Forgot to Update Livewire. Got Hacked
The short version: Someone exploited an outdated Livewire version on a dormant side project of mine. They stole my .env file, used the Mailcoach API keys to send 50,000 spam emails, and I spent a panicked night tearing through every project I own trying to find the source.

Here is the full story, what I learned, and why Docker saved me from a much worse outcome.

It was Wednesday, May 20. I was in class when my phone buzzed with an email from Mailcoach:

Your submissions have been blocked due to a high bounce rate or spam reports.

I read it. Felt that cold drop in my stomach. And then I had to put my phone away and finish class.

There is a special kind of dread that comes from knowing something is wrong but not being able to look at it. I sat through the rest of my Japanese lesson with half my brain running through worst-case scenarios.

Around 18:00, I finally opened my laptop.

The moment of terror

I logged into Mailcoach and my heart stopped. Over 50,000 emails had been sent from my account. All of them spam. Phishing links. Going out under my name.

I had never experienced anything like this before. I was shocked. My immediate reaction was to delete every single API token in Mailcoach and my GitHub API tokens. Then I wrote to their support team asking for help figuring out how this happened.

The long night

I spent the next nine hours reviewing every project I own.

danielpetrica.com. laraplugins.io. adventcalendar.tech. And some other smaller, unused projects. Every small demo site, every experiment, every dormant project sitting on my server. I checked logs, checked file permissions, checked for anything unusual. Nothing.

To make things worse, that same day Symfony announced 19 CVEs across their projects. My brain went there immediately. Was it Symfony? Was one of my sites running an affected version? I went down that rabbit hole for a while.

Nothing.

At 3 AM, I had to make a call.
I secured what I could, changed what I could, and went to sleep. I was frustrated. I was tired. And I still had no idea what happened.

Finding the source

The next day I kept digging. Project by project. And then I found it.

A small side project. One of those things you build, launch, and forget about. It was running an outdated version of Livewire with a public CVE. I had not updated it. That was my fault.

The attacker found it through automated scanning. These bots crawl the web looking for known vulnerabilities in exposed applications. They found Livewire, found the CVE, and were inside within hours. They uploaded a web admin script that let them read anything the Apache user had access to inside that Docker container.

Including my .env file. Which held my Mailcoach API keys.

The Docker blessing

Here is where things could have been much worse.

That side project was running inside a Docker container. The attacker had access to that container, but they could not escape it. They could not reach my other projects, my other databases, or the host system itself. The blast radius was limited to that one service.

I originally set up Docker Compose just as a convenience for myself. I never thought of it as a security measure in the beginning. But it ended up being the wall that stopped the attack from spreading.

The evidence I lost

This part still stings.

When I finally identified the compromised container, I did the natural thing. I took it down: docker compose down -v. Volumes included.

And just like that, the attacker's files were gone. The web shell, the logs of what they did, any clues about their entry point, all of it erased.

I realized my mistake later. I should have copied the container's storage before killing it. I should have preserved the evidence. But in the moment, my only thought was, "Shut it down now."

I spent the next few hours going through my reverse proxy logs instead. Those survived.
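What preserving the container first could have looked like, as an added example that is not the author's script: it assumes a Compose service named sideproject (hypothetical) and the docker CLI on PATH, pauses the container to contain it, then snapshots its logs, filesystem and every volume that docker compose down -v would have deleted, and hashes the result.

```bash
#!/usr/bin/env bash
# Snapshot a compromised container before tearing the stack down.
# Added example, not the author's script. Assumes a Compose project whose
# compromised service is named "sideproject" (hypothetical) and that the
# docker CLI is on PATH.
set -euo pipefail

# Name the evidence directory after the service and a timestamp so repeated
# runs never overwrite an earlier snapshot.
evidence_dir() {
  printf 'evidence-%s-%s' "$1" "$2"
}

# From `docker inspect` mount lines ("type name source destination"), print
# the names of named volumes: these are exactly what `down -v` deletes.
volume_names() {
  awk '$1 == "volume" { print $2 }'
}

preserve_container() {
  local container="$1" outdir="$2"
  mkdir -p "$outdir"
  outdir="$(cd "$outdir" && pwd)"
  # Freeze the processes (containment) without destroying anything; a paused
  # or stopped container keeps its filesystem and volumes, `down -v` does not.
  docker pause "$container"
  # Container stdout/stderr: Apache access and error logs in most images
  docker logs "$container" > "$outdir/docker-logs.txt" 2>&1 || true
  # Image layers plus writable layer as one tar, keeping the web shell's files
  docker export "$container" -o "$outdir/rootfs.tar"
  # Every mount attached to the container, one per line
  docker inspect -f '{{range .Mounts}}{{.Type}} {{or .Name "-"}} {{.Source}} {{.Destination}}{{"\n"}}{{end}}' \
    "$container" > "$outdir/mounts.txt"
  # Archive each named volume read-only from a throwaway helper container
  volume_names < "$outdir/mounts.txt" | while read -r vol; do
    docker run --rm -v "$vol:/data:ro" -v "$outdir:/out" alpine \
      tar czf "/out/volume-$vol.tgz" -C /data .
  done
  # Bind mounts live on the host; archive them directly
  awk '$1 == "bind" { print $3 }' "$outdir/mounts.txt" | while read -r src; do
    tar czf "$outdir/bind-$(basename "$src").tgz" -C "$src" .
  done
  # Hash the snapshot so later analysis can show nothing was altered
  (cd "$outdir" && sha256sum ./* > SHA256SUMS)
}

# Usage: preserve_container "$(docker compose ps -q sideproject)" \
#          "$(evidence_dir sideproject "$(date -u +%Y%m%dT%H%M%SZ)")"
```

Only after the snapshot is hashed and copied off the host does docker compose down -v become safe to run.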
The reverse proxy logs showed the attacker's pattern clearly. Automated scanners hit the site repeatedly. Once they confirmed the Livewire vulnerability, the actual compromise happened within hours. This was not a targeted attack on me. I was just another domain on a list.

What scared me most was how fast everything happened. The scan, the exploit, the credential harvest, the spam campaign. It felt automated end-to-end. If AI is making these attacks faster and more efficient, we are all going to need to be much more proactive about monitoring and maintenance. Myself included.

The silver lining

Mailcoach handled this better than I could have hoped.

They noticed the spam spike before I did. They suspended my submissions proactively. When I reached out, they worked with me to investigate. And when the dust settled, they dropped the charges for those 50,000+ emails from my invoice entirely.

That is the kind of provider behavior that builds loyalty for life.

Thank you to the Mailcoach team.

What I changed

Since this happened, I have made a few changes:

I set up automated dependency update alerts for...