WowInterface.com email database has been compromised (https://www.wowinterface.com/forums/showthread.php?t=34456)

MidgetMage55 02-07-10 02:36 PM

This might be what you're looking for.

Cosmic Cleric 02-07-10 03:11 PM

Quote:

Originally Posted by MidgetMage55 (Post 177690)

No, I read that, but that doesn't address the problem if there was a breach in security on their web site or not.

I get they wouldn't want to necessarily admit it, but I need to know if my email address was compromised because their database was, or something else.

Considering that many have posted this problem, I'm thinking they were compromised. I'd just like to hear some 'official update' on the subject.

Cairenn 02-07-10 03:28 PM

Yes it does. And yes there was. Ages ago. And we posted about it. So how is that not admitting it?

Dolby 02-07-10 03:49 PM

Yes Cosmic Cleric, it does look like they did get a dump of our database back when we were hacked a few years ago and they are using it to send out phishing emails. At the time I only thought our filevault was compromised but it looks like they took our database as well.

I have since gone over every query to make sure there are no injection vulnerabilities. We have also moved to new servers since then with much better security.

I should have posted to make that more clear and I'm very sorry this happened.

Shirik 02-07-10 04:18 PM

Furthermore, please do not post malicious links, with spaces or without. There's neither anything difficult nor confusing about putting a "[link removed]" message in a post.

Cosmic Cleric 02-07-10 09:54 PM

Quote:

Originally Posted by Dolby (Post 177700)
Yes Cosmic Cleric, it does look like they did get a dump of our database back when we were hacked a few years ago and they are using it to send out phishing emails. At the time I only thought our filevault was compromised but it looks like they took our database as well.

I have since gone over every query to make sure there are no injection vulnerabilities. We have also moved to new servers since then with much better security.

I should have posted to make that more clear and I'm very sorry this happened.

Thank you for the reply.

The only lingering thought I have though is that you speak about 'a few years ago' but the attack just happened a few days ago? From what I understand, usually information is used right away, before it becomes outdated. /shrug

Cosmic Cleric 02-07-10 09:56 PM

Quote:

Originally Posted by Shirik (Post 177702)
Furthermore, please do not post malicious links, with spaces or without. There's neither anything difficult nor confusing about putting a "[link removed]" message in a post.

Apologies, but I didn't know if the information was needed or not in diagnosing where the hackers were coming from.
I felt it was better to supply as much information as possible to you guys, in hopes you'd be able to determine what was going on.

Since the link was non-usable, I don't think there's any issue with it being posted (malformed with spaces so it's not a valid URL of course).

If someone goes to the trouble of copy/pasting the web link, removing the spaces, then going to that web site, then maybe they deserve what they get. /shrug

EDIT: By the way, while you're so fast to chastise me for the link and to go back and edit my post, you may want to check the OTHER posts made in this same topic for the same kind of links (with spaces added) that you object to me having done.

Cosmic Cleric 02-07-10 10:13 PM

Quote:

Originally Posted by Cairenn (Post 177697)
Yes it does. And yes there was. Ages ago. And we posted about it. So how is that not admitting it?

To be honest, the 'feel' I'm getting about this is that this is a recent break-in, and that you all are trying to pretend it's actually from a long time ago.

I honestly don't know if I'm right or wrong about it, but the perceived hostility level I'm seeing from the admins seems excessive based on the concern of the posts being made by your users.

Do you all honestly think that this RECENT sending of emails is from a data theft from YEARS AGO?

Really?

Dolby 02-07-10 10:39 PM

So far everyone that has posted has had an older account. I haven't received a report from anyone with a newer account report that they have received a phishing email from a wowinterface only email address. I know it's a bit strange and it has me uneasy as well and I'm monitoring queries extremely closely right now.

I don't see anything in our logs or logwatch that would suggest a break-in since then either. I have even recently gone over our MySQL queries that take external data and make sure they are all protected from injection attacks. I also have plans to switch to mysqli so that injection attacks aren't possible.

Again I'm very sorry this happened to everyone. I appreciate everyone posting that they received one and in no way am I or other staff trying to cover it up. I'm sorry if you feel jumped on, Cosmic Cleric; however, Shirik just didn't want Google/Yahoo/Bing bots to index that site by crawling our threads.

If we do find anything in the future we will let everyone know.

Cosmic Cleric 02-08-10 12:44 AM

Quote:

Originally Posted by Dolby (Post 177745)
So far everyone that has posted has had an older account. I haven't received a report from anyone with a newer account report that they have received a phishing email from a wowinterface only email address. I know it's a bit strange and it has me uneasy as well and I'm monitoring queries extremely closely right now.

I don't see anything in our logs or logwatch that would suggest a break-in since then either. I have even recently gone over our MySQL queries that take external data and make sure they are all protected from injection attacks. I also have plans to switch to mysqli so that injection attacks aren't possible.

Again I'm very sorry this happened to everyone. I appreciate everyone posting that they received one and in no way am I or other staff trying to cover it up. I'm sorry if you feel jumped on, Cosmic Cleric; however, Shirik just didn't want Google/Yahoo/Bing bots to index that site by crawling our threads.

If we do find anything in the future we will let everyone know.

Thank you for the additional information and apology, they are appreciated. :)

Zyonin 02-08-10 07:08 AM

Quote:

Originally Posted by Cosmic Cleric (Post 177742)
To be honest, the 'feel' I'm getting about this is that this is a recent break-in, and that you all are trying to pretend it's actually from a long time ago.

I honestly don't know if I'm right or wrong about it, but the perceived hostility level I'm seeing from the admins seems excessive based on the concern of the posts being made by your users.

Do you all honestly think that this RECENT sending of emails is from a data theft from YEARS AGO?

Really?

I think that the answer to your question is yes as I have been getting a spike of phishing emails at the account I used to register with originally. However I am getting zero phishing spam at the address that I am currently using as my WoWI registered address which I have been using for the last year or so. The email address I am getting the phishing spam is the one that I used when the file vault was broken into a couple of years ago.

Many times, crackers who swipe details like email addresses don't act on the data right away. In many instances they will wait until everyone has forgotten about the theft. In many cases, the thieves will sell the harvested addresses. This is likely the case here: the thieves have sold the addresses to numerous parties or have stashed the db in some forum/community where phishers hang out.

Fortunately in my case, Yahoo is real good at filtering all this crap into the spam box. In addition, I don't use that address for day to day email anymore.

SkunkWerks 04-22-10 05:17 AM

I'll add my own anecdote to this thread. As with others, I am using a unique email address (this one from Sneakemail) that I only gave to WoWI, and no one else. Also, as with others here, I can see no other possible means by which they extracted my e-mail except for through WoWI.

The idea of a random assemblage of letters and numbers (brute force) is possible, I suppose, but hardly seems likely, since that's exactly how Sneakemail generates redirect addresses, that and it seems an awful lot of trouble to go through just to send me an e-mail with a phishing link and baiting me by telling me an Aion account I have never had in the past or present is compromised.

Quote:

Originally Posted by Dolby (Post 172466)
Since you are long-time members it's possible when we were compromised a few years ago (we posted news about it when it happened) that they got away with some email addresses. That was on our old server and I do not have the logs for that.

I have been here a while, and this sounds like a possibility, though as others have, I'd have to question: "Why now and not when they made off with the addresses?" I've never before had this sort of issue with WoWI, and that I'm just now having it seems significant enough to mention. It also seems significant that two months after the last post made in this thread is past, this issue is still cropping up.

On my end it's a simple matter of changing the redirect address I have linking me to WoWI. But if something is compromised somehow at your end, well, I suppose the bottom line is that all this information is far more valuable to you than to me.

In the meantime, I suppose the ultimate test would be simply to change the address and keep an eye on what happens. If water still somehow makes it out the bottom of the bucket after that, it seems fair to assume there's a hole in it.

Zyonin 04-23-10 04:10 AM

Quote:

Originally Posted by SkunkWerks (Post 185523)
I have been here a while, and this sounds like a possibility, though as others have, I'd have to question: "Why now and not when they made off with the addresses?" I've never before had this sort of issue with WoWI, and that I'm just now having it seems significant enough to mention. It also seems significant that two months after the last post made in this thread is past, this issue is still cropping up.

See my previous post in this thread:

Quote:

Originally Posted by Zyonin (Post 177774)
Many times, crackers who swipe details like email addresses don't act on the data right away. In many instances they will wait until everyone has forgotten about the theft. In many cases, the thieves will sell the harvested addresses. This is likely the case here: the thieves have sold the addresses to numerous parties or have stashed the db in some forum/community where phishers hang out.

Likely the folks that did the original break-in a couple of years ago are NOT the ones spamming everyone's email account.

Data thieves will usually hold onto and wait to use data like email addresses, WoW Account info, Social Security numbers and other such data. It's not "perishable" like Authenticator keys, credit card numbers and bank account data; thus the thieves can afford to wait months before using or selling the data. This also adds a "fog of time" effect that causes confusion for victims as in most cases they will not be able to remember when and where the theft occurred.

This issue will keep cropping up until the email addresses that were stolen are either closed, relegated to spam "honeypots" (like my old email account that was used to register here) or otherwise ignored. Change your account email address and keep an eye on the email that comes in.

ScreamingPict 04-28-10 08:44 AM

In case it helps- I also got a phishing mail to an account that was only registered on this site (I have a wildcarded set of e-mail addresses so it wasn't just an address that they had guessed)- hopefully this combined with my first registered account date will give you more indication that this is just the old hack on the previous server.

SkunkWerks 07-25-10 04:14 PM

Quote:

Originally Posted by SkunkWerks (Post 185523)
In the meantime, I suppose the ultimate test would be simply to change the address and keep an eye on what happens. If water still somehow makes it out the bottom of the bucket after that, it seems fair to assume there's a hole in it.

There's a hole in the bucket
Dear Liza, Dear Liza
There's a hole in the bucket
Dear Liza
A hole.


By which I mean to say, I've since the above event changed to another unique e-mail address, and once again, I find myself getting scam e-mails through the address given uniquely to WoWI and only WoWI.

This time it was a beta test scam. You know when your e-mail reader tells you that you need to install a Chinese language pack to read all the e-mail's content correctly, that's not a good sign from the get-go.

Quote:

getting
'Greetings'?

Quote:

Get those opt-ins ready for the World of Warcraft: Cataclysm closed beta! The sundering of Azeroth is nigh, and you don’t want to be left out in the cold of Northrend when you could be enjoying the sun-drenched beaches on the goblin isle of Kezan. To ensure you’re opted-in and eligible as a potential candidate, you’ll need a World of Warcraft license attached to your Battle.net account, have your current system specifications uploaded to the Battle.net Beta Profile Settings page, and have expressed interest through the franchise-specific check boxes.

Get the Installer - Log in to your Battle.net account: [LINK REMOVED]

** IMPORTANT ** To avoid graphical bugs and other technical issues, please ensure your video card drivers are up-to-date.

Enjoy the game!

Blizzard Entertainment, Inc.

So, I'm once again forced to wonder if there is not a more recent or ongoing breach of your servers.

Dolby 07-25-10 05:52 PM

When did you last change your email address?

I'm sorry this happened to you again.

Just yesterday I had found a potential hole into our database where when you updated an AddOn the cached username could allow an injection based upon the user's name. So far it looks like that was the only field that wasn't wrapped with mysql_real_escape_string() due to the fact it was getting the name from vBulletin and I wasn't thinking. I'm investigating the logs to see if anything was taken advantage of there.

We are upgrading to new servers soon (already upgraded our addon file server). I will again audit my MySQL queries and change all passwords (as I do with all moves).
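
The hole described in the post above is a second-order injection: a value that was stored safely is later pasted into another statement because it came from an internal source. The following is an added example, not part of the original post and not WoWInterface's code; it uses Python's sqlite3 as a stand-in for PHP/MySQL, and the table names, column names and sample username are constructed for illustration.

```python
import sqlite3

# Constructed display name containing SQL syntax; stored intact at registration.
HOSTILE_NAME = "mallory', title = 'overwritten"

def make_db():
    """In-memory stand-in for the site database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forum_users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE addons (id INTEGER PRIMARY KEY, title TEXT, author_name TEXT);
        INSERT INTO addons (id, title, author_name) VALUES (1, 'MyAddon', 'unset');
    """)
    # Registration binds the name as a parameter, so this step is not the hole.
    db.execute("INSERT INTO forum_users (id, name) VALUES (?, ?)", (2, HOSTILE_NAME))
    return db

def cached_name(db, user_id):
    row = db.execute("SELECT name FROM forum_users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

def update_addon_unsafe(db, addon_id, user_id):
    # Flaw: the name is pasted into the statement because it came from "our own" table.
    name = cached_name(db, user_id)
    db.execute(f"UPDATE addons SET author_name = '{name}' WHERE id = {int(addon_id)}")

def update_addon_safe(db, addon_id, user_id):
    # Fix: every value is bound, whatever its origin, so it can only ever be data.
    name = cached_name(db, user_id)
    db.execute("UPDATE addons SET author_name = ? WHERE id = ?", (name, addon_id))

def addon_row(db, addon_id):
    return db.execute(
        "SELECT title, author_name FROM addons WHERE id = ?", (addon_id,)
    ).fetchone()

def demo():
    """Run the same update both ways and return (unsafe_row, safe_row)."""
    unsafe_db, safe_db = make_db(), make_db()
    update_addon_unsafe(unsafe_db, 1, 2)
    update_addon_safe(safe_db, 1, 2)
    return addon_row(unsafe_db, 1), addon_row(safe_db, 1)

if __name__ == "__main__":
    print(demo())
```

In the unsafe run the stored name rewrites a second column of the row; in the bound-parameter run it is stored as a literal string. Bound parameters are the mechanism that mysqli prepared statements provide in PHP.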

SkunkWerks 07-25-10 06:12 PM

Quote:

Originally Posted by Dolby (Post 200073)
When did you last change your email address?

The date of my second to last post in this thread (the one I quoted in my latest post) is a pretty reliable date for that- so I'd say around about 04-22-2010.

I'll probably change it again not long from now, but I figured I'd see about what was happening here first.

Dolby 07-25-10 06:14 PM

Quote:

Originally Posted by SkunkWerks (Post 200077)
The date of my second to last post in this thread (the one I quoted in my latest post) is a pretty reliable date for that- so I'd say around about 04-22-2010.

Ok if it isn't too much trouble and when you have the time please change your email address again. I have a few test accounts too but have received zilch from them at the moment.

I'm going to have a 2nd set of eyes look over my queries too.

SkunkWerks 07-26-10 08:20 AM

Quote:

Originally Posted by Dolby (Post 200078)
Ok if it isn't too much trouble and when you have the time please change your email address again.

Done as of yesterday (7/25). Thanks for your diligence.
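
The address-rotation test discussed in the posts above bounds when a leak can have happened: a unique address can only have been copied after it was given to the site and before the first phishing mail reached it. The following is an added example, not part of the original thread; the labels and the dates marked "constructed" are placeholders, and the thread's post dates are used as upper bounds for when phishing was first seen.

```python
from datetime import date

# (label, date the unique address was given to the site, date phishing first seen or None)
CANARIES = [
    ("addr-A", date(2007, 1, 1), date(2010, 4, 22)),   # issue date constructed; phish reported 04-22-10
    ("addr-B", date(2010, 4, 22), date(2010, 7, 25)),  # changed ~04-22-2010; phish reported 07-25-10
    ("staff-test", date(2010, 7, 1), None),            # constructed; no phishing received
]

def leak_windows(canaries):
    """Windows (issued, first_seen] for addresses that were hit, sorted by first_seen."""
    hit = [(issued, seen, label) for label, issued, seen in canaries if seen is not None]
    return sorted(hit, key=lambda w: w[1])

def minimum_exposures(canaries):
    """Greedy interval stabbing: the fewest separate copy events that explain every hit.

    An address issued on or after the latest possible date of the current event
    cannot have been taken in that event, so it forces a new one.
    """
    events = []
    for issued, seen, label in leak_windows(canaries):
        if events and issued < events[-1]["no_later_than"]:
            ev = events[-1]
            ev["not_before"] = max(ev["not_before"], issued)
            ev["addresses"].append(label)
        else:
            events.append({"not_before": issued, "no_later_than": seen,
                           "addresses": [label]})
    return events

if __name__ == "__main__":
    for n, ev in enumerate(minimum_exposures(CANARIES), 1):
        print(f"exposure {n}: after {ev['not_before']}, by {ev['no_later_than']}: "
              f"{', '.join(ev['addresses'])}")
```

With these inputs the second address cannot be explained by the same event as the first, so at least one exposure falls between 2010-04-22 and 2010-07-25.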

Rilgamon 07-26-10 10:58 AM

Quote:

Originally Posted by Dolby (Post 200073)
When did you last change your email address?

I'm sorry this happened to you again.

Just yesterday I had found a potential hole into our database where when you updated an AddOn the cached username could allow an injection based upon the user's name. So far it looks like that was the only field that wasn't wrapped with mysql_real_escape_string() due to the fact it was getting the name from vBulletin and I wasn't thinking. I'm investigating the logs to see if anything was taken advantage of there.

We are upgrading to new servers soon (already upgraded our addon file server). I will again audit my MySQL queries and change all passwords (as I do with all moves).

I'm sure you've read this but since you mention vBulletin I thought this might be related:

http://www.h-online.com/open/news/it...n-1044462.html


All times are GMT -6.
