuable data.  At the same time, it is possible that someone with enough access to add a forwarder could also have deleted messages from the account, so I would not have seen them during my review.  I did not review messages sent before the forwarder was installed.

There were no signs that any other accounts were affected.  It is possible to add a forwarder onto an account using only that account’s password, so my working theory is that a hacker had enough access to get into Rev. Terri’s account but not enough access to see any of our other accounts. 
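
The exposure described above, where voicemail delivered to one mailbox was copied onward by that mailbox's own forwarder, can be checked for across every account by following forwarder chains to their final destinations. This is an added example, not part of the original notice; the `source: dest1, dest2` listing format, the domain, and every address in it are constructed for illustration.

```python
# Added example: audit mail forwarders for external exposure, following chains.
# The "source: dest1, dest2" listing format and all addresses are constructed.

ORG_DOMAIN = "example.org"  # assumption: the organisation's own mail domain

# Constructed sample listing: a voicemail box forwards to a pastor's mailbox,
# which in turn carries a forwarder to an outside address.
SAMPLE = """\
voicemail@example.org: pastor@example.org
pastor@example.org: outsider@mail.example.net
office@example.org: treasurer@example.org
"""

def parse_forwarders(text):
    """Return {source: [destinations]} from 'source: a, b' lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        source, _, dests = line.partition(":")
        table.setdefault(source.strip().lower(), []).extend(
            d.strip().lower() for d in dests.split(",") if d.strip())
    return table

def is_external(address):
    """True when the address is not in the organisation's own domain."""
    return address.rpartition("@")[2] != ORG_DOMAIN

def external_exposure(table):
    """Map each source to the external addresses its mail ultimately reaches."""
    def reach(addr, seen):
        found = set()
        for dest in table.get(addr, []):
            if is_external(dest):
                found.add(dest)
            elif dest not in seen:          # guard against forwarding loops
                found |= reach(dest, seen | {dest})
        return found
    result = {}
    for source in table:
        hits = reach(source, {source})
        if hits:
            result[source] = sorted(hits)
    return result

if __name__ == "__main__":
    for source, leaks in external_exposure(parse_forwarders(SAMPLE)).items():
        print(f"{source} -> {', '.join(leaks)}")
```

Any address that appears in the result but has no external forwarder of its own is leaking only through another account's forwarder, which is the case a per-account review tends to miss.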

Issue #2:  Website Password Compromised

When I started working with our church website, I installed some standard security software as a routine precaution.  On February 6, the security software informed me that the main administrative password for our website was on a list of known stolen passwords.  We do not know if anyone actually used this stolen password. If it was used, a hacker could have accessed our website and installed malware on it without our knowledge.  I have not seen any signs of such malware, but it can be very hard to detect.  

Our web hosting provider had also had three major security breaches in the last few years, including breaches where hackers were able to install malware on websites hosted by our service provider even without needing site-specific passwords.  

Actions Taken

To protect our email and website:

  • All of our email, web hosting, and website passwords have been changed.  Every account now has a unique password which is randomly generated.  Knowing the password for one of these accounts will not help you get into any of our other accounts.  
  • We have moved our web and email hosting to a new service provider which provides security features that our old service provider did not.  Our new service provider also serves web pages much more quickly than our old service provider.  Our new plan also costs less than the old one.
  • Voicemail is no longer being forwarded to Rev. Terri’s old email account.
  • We have left our old website behind and started a new one from scratch.  The files from the old website are still available to us if we should need them, but if there was any malware installed on the old website, it has not been migrated to our new website.  We were already planning to dramatically reduce our old website and then rebuild it, but the security issues with our old website caused us to do this much more quickly than we might have otherwise.  
  • Our website now uses HTTPS (TLS/SSL), which provides more security than HTTP.  HTTPS is a standard feature for modern websites.  Our new hosting provider includes it for free.  Our old hosting provider did not.  

What’s Next

The actions described above are a good start.  As time goes on, we will continue to upgrade the ways that we handle our passwords and security.  Our goal should be to make it easy for the people who should have access to get access, but hard for a malicious hacker to break into our systems.  This will be an on-going project.  

Cyber attacks are now a routine part of our modern lives.  If you see something that seems suspicious or raises concerns, please reach out to me and the board to let us know. 

— Rev. Michael Patrick Ellard