Hacker News: throwaway0727's comments

Unfortunately, it's the latter - no details of the exploit, just a proof.

If this comes to a ransom demand, rather than an unethical/inexperienced gray-hat thing, are there any good steps to take? Or is hiring an expert consultancy probably the only good option here?


I can't comment on the correct approach in that case, I'm underqualified. I would urge you to make sure you have good backups in a location that can't be compromised (as in, you won't wake up tomorrow to find them all deleted). If your system already supports this, all the better. Keep in mind the worst-case scenario here is that every production server is wiped, which is essentially close to the situation of a natural disaster at the site where they are housed. If you don't have a plan for how to deal with a situation like this (disaster recovery/business continuity plans), such as redeploying to the cloud or to a different cloud, or a different datacenter, then that's a thought for the future (and the present if you have time).

I assume a professional computer security firm could help, but I don't know enough about the incentives at play to know whether that's good in practice (if they often deal with situations like this and not just hardening/forensics, I assume they would have good advice). I have no idea what that costs, and whether your business can afford it.


Total data loss isn't the worst-case scenario, in my opinion. Quietly interacting with your site, contacting your customers to abuse their trust in you, etc.


I would recommend taking your oldest backup offline and storing it indefinitely, in case later backups are corrupted. Make sure you turn on verbose firewall logging as well.


Actually it's reasonable that this person hasn't given you the details. If he disclosed the specific way he got in, you'd probably patch it and carry on. Then he'd probably find another way to get in, disclose it too, you'd patch it, and it could turn into a full-time (low/un)paid job for him. Not to mention that all of the holes found by him could earlier have been exploited by someone else who could have left something on your server.

By sending just the proof he forces you to reconsider your approach to security and start from a clean state.


Does the e-mail (appear to) give you a way to contact the person who sent it?

I'm not saying you should or shouldn't, but several comments have suggested contacting this person; it's not clear that that's even possible.


OP here. Thanks for all the responses.

I took action and updated firewall settings (which were too loose), ensured that offsite backups are in place if worse comes to worst, rotated all API keys etc., meanwhile trying to contact the anonymous person. Will rebuild the servers ASAP as well, super glad that we have properly maintained Ansible scripts.

Also will try my best to convince the CEO to allocate some money for a professional audit/consultancy, since we are no experts in security, and to reduce the chances of future incidents.

Trying to do our best and avoid things like SQL injection, XSS, etc but no one is secure after all.


This incident isn't over. You must fully scope the incident, and the only way to do that is to hire outside help. If the breach leaks and it's found that you haven't properly responded, it will destroy trust with clients and possibly expose you to legal risks.

Hire an incident response firm. They can usually react next day if you can sign a contract today.


None of these things you've done will remove access for this person.


Contact me if you need a recommendation. I can point you to good security consultants probably within your budget.


Thanks, will keep that in mind, as it's not up to me to allocate funds for consulting, etc.

Any idea how much such a service can cost, assuming a web application with a very common stack (such as Ruby on Rails + PostgreSQL)? Is it something like $5k, $10k, or $20k+? Or does it really depend? Sorry if it's a very amateur question, I have no experience in dealing with such companies so I have no clue how much it can cost.


It really depends; a common stack doesn't mean that much. It depends on what the app is doing, how many dependencies it has, what external services it talks to, etc. Also 5k, 10k - this would be the price per day. And then you hire a guy/company for a day. It depends on the app, but it might take some time.

Security is not cheap.

Disclaimer: worked for such a company.


From your post here, you clearly have only rudimentary security knowledge at absolute best.

You need to bring an expert and/or firm on-site.


Hi,

If you need a security professional I can help you. Is the box on AWS? If so, that would be a perfect use case for us. You won't have to worry too much about costs; since we're starting up, we're willing to work with your budget if you provide a testimonial for our website.

Send me an email: contact@cloudhawk.io and we'll get started quickly.


I noticed IR services are not listed on your website.

I hate to be this guy, but you don't want to offer IR/forensic services if you don't have experience doing exactly that.

Your client can sue you if you get it wrong. (http://arstechnica.com/security/2016/01/security-firm-sued-f...)


We do but it's not part of our MVP ;)

