In the interest of disclosure, our frontend Craft CMS installation was hacked this morning. Unfortunately it's going around. The compromised version was up for around 6 hours. The Craft server is standalone and is downstream from our services. It doesn't have access to the database, the core rails app, or anything else. There doesn't appear to be any impact on anything that runs our podcast service or interacts with our apps. As a reminder, Castro has almost no data on our users, so in the worst case the theoretical damage is still fairly limited.

It's unfortunate because we'd been updating Craft on a separate server and simply hadn't swapped over yet. So it goes. The compromised server has been wiped and the blog is back up now. Thanks.