67 replies to this topic

[Oderint dum Metuant]

Inertiaman, on 07 January 2013 - 10:06 AM, said:

So I post my issues in the official thread alongside the other 17 pages that haven't received a single official response yeah?

That is probably the biggest problem, here the spam mail is largely irrelevant, but the fact they just moved on, without acknowledging the problem firefox users had, or contributing to the simple fix (google search is fairly good)...and then not firming up their initial message in detail.

Prosperity Park, on 07 January 2013 - 10:10 AM, said:

Yes. Posting them all in the same place makes it easier for the Employees to gather the information, instead of having to manually browse the forums to accumulate a list of threads in order to address a situation. Information Consolidation breeds efficiency.

This lets them browse the forums more efficiently.

There is a big problem then, because IGP and PGI staff clearly are exceptionally inefficient, how many posts has there been in that thread with further problems and not a single response.

Edited by DV McKenna, 07 January 2013 - 10:12 AM.

[SI The Joker]

It's an issue with the forum software people. Just google "email from patriot@usa.com"

Here's another website (This one's about RVing) with the same issue, talking about other sites having the same problem.

http://www.rvnetwork...howtopic=102767

This is a forums software issue.

[Inertiaman]

DV McKenna, on 07 January 2013 - 10:06 AM, said:

Point 1 ) It is not his email database, he is a community moderator, not an employee, you'd do well to learn the difference in that aspect

Point 3) Given that nobody has had any suspicious transactions for any of their payment methods as yet, that answers that question

What PP is actually saying is correct, once you choose the amount of MC you want, your then directed outside of PGI's servers, you can quite clearly see that in the pop up window, you'd have to more than a simple injection script to change that part.

I'm aware that he's a mod - but he seems to be representing the company in lieu of anyone else (and we've waited a month) so here we are.

Injection - XSS etc affect the browser, and would not be required here if the host is compromised.

I'm honestly not being combative for the sake of it. We work across a number of fairly high profile sites where we are and there's simply a way of doing things right that builds faith. Equally there's several very easy ways of doing things badly that will ruin anyones reputation. I fail to believe that PGI/IGP don't see value in high conversion so you'd think that they'd be keen to demonstrate that they've conducted a root cause analysis and offer up some assurances.

[Oderint dum Metuant]

Locust76, on 07 January 2013 - 10:11 AM, said:

For the record, since I used an alias email I'm pretty sure nothing will happen to me as a result of this data theft. However, it's entirely possible that some people have the same email/PW combo here that they do other places. If the thieves only have salted hashes of the PWs, they can't use them, but in the worst case, they have email/pw combinations. Even if they only have email addresses, they could have also managed to lift enough info to cause damage through social engineering (PW resets, defamation, etc..)

So it's not just about spam or what has been stolen directly from this site, but rather what could the stolen information be used for. They can't use my mwomercs.com email address to access my banking information, but it's entirely possible that someone's data may have been so severely compromised.

And i agree, but down to the individual im afraid it is our responsibility to ensure we don't make it that easy, if kids in their bedrooms can hack websites too some of the biggest companies in the world and organisations (hello FBI) a small developer and publisher like IGP and PGI have no hope.

SI The Joker, on 07 January 2013 - 10:12 AM, said:

It's an issue with the forum software people. Just google "email from patriot@usa.com"

Here's another website (This one's about RVing) with the same issue, talking about other sites having the same problem.

http://www.rvnetwork...howtopic=102767

This is a forums software issue.

Nobody will believe you in the slightest. It goes against the grain of having a go at PGI

[Joe3142]

This is a concerning to read, and I will be well peed off if I keep on getting damn spam.
I still also get a security warning when I click on "forums".

Edited by Joe3142, 07 January 2013 - 10:18 AM.

[Thirdstar]

You know what could potentially help with some of these issues? The ability to change our passwords and/or attached email addresses.

[Inertiaman]

DV McKenna, on 07 January 2013 - 10:16 AM, said:

Nobody will believe you in the slightest. It goes against the grain of having a go at PGI

Come on, that's disingenuous at best. Yes it's a forum issue, but it's affected this forum.

[Bromineberry]

Prosperity Park, on 07 January 2013 - 09:55 AM, said:

Numerous internet communities got "hit" by that Windows 8 is fail email, it's not an MW:O exclusive. Also, many of us don't get MW:O-specific spam (myself included).

I got this email too. I created this email account only for MWO and did not use it for anything else.

[PerfectTommy]

I got that patriot e-mail as well.

I also use a unique alias e-mail that I use for nothing else except MWO.

Something is up with the security for MWO.



-PT

Edited by PerfectTommy, 07 January 2013 - 10:31 AM.

[Oderint dum Metuant]

Joe3142, on 07 January 2013 - 10:17 AM, said:

This is a concerning to read, and I will be well peed off if I keep on getting damn spam.
I still also get a security warning when I click on "forums".

Using Firefox?

Inertiaman, on 07 January 2013 - 10:20 AM, said:

Come on, that's disingenuous at best. Yes it's a forum issue, but it's affected this forum.

Not entirely it's not, it's effected this forum and other forums.
It's a problem yes, is spam mail annoying..yes, do spam filters work? yes...has anyone lost anything of value? Not yet.

Irrespective of weather we can change details here (silly that we can't) if your passwords here match anything else..change them its simple practice.

[BrotherEJ]

In regards to PGI selling your info from the Privacy page http://mwomercs.com/privacy

Disclosure and Sharing of Your Information
We do not sell or license your personal information to any other party. However, in the normal course of business we may share some of your personal information with our affiliates and partners, and with third parties acting on our behalf or as permitted or required by Applicable Privacy Legislation.

Now PGI may not sell your info, but maybe a Third Party or affiliates and partners might be. How would we or PGI know if there partners is violating their agreement with PGI?

Edited by BrotherEJ, 07 January 2013 - 10:38 AM.

[SI The Joker]

BrotherEJ, on 07 January 2013 - 10:34 AM, said:

In regards to PGI selling your info from the Privacy page http://mwomercs.com/privacy

Disclosure and Sharing of Your Information
We do not sell or license your personal information to any other party. However, in the normal course of business we may share some of your personal information with our affiliates and partners, and with third parties acting on our behalf or as permitted or required by Applicable Privacy Legislation.

Now PGI may not sell you info but maybe a Third Party or affiliates and partners might be. How would we or PGI know if there partners is violating their agreement with PGI?

Oh... my... word. Please read the thread.

It's a forums software issue.

[Inertiaman]

But very early on VBB responded that the vuln was present against specific style sheets - and amongst your confirmation that payments are secure (thanks for those) - have you forgotten that the URL was distributing a rootkit attack for half a day before anyone in charge noticed a problem, let along confirmed it?

[BrotherEJ]

Locust76, on 06 January 2013 - 12:13 PM, said:

Hello,

I've configured and operate my own mail server. I registered to this site and to the mw online open beta using an dummy email address "mwonline@mydomain.com"

I do this for security reasons because:

• My login data per site is unique
  
• I can quickly identify the source of spam if I receive it at a junk addres

Lo and behold, Yesterday (Jan 5, 2013) I received a spam mail from patriot@usa.com with the Subject "Sen. Dianne Goldman Feinstein Is A Loaded Gun Out to Destroy America" and the email gets delivered to (you guessed it!) "mwonline@mydomain.com"


This is disturbing to me because it indicates that either

• The forum DB has been compromised and the email addresses contained within have been stolen or
  
• Our email addresses are being sold

Like I said, the email address I used to register here has not been used anywhere else for any other purpose, and the only place the email address actually exists is in the user data database here on this site and this forum.


Has anyone else gotten such an email at their registered email address?

SI The Joker, on 07 January 2013 - 10:35 AM, said:

Oh... my... word. Please read the thread.

It's a forums software issue.

I did and yes its a forum issue this time lol

[ChaosAvenger0]

I have only ONE Email that I use to register for anything I need to register an Email account with. I can't be bothered to remember more than one Email address for stuff in adition to all my user names and passwords. I get spam, but I did/do not get this spam associated with this supposed breach. I mark any spam as such and it goes in the spam forlder from then on. I have an Email 'provider' and when they gather enough evidence from their user base to go after a spam server they work to shut it down. Sucks if you run your own Email server.

Now from what I've been reading about 'forum' breaches for forum registered specific Emails in the links provided, and further searches, is that the actual breach is more often occuring on the user side.

I'm not saying specifically that the user who's Email privacy was compromised is at fault, but that anyone the user communicates with electronicaly can be the breach. Not excluding a computer in the developers office.

More than likely everyone on this thread is PC savy and is on top of they're PC maintanence and is, of course, constantly scanning for and removing spyware/malware/tracking cookies on a regular basis. It's my experience that everyone else is not. I personnaly know a lot of people who 'just don't get it' and can't be bothered to download a free tool that automates the security process.

If the breach occured in the user database we should all be getting this spam, because only a select few seem to be receiving it, likely it's not a widespread occurence. So basicaly what I'm saying is don't be supprised if igp/pgi again confirm that user Emails weren't compromised on their end.

[ChaosAvenger0]

If I ever get as many kills in a match as I got quotes in a thread I could die happy.

So I got an Email notfication from MWO that I got quoted on the forums and there is a LOT OF LINKS AND CONTACT INFORMATION in the Email. I'm thinking... If ever my computer was compromised by a 3rd party it might be able to use this information for nefarious (did I spell that right?) purposes.

As with every other topic on the forums I'm waiting to see an accredited expert weigh in on the actual causes. Unlike other users I have patience for a proper investigation to run it's course.

[Moguai]

Locust76, on 18 January 2013 - 10:15 PM, said:

When I registered for my mwomercs.com forum account, I came up with a wholly unique email address (mwonline@mydomain.com) to use here. Nobody else in the entire internet has this email address, just me and mwomercs.com. I do that exactly because I can then identify who the spammers are or who's been compromised and blacklist that destination address if I choose to do so.

I received spam at my unique email address that only existed in one place outside of my mail server: here. The evidence doesn't get any more definitive than that. This forum was hacked and some email addresses were stolen. Period.

I manage my E-Mail Adresses the same way as you and i can confirm everthing you have written so far.
Latest Spam Mail came 2 Minutes ago.

[Avon]

Locust76, on 23 January 2013 - 06:25 AM, said:

I just received a message from Liberty@Bell.com telling me that the Sandy Hook shooting didn't happen. Guess which email address it came to? That's right! mwonline@mydomain.com

Yeah, I just got the same thing to my unique mwo@mydomain email address.

[Inertiaman]

ChaosAvenger0, on 18 January 2013 - 10:55 PM, said:

As with every other topic on the forums I'm waiting to see an accredited expert weigh in on the actual causes. Unlike other users I have patience for a proper investigation to run it's course.

Will two decades of LAMP, Exchange, Dynamics and AWS system design and integration around electronic messaging and payment processing do? Because my opinions are further up the thread.

We've been asking for what you're waiting for for nearly two months now. If it were forthcoming from the only people who can actually offer any insight, for better or for worse, we would no longer be asking. We'd have changed our passwords and email addresses and moved on.

Locust76, on 23 January 2013 - 06:25 AM, said:

I just received a message from Liberty@Bell.com telling me that the Sandy Hook shooting didn't happen. Guess which email address it came to? That's right! mwonline@mydomain.com

Hilarious mail by the way. Damn that commie Obama!

[Rumjaku]

Lonestar1771, on 06 January 2013 - 12:25 PM, said:

Trust me I am getting spam calls to my phone that I NEVER EVER got until AFTER that fiasco. I am also getting lots of spam to my email as well and received the same email. PGI has been less than honest in regards and I have been considering getting my lawyer involved since we really don't know how far the damage goes..

It's so sad knowing that 75% of incidents could have been prevented if the end user took necessary precautions to protect themselves online.

More and more I see people falling victim to scams, phishing, spam, etc. And all because they didn't first secure the MOST important asset of all....

Their own computer.

Case in point: You should not always assume that your own equipment has not been compromised.