this morning we’ve had 2 clients report that they’ve received emails (through the webflow form submission) telling our clients that their website has been hacked and they’re asking for ransom (in bitcoin).
Has anyone else experienced this? We’ve litterally had 2 clients report the exact same thing in a single morning.
Sounds like a scam. They received it through the form which is open to the public I assume.
What exactly is being held for ransom? Do the submissions reference the user’s login name or credentials? Are there sensitive documents on the site?
We got the same email through the Webflow form submission. I’d say it’s a scam attacking webflow sites. I was looking for a way to report to Webflow when I cam across your post.
This is a spam email sent via the website forms. Please ignore the email as all information in that email is completely false. We recommend enabling Google reCAPTCHA on all forms: (Add a reCAPTCHA field | Webflow University)
Here’s an interesting wrinkle: She no longer is receiving form submission notifications from that form. The info is captured, but she doesn’t get an email with the info. It’s like it’s going to someone else.
I couldn’t fix it, so I added a brand new form and tested that—everything worked perfectly as it should.
So I am deleting the old form and using the new one.
@matthewpmunger there may be something else more nefarious going on with these hacks beyond just the seemingly phoney email threat. Or it was just a wonky form.
Also, I’ve noticed that there is seemingly no way to get in touch with Webflow support directly right now. I just am redirected over and over again to the forum search page.
Yup, about 5 different Webflow sites that we host have ALL started to receive 2 to 3 spam emails per-day with the same awful spam. It’s so weird because this has never happened before. It only started about a week ago, but since then it’s been a nightmare - even with Captcha installed. They seem to specifically be targeting Webflow site forms… WF team, can you address this?
Everyone should be aware that anyone can manually fill out a Webflow form with spammy content. Webflow does not provide anti-spam on form submissions but may be able to mitigate bot traffic. If you want that then you need to use a third party provider that has that option. Plus reCAPTCHA is only helpful in blocking some bots, not all.
I use honeypot fields (hidden fields that when filled trigger a rejection), Askimet, and reCAPTCHA with my form provider of choice (usebasin.com). For apps I build I use the above but substitute Cloudflare Turnstile (HINT HINT WEBFLOW).
We’re also getting a ton of spam as of the last week on all of our client sites (and our own), including those threat ones. We’ll be adding recaptcha to every one this week, but so strange that there was been up uptick on most of our Webflow sites (30+ live ones)