02-07-10, 02:36 PM   #41
MidgetMage55
Grinch!
Join Date: Feb 2007
Posts: 1,498
This might be what you're looking for.
__________________

I think Hong Kong Phooey was a ninja AND a pirate. That was just too much awesome. - Yhor
02-07-10, 03:11 PM   #42
Cosmic Cleric
A Deviate Faerie Dragon
Join Date: Jun 2005
Posts: 15
Originally Posted by MidgetMage55
No, I read that, but that doesn't address the problem if there was a breach in security on their web site or not.

I get they wouldn't want to necessarily admit it, but I need to know if my email address was compromised because their database was, or something else.

Considering that many have posted this problem, I'm thinking they were compromised. I'd just like to hear some 'official update' on the subject.
02-07-10, 03:28 PM   #43
Cairenn
Credendo Vides
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
Yes it does. And yes there was. Ages ago. And we posted about it. So how is that not admitting it?
__________________
“Do what you feel in your heart to be right — for you’ll be criticized anyway.” ~ Eleanor Roosevelt
~~~~~~~~~~~~~~~~~~~
Co-Founder & Admin: MMOUI
02-07-10, 03:49 PM   #44
Dolby
PPAP
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
Yes Cosmic Cleric, it does look like they did get a dump of our database back when we were hacked a few years ago and they are using it to send out phishing emails. At the time I only thought our filevault was compromised but it looks like they took our database as well.

I have since gone over every query to make sure there are no injection vulnerabilities. We have also moved to new servers since then with much better security.

I should have posted to make that more clear and I'm very sorry this happened.

Last edited by Dolby : 02-07-10 at 04:12 PM.
02-07-10, 04:18 PM   #45
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
Join Date: Mar 2007
Posts: 818
Furthermore, please do not post malicious links, with spaces or without. There's neither anything difficult nor confusing about putting a "[link removed]" message in a post.
__________________
Certainly, an era is coming to an end
I saw it with my own eyes
But that my turn is next
I didn't want to know
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/
02-07-10, 09:54 PM   #46
Cosmic Cleric
A Deviate Faerie Dragon
Join Date: Jun 2005
Posts: 15
Originally Posted by Dolby
Yes Cosmic Cleric, it does look like they did get a dump of our database back when we were hacked a few years ago and they are using it to send out phishing emails. At the time I only thought our filevault was compromised but it looks like they took our database as well.

I have since gone over every query to make sure there are no injection vulnerabilities. We have also moved to new servers since then with much better security.

I should have posted to make that more clear and I'm very sorry this happened.
Thank you for the reply.

The only lingering thought I have though is that you speak about 'a few years ago' but the attack just happened a few days ago? From what I understand, usually information is used right away, before it becomes outdated. /shrug
02-07-10, 09:56 PM   #47
Cosmic Cleric
A Deviate Faerie Dragon
Join Date: Jun 2005
Posts: 15
Originally Posted by Shirik
Furthermore, please do not post malicious links, with spaces or without. There's neither anything difficult nor confusing about putting a "[link removed]" message in a post.
Apologies, but I didn't know if the information was needed or not in diagnosing where the hackers were coming from.
I felt it was better to supply as much information as possible to you guys, in hopes you'd be able to determine what was going on.

Since the link was non-usable, I don't think there's any issue with it being posted (malformed with spaces so it's not a valid URL of course).

If someone goes to the trouble of copy/pasting the web link, removing the spaces, then going to that web site, then maybe they deserve what they get. /shrug

EDIT: By the way, while you're so fast to chastise me for the link and to go back and edit my post, you may want to check the OTHER posts made in this same topic for the same kind of links (with spaces added) that you object to me having done.

Last edited by Cosmic Cleric : 02-07-10 at 10:17 PM.
02-07-10, 10:13 PM   #48
Cosmic Cleric
A Deviate Faerie Dragon
Join Date: Jun 2005
Posts: 15
Originally Posted by Cairenn
Yes it does. And yes there was. Ages ago. And we posted about it. So how is that not admitting it?
To be honest, the 'feel' I'm getting about this is that this is a recent break-in, and that you all are trying to pretend it's actually from a long time ago.

I honestly don't know if I'm right or wrong about it, but the perceived hostility level I'm seeing from the admins seems excessive based on the concern of the posts being made by your users.

Do you all honestly think that this RECENT sending of emails is from a data theft from YEARS AGO?

Really?
02-07-10, 10:39 PM   #49
Dolby
PPAP
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
So far everyone that has posted has had an older account. I haven't received a report from anyone with a newer account that they have received a phishing email from a WoWInterface-only email address. I know it's a bit strange and it has me uneasy as well and I'm monitoring queries extremely closely right now.

I don't see anything in our logs or logwatch that would suggest a break-in since then either. I have even recently gone over our MySQL queries that take external data and made sure they are all protected from injection attacks. I also have plans to switch to mysqli so that injection attacks aren't possible.

Again I'm very sorry this happened to everyone. I appreciate everyone posting that they received one and in no way am I or other staff trying to cover it up. I'm sorry if you feel jumped on, Cosmic Cleric; however, Shirik just didn't want google/yahoo/bing bots to index that site by crawling our threads.

If we do find anything in the future we will let everyone know.

Last edited by Dolby : 02-07-10 at 10:56 PM.
02-08-10, 12:44 AM   #50
Cosmic Cleric
A Deviate Faerie Dragon
Join Date: Jun 2005
Posts: 15

Originally Posted by Dolby
So far everyone that has posted has had an older account. I haven't received a report from anyone with a newer account that they have received a phishing email from a WoWInterface-only email address. I know it's a bit strange and it has me uneasy as well and I'm monitoring queries extremely closely right now.

I don't see anything in our logs or logwatch that would suggest a break-in since then either. I have even recently gone over our MySQL queries that take external data and made sure they are all protected from injection attacks. I also have plans to switch to mysqli so that injection attacks aren't possible.

Again I'm very sorry this happened to everyone. I appreciate everyone posting that they received one and in no way am I or other staff trying to cover it up. I'm sorry if you feel jumped on, Cosmic Cleric; however, Shirik just didn't want google/yahoo/bing bots to index that site by crawling our threads.

If we do find anything in the future we will let everyone know.
Thank you for the additional information and apology, they are appreciated.
02-08-10, 07:08 AM   #51
Zyonin
Coffee powered Kaldorei
Join Date: May 2006
Posts: 1,443
Originally Posted by Cosmic Cleric
To be honest, the 'feel' I'm getting about this is that this is a recent break-in, and that you all are trying to pretend it's actually from a long time ago.

I honestly don't know if I'm right or wrong about it, but the perceived hostility level I'm seeing from the admins seems excessive based on the concern of the posts being made by your users.

Do you all honestly think that this RECENT sending of emails is from a data theft from YEARS AGO?

Really?
I think that the answer to your question is yes as I have been getting a spike of phishing emails at the account I used to register with originally. However I am getting zero phishing spam at the address that I am currently using as my WoWI registered address which I have been using for the last year or so. The email address I am getting the phishing spam is the one that I used when the file vault was broken into a couple of years ago.

Many times, crackers who swipe details like email addresses don't act on the data right away. In many instances they will wait until everyone has forgotten about the theft. In many cases, the thieves will sell the harvested addresses. This is likely the case here, the thieves have sold the addresses to numerous parties or have stashed the db in some forum/community where phishers hang out.

Fortunately in my case, Yahoo is real good at filtering all this crap into the spam box. In addition, I don't use that address for day to day email anymore.

Last edited by Zyonin : 02-08-10 at 07:11 AM.
04-22-10, 05:17 AM   #52
SkunkWerks
A Fallenroot Satyr
Join Date: Apr 2006
Posts: 21
I'll add my own anecdote to this thread. As with others, I am using a unique email address (this one from Sneakemail) that I only gave to WoWI, and no one else. Also, as with others here, I can see no other possible means by which they extracted my e-mail except for through WoWI.

The idea of a random assemblage of letters and numbers (brute force) is possible, I suppose, but hardly seems likely, since that's exactly how Sneakemail generates redirect addresses, that and it seems an awful lot of trouble to go through just to send me an e-mail with a phishing link and baiting me by telling me an Aion account I have never had in the past or present is compromised.

Originally Posted by Dolby
Since you are long time members it's possible when we were compromised a few years ago (we posted news about it when it happened) that they got away with some email addresses. That was on our old server and I do not have the logs for that.
I have been here a while, and this sounds like a possibility, though as others have, I'd have to question: "Why now and not when they made off with the addresses?" I've never before had this sort of issue with WoWI, and that I'm just now having it seems significant enough to mention. It also seems significant that two months after the last post made in this thread is past, this issue is still cropping up.

On my end it's a simple matter of changing the redirect address I have linking me to WoWI. But if something is compromised somehow at your end, well, I suppose the bottom line is that all this information is far more valuable to you than to me.

In the meantime, I suppose the ultimate test would be simply to change the address and keep an eye on what happens. If water still somehow makes it out the bottom of the bucket after that, it seems fair to assume there's a hole in it.

Last edited by SkunkWerks : 04-22-10 at 05:56 AM.
04-23-10, 04:10 AM   #53
Zyonin
Coffee powered Kaldorei
Join Date: May 2006
Posts: 1,443
Originally Posted by SkunkWerks
I have been here a while, and this sounds like a possibility, though as others have, I'd have to question: "Why now and not when they made off with the addresses?" I've never before had this sort of issue with WoWI, and that I'm just now having it seems significant enough to mention. It also seems significant that two months after the last post made in this thread is past, this issue is still cropping up.
See my previous post in this thread:

Originally Posted by Zyonin
Many times, crackers who swipe details like email addresses don't act on the data right away. In many instances they will wait until everyone has forgotten about the theft. In many cases, the thieves will sell the harvested addresses. This is likely the case here, the thieves have sold the addresses to numerous parties or have stashed the db in some forum/community where phishers hang out.
Likely the folks that did the original break-in a couple of years ago are NOT the ones spamming everyone's email account.

Data thieves will usually hold onto and wait to use data like email addresses, WoW Account info, Social Security numbers and other such data. It's not "perishable" like Authenticator keys, credit card numbers and bank account data; thus the thieves can afford to wait months before using or selling the data. This also adds a "fog of time" effect that causes confusion for victims as in most cases they will not be able to remember when and where the theft occurred.

This issue will keep cropping up until the email addresses that were stolen are either closed, relegated to spam "honeypots" (like my old email account that was used to register here) or otherwise ignored. Change your account email address and keep an eye on the email that comes in.
04-28-10, 08:44 AM   #54
ScreamingPict
A Kobold Labourer
Join Date: Mar 2008
Posts: 1
In case it helps- I also got a phishing mail to an account that was only registered on this site (I have a wildcarded set of e-mail addresses so it wasn't just an address that they had guessed)- hopefully this combined with my first registered account date will give you more indication that this is just the old hack on the previous server.
07-25-10, 04:14 PM   #55
SkunkWerks
A Fallenroot Satyr
Join Date: Apr 2006
Posts: 21
Originally Posted by SkunkWerks
In the meantime, I suppose the ultimate test would be simply to change the address and keep an eye on what happens. If water still somehow makes it out the bottom of the bucket after that, it seems fair to assume there's a hole in it.
There's a hole in the bucket
Dear Liza, Dear Liza
There's a hole in the bucket
Dear Liza
A hole.


By which I mean to say, I've since the above event changed to another unique e-mail address, and once again, I find myself getting scam e-mails through the address given uniquely to WoWI and only WoWI.

This time it was a beta test scam. You know when your e-mail reader tells you that you need to install a Chinese language pack to read all the e-mail's content correctly, that's not a good sign from the get-go.

getting
'Greetings'?

Get those opt-ins ready for the World of Warcraft: Cataclysm closed beta! The sundering of Azeroth is nigh, and you don’t want to be left out in the cold of Northrend when you could be enjoying the sun-drenched beaches on the goblin isle of Kezan. To ensure you’re opted-in and eligible as a potential candidate, you’ll need a World of Warcraft license attached to your Battle.net account, have your current system specifications uploaded to the Battle.net Beta Profile Settings page, and have expressed interest through the franchise-specific check boxes.

Get the Installer - Log in to your Battle.net account: [LINK REMOVED]

** IMPORTANT ** To avoid graphical bugs and other technical issues, please ensure your video card drivers are up-to-date.

Enjoy the game!

Blizzard Entertainment, Inc.
So, I'm once again forced to wonder if there is not a more recent or ongoing breach of your servers.
07-25-10, 05:52 PM   #56
Dolby
PPAP
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
When did you last change your email address?

I'm sorry this happened to you again.

Just yesterday I had found a potential hole into our database where when you updated an AddOn the cached username could allow an injection based upon the user's name. So far it looks like that was the only field that wasn't wrapped with mysql_real_escape_string() due to the fact it was getting the name from vBulletin and I wasn't thinking. I'm investigating the logs to see if anything was taken advantage of there.

We are upgrading to new servers soon (already upgraded our addon file server). I will again audit my MySQL queries and change all passwords (as I do with all moves).

Last edited by Dolby : 07-25-10 at 06:01 PM.
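
Added example, not part of Dolby's post and not WoWInterface's code: the kind of gap described above, where a username read back from the site's own tables is concatenated into a later query while the request fields are escaped, next to the same update with bound parameters. It uses Python and an in-memory SQLite database so it runs offline, in place of the PHP/MySQL stack the thread refers to; the schema, function names and usernames are constructed for illustration.

```python
import sqlite3

def make_db(usernames):
    """Constructed schema: a forum user table plus an addon table that caches
    the author's name. Table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forum_users (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE addons (id INTEGER PRIMARY KEY, author_cache TEXT, version TEXT);
    """)
    for uid, name in enumerate(usernames, start=1):
        # Registration is parameterized, so any name is stored byte for byte.
        db.execute("INSERT INTO forum_users VALUES (?, ?)", (uid, name))
        db.execute("INSERT INTO addons VALUES (?, 'unset', '1.0')", (uid,))
    return db

def stored_username(db, user_id):
    row = db.execute("SELECT username FROM forum_users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

def update_addon_concat(db, addon_id, user_id, version):
    """Before: the request field is escaped, but the name read back from our
    own table is pasted into the SQL text as if it were trusted."""
    name = stored_username(db, user_id)
    escaped_version = version.replace("'", "''")
    db.execute("UPDATE addons SET version = '%s', author_cache = '%s' WHERE id = %d"
               % (escaped_version, name, int(addon_id)))

def update_addon_param(db, addon_id, user_id, version):
    """After: every value is bound as a parameter, whatever its origin."""
    name = stored_username(db, user_id)
    db.execute("UPDATE addons SET version = ?, author_cache = ? WHERE id = ?",
               (version, name, addon_id))

def author_caches(db):
    return [r[0] for r in db.execute("SELECT author_cache FROM addons ORDER BY id")]

def demo():
    # Constructed usernames: one ordinary, one with an apostrophe, one that
    # closes the string literal and comments out the rest of the statement.
    names = ["alice", "O'Brien", "x' --"]
    results = {}
    db = make_db(names)
    try:
        update_addon_concat(db, 2, 2, "1.1")
        results["apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe"] = "syntax error"      # query breaks for a legitimate name
    update_addon_concat(db, 3, 3, "1.1")             # WHERE clause is lost
    results["concat"] = author_caches(db)
    db = make_db(names)
    for addon_id in (2, 3):
        update_addon_param(db, addon_id, addon_id, "1.1")
    results["param"] = author_caches(db)
    return results

if __name__ == "__main__":
    print(demo())
```

Per-field escaping only holds if no field is ever missed, including values that come from another application's tables; in PHP, mysqli gives the bound-parameter behaviour only when its prepared statements are actually used.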
07-25-10, 06:12 PM   #57
SkunkWerks
A Fallenroot Satyr
Join Date: Apr 2006
Posts: 21
Originally Posted by Dolby
When did you last change your email address?
The date of my second to last post in this thread (the one I quoted in my latest post) is a pretty reliable date for that- so I'd say around about 04-22-2010.

I'll probably change it again not long from now, but I figured I'd see about what was happening here first.
07-25-10, 06:14 PM   #58
Dolby
PPAP
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
Originally Posted by SkunkWerks
The date of my second to last post in this thread (the one I quoted in my latest post) is a pretty reliable date for that- so I'd say around about 04-22-2010.
Ok if it isn't too much trouble and when you have the time please change your email address again. I have a few test accounts too but have received zilch from them at the moment.

I'm going to have a 2nd set of eyes look over my queries too.
07-26-10, 08:20 AM   #59
SkunkWerks
A Fallenroot Satyr
Join Date: Apr 2006
Posts: 21
Originally Posted by Dolby
Ok if it isn't too much trouble and when you have the time please change your email address again.
Done as of yesterday (7/25). Thanks for your diligence.
07-26-10, 10:58 AM   #60
Rilgamon
Premium Member
Premium Member
Join Date: Sep 2009
Posts: 822
Originally Posted by Dolby
When did you last change your email address?

I'm sorry this happened to you again.

Just yesterday I had found a potential hole into our database where when you updated an AddOn the cached username could allow an injection based upon the user's name. So far it looks like that was the only field that wasn't wrapped with mysql_real_escape_string() due to the fact it was getting the name from vBulletin and I wasn't thinking. I'm investigating the logs to see if anything was taken advantage of there.

We are upgrading to new servers soon (already upgraded our addon file server). I will again audit my MySQL queries and change all passwords (as I do with all moves).
I'm sure you've read this but since you mention vBulletin I thought this might be related:

http://www.h-online.com/open/news/it...n-1044462.html
__________________
The cataclysm broke the world ... and the pandas could not fix it!

WoWInterface » Site Forums » Site help, bugs, suggestions/questions » WowInterface.com email database has been compromised
