TinyBox VPS - November 2025
On November 9, 2025, security researcher Antoni Mróz initially disclosed multiple security vulnerabilities in TinyBox VPS infrastructure. We immediately initiated remediation and completed critical fixes within 24 hours.
Security researcher discovered and responsibly disclosed multiple security vulnerabilities affecting TinyBox VPS infrastructure. Six customer data records (names, email addresses) from uczmnie.pl payment transactions were exposed through TinyBox logging, but the uczmnie.pl platform itself was not affected.
During rapid development phase, AI-assisted code generation (Cursor and Claude Code) proceeded without adequate human security review. Debug logging and development practices were incorrectly carried into production environment. Git repository hygiene was insufficient (.gitignore not configured properly, sensitive files committed).
Between June 12-13, 2025, webhook logs containing customer personal data were accidentally committed to a private git repository.
Several individuals from TinyBox and related platforms were affected. All affected individuals were notified privately via email with detailed information about the incident and recommended security measures.
Note: Specific counts and detailed breakdowns have been removed from this public disclosure to protect individual privacy. Affected parties received personalized notifications.
The unauthorized access potentially exposed various types of customer information including:
✓ Mitigation: All affected accounts were reviewed, credentials were reset, and enhanced security measures were implemented. Log analysis confirmed the extent of access, and no evidence of data exfiltration beyond source code repository access was found.
All times are in Central European Time (CET)
Attribution Note: Timeline entries reflect current status of the investigative correlation. Some scanning activity may represent automated reconnaissance not directly associated with the disclosure.
Individual GDPR-compliant notifications sent to all 8 affected customers (Article 34). Data breach notification filed with UODO (Polish Data Protection Authority) per Article 33 requirements (72-hour deadline). ✓ Completed: November 14, 2025
Implemented automated secret detection using GitHub Actions and Gitleaks across all three repositories. Scans for PII, credentials, API keys, and prevents commits containing sensitive data or incident directories. ✓ Completed: November 13, 2025
Redesigned webhook and application logging with GDPR-compliant PII protection. All customer emails and sensitive data now hashed in logs using SHA-256 (***[8-char hash]***). Enhanced sanitizeLogData() to protect 40+ sensitive fields. ✓ Completed: November 13, 2025
Enhanced Cross-Origin Resource Sharing (CORS) security for API endpoints with stricter preflight caching and proper HTTP status codes. Based on security audit recommendations. ✓ Completed: November 13, 2025
Added comprehensive security headers (X-Frame-Options, CSP, X-Content-Type-Options, HSTS) to API endpoints for defense-in-depth protection against clickjacking and XSS attacks. Based on security audit findings. ✓ Completed: November 13, 2025
Modified wiki .htaccess to return 404 instead of 403 for sensitive files, preventing attackers from enumerating which files exist on the server. Based on security audit recommendations. ✓ Completed: November 13, 2025
Implemented strict input validation and sanitization for newsletter API parameters with whitelisting, length limits, and character filtering to prevent injection attacks. Based on security audit findings. ✓ Completed: November 13, 2025
Implemented dual-layer session timeout protection: 24-hour absolute timeout and 30-minute idle timeout. Sessions now automatically expire to prevent unauthorized access from abandoned sessions. ✓ Completed: November 13, 2025
Deployed complete audit logging infrastructure tracking all security-relevant events (authentication, session management, server actions, domain operations) with GDPR-compliant PII sanitization. Enables forensic analysis and compliance reporting. ✓ Completed: November 13, 2025
Implemented rate limiting for magic link requests to prevent abuse and brute force attacks. Uses fail-open design to maintain availability during database outages. ✓ Completed: November 13, 2025
Implemented centralized error handling that prevents sensitive information leakage. User-facing error messages are now generic and safe, while detailed errors are logged server-side with unique tracking IDs. ✓ Completed: November 13, 2025
Added field-level sanitization to all API endpoints using whitelist/blacklist approach. Prevents accidental exposure of internal IDs, authentication tokens, infrastructure details, and sensitive metadata. ✓ Completed: November 13, 2025
Updated error monitoring dependencies for security and performance improvements. Ensures continued security monitoring with latest patches and enhancements. ✓ Completed: November 13, 2025
You will receive an individual email notification with specific details about what data of yours was affected and recommended actions. If you believe you were affected but have not received notification, please contact us.
Good news: TinyBox VPS customer data (VPS credentials, SSH keys, server data) was NOT exposed in this incident.
Recommendation: As a precaution, consider rotating SSH keys on your VPS instances. (Note: TinyBox panel uses magic link authentication, so there is no panel password to change.)
Under GDPR, you have the right to:
This incident exposed critical weaknesses in our development and security practices. We take full responsibility and are committed to learning from these mistakes.
We extend our sincere thanks to Antoni Mróz for his responsible disclosure of these vulnerabilities.
His ethical approach—privately notifying us before publishing, allowing time for remediation, and providing detailed technical information—exemplifies responsible security research. Thanks to his professionalism, we were able to address these issues before any malicious exploitation occurred.
We welcome security research. If you discover a security vulnerability in our systems, please report it to [email protected]. We are committed to working with security researchers to protect our customers.
We are committed to transparency and open communication during this incident response. If you have questions or concerns, please reach out:
For security-related inquiries, vulnerability reports, or technical questions about this incident.
For general customer support, account questions, or service inquiries.
We welcome responsible disclosure from the security community. If you discover a security issue, please email [email protected] with details. We commit to:
File post.log containing customer webhook data:
# Verify .git not accessible
curl -I https://tinybox.sh/.git/
# Expected: 403 Forbidden
# Verify post.log not in current repo
git log --all --full-history -- post.log
# Expected: (empty)
# Verify old commit not accessible
git show 0b3e28e:post.log
# Expected: fatal: invalid object name
Incident Reference: INC-2025-11-12-PII-GIT-EXPOSURE
Last Updated: 2025-11-14 01:15 CET | Version: 1.1.5
Status: Critical issues resolved, ongoing improvements in progress