Bero
Joined: 08 Dec 2006
Posts: 1
WR Updates: 0
Bero WR Profile
|
Posted: Fri Jan 08, 2010 4:52 am Post subject: Site safety issue? email leaked |
|
|
Since I started with internet many, many years ago, I use different emails for different sites. So I'm able to say what site gives away my email without my permission.
For some weeks I have been getting phishing mails to this special email I've created for this site.
| Code: |
Return-Path: <wowaccountadmin>
Received: from blizzard.com (92-48-127-66.static.as29550.net [92.48.127.66] (may be forged))
by ***.dnsalias.com (8.13.8/8.13.8/Debian-3) with SMTP id o07Javps020359
for <berowarcraftrealmscom>; Thu, 7 Jan 2010 20:37:04 +0100
Date: Thu, 7 Jan 2010 20:36:57 +0100
Message-Id: <201001071937>
Received: from PC-200911071413 ([192.168.1.155])
(envelope-sender <wowaccountadmin>)
by 192.168.1.111 with ESMTP
for <berowarcraftrealmscom>; Fri, 08 Jan 2010 03:37:36 +0800
From: "wowaccountadmin"<wowaccountadmin>
To: berowarcraftrealmscom@***.dnsalias.com;
CC:
Reply-To: wowaccountadmin@blizzard.com
Subject: World Of Warcraft-Account Instructions
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_wodSmtp.356a.2D7C023.ec.670"
Content-Transfer-Encoding: UTF-8
|
It's not that I'm afraid my WoW-account could be hacked, but I'm afraid this site doesn't care much about the site members' personal data.
Of course I've disabled the visibility of my email in my profile and I didn't use this email for any other purposes than registering this account.
As a hint for the other WoW players around: At least don't use your WoW-email for any fansites and don't use your "usual" email for your WoW-account. So you will be able to see at once if someone tries to phish your account data. |
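Added example, not part of the original post or any poster's code: a Python sketch of the checks the quoted headers invite, comparing the HELO name with the reverse-DNS name on the topmost `Received` line, noting sendmail's "(may be forged)" marker, and flagging a private-address origin hop. The sample message is constructed from the post's headers; `mx.example.net`, `alias@example.net` and the From address are assumed placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; mx.example.net,
# alias@example.net and the From address are assumed placeholders.
SAMPLE = (
    "Received: from blizzard.com (92-48-127-66.static.as29550.net [92.48.127.66] (may be forged))\n"
    "\tby mx.example.net (8.13.8/8.13.8/Debian-3) with SMTP id o07Javps020359\n"
    "\tfor <alias@example.net>; Thu, 7 Jan 2010 20:37:04 +0100\n"
    "Received: from PC-200911071413 ([192.168.1.155])\n"
    "\tby 192.168.1.111 with ESMTP\n"
    "\tfor <alias@example.net>; Fri, 08 Jan 2010 03:37:36 +0800\n"
    'From: "wowaccountadmin" <wowaccountadmin@blizzard.com>\n'
    "Subject: World Of Warcraft-Account Instructions\n\nbody\n"
)

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r"(?P<forged>\s*\(may be forged\))?"
)

def org_domain(host):  # naive last-two-labels; real code should use the Public Suffix List
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def analyze(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    matches = (HOP.search(" ".join(h.split())) for h in msg.get_all("Received", []))
    hops = [m for m in matches if m]
    if not hops:
        return ["no-parsable-received"]
    findings = []
    top = hops[0]  # stamped by the receiving MTA: the only hop whose IP and rDNS are trusted
    if top["forged"]:  # sendmail: the PTR name did not resolve back to the connecting IP
        findings.append("rdns-unverified")
    if top["rdns"] and org_domain(top["helo"]) != org_domain(top["rdns"]):
        claims_from = bool(from_dom) and org_domain(top["helo"]) == org_domain(from_dom)
        findings.append("helo-claims-from-domain" if claims_from else "helo-rdns-mismatch")
    # Lower hops are sender-supplied text, so treat them as hints, not evidence.
    findings += ["private-origin-hop:" + h["helo"] for h in hops[1:] if is_private(h["ip"])]
    return findings
```

Only the topmost `Received` line is written by the recipient's own mail server; everything below it, like `From` and `Reply-To`, is whatever the sender chose to type.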
Hybuir
Gear Dependent Squirrel

Joined: 06 Sep 2005
Posts: 1536
Location: Austin, TX
WR Updates: 2,466,953
Hybuir WR Profile
|
Posted: Sat Jan 09, 2010 3:15 pm Post subject: |
|
|
Are you aware that this is different than your actual Warcraft account, right?
Taleel
Joined: 03 Feb 2006
Posts: 1
WR Updates: 1,398,410
Taleel WR Profile
|
Posted: Sat Jan 09, 2010 4:32 pm Post subject: |
|
|
| I also get phishing mails sent to an address that I used for this site exclusively. This has nothing to do with my WoW account's safety (protected by an authenticator, anyway). This is about this site leaking out private mail addresses. |
Balgair
Araiceil
Joined: 30 Sep 2005
Posts: 1302
Location: UK
WR Updates: 9,172,659
Balgair WR Profile
|
Posted: Sun Jan 10, 2010 12:48 pm Post subject: |
|
|
Can't say whether or not it's this site since I use my main email for several wow-related sites but in the last 2-3 days I've started getting phishing mails targeted at WoW, yep (my WoW account is on another email address so I'm safe enough btw, can easily see they're fakes). Never had them before so perhaps there's been some leak somewhere. Rollie? _________________ EU-Draenor:
-- Sagart - Tairbh - Buinne - Eilnich - Ruire - Balgair - Dubh - Laidir - Rosad - Naomh -- |
Alanthus
Updater Extraordinaire
Joined: 23 Aug 2005
Posts: 372
WR Updates: 1,891,532
Alanthus WR Profile
|
Posted: Mon Jan 11, 2010 6:19 am Post subject: |
|
|
There is no question the emails were leaked, and considering there are walkthroughs out there for how to hack this forum software that's easy enough to do. Just having your email address and even the password used on this site doesn't let anyone do anything but phishing emails though, tried to pass them on to blizzard when this started but they don't have an abuse@ address so I dropped it.
edit: if you use the same email and password combination on different sites that's of course a security risk, while it's a tad harder to get the actual passwords since they should be encrypted it's not impossible, especially if they're short or common enough.
Hybuir
Gear Dependent Squirrel

Joined: 06 Sep 2005
Posts: 1536
Location: Austin, TX
WR Updates: 2,466,953
Hybuir WR Profile
|
Posted: Mon Jan 11, 2010 10:12 am Post subject: |
|
|
Alphanumeric wif special characers f0rzewin!w@@@!
TwiZt
Joined: 22 Aug 2005
Posts: 7
Location: United States!
WR Updates: 647,902
TwiZt WR Profile
|
Posted: Mon Jan 11, 2010 11:57 am Post subject: |
|
|
My spam folder is full of these messages atm too. I forwarded it to blizzard hopefully they will take these idiots down
Also the email to forward these things to is: hacks@blizzard.com |
Alanthus
Updater Extraordinaire
Joined: 23 Aug 2005
Posts: 372
WR Updates: 1,891,532
Alanthus WR Profile
|
Posted: Mon Jan 11, 2010 3:23 pm Post subject: |
|
|
| TwiZt wrote: | My spam folder is full of these messages atm too. I forwarded it to blizzard hopefully they will take these idiots down
Also the email to forward these things to is: hacks@blizzard.com |
I do realize there is an email for this but since I don't play any more the extent of my efforts was using the abuse@ email suggested in the RFC's. If they don't have it set up that's their problem
alphaomega1
Joined: 01 Jul 2005
Posts: 1
WR Updates: 270
alphaomega1 WR Profile
|
Posted: Wed Jan 13, 2010 5:41 am Post subject: |
|
|
You receiving emails to this special account of yours doesn't automatically mean that warcraftrealms is the source of the leak. I do have special email addresses that I don't give out and I still receive phishing emails. Spammers randomly generate lots of email addresses and they will get through. Just delete them.
There are email harvesters out there, so you having your email publicly visible doesn't help. That's a lack of security on your part. |
Rollie
Site Admin

Joined: 28 Nov 2004
Posts: 5364
Location: Austin, TX
WR Updates: 480,131
Rollie WR Profile
|
Posted: Wed Jan 13, 2010 12:31 pm Post subject: |
|
|
Emails were definitely stolen. I sent out a mass email about it a few weeks ago, but I don't think it managed to send out to everyone. I had intended to send a follow up email, but I just haven't.
As Alanthus has mentioned, phpbb 2 is no longer developed and likely has holes. I made the mistake early on of tightly integrating the entire site with the phpbb database structure. I have wanted to upgrade, but it is something I have been afraid to look at.
Here is a copy of the email I sent:
----------------------------------------
I take security very seriously here at WarcraftRealms.com, but I will be the first to admit that I am no security expert. This site grew out of a hobby and has been a labor of love since WoW was in beta.
Due to the popularity and nature of the site, I am constantly under attack by hackers. One can only assume that these hackers wish to gather information pertaining to users' WoW accounts in an effort to hack, and use those WoW accounts for nefarious reasons (gold selling, character selling, etc).
While I do everything I can and know to do, a couple of months ago, the site was compromised and a breach did occur. The extent of the breach was not known at the time, but I have reason to believe that, at the least, the hacker(s) made off with the email addresses contained in my database.
The hole used was found and sealed. Hopefully there are not any others that have not been found at this time.
Those email addresses are now being targeted for various Phishing schemes, particularly for WoW account phishing scams. These scams typically attempt to get you to visit their site and enter your WoW account credentials.
Please always be very cautious when entering your information. Never click links in emails, but instead type the url of the site you wish to visit into the address bar of your browser.
As a further precaution, I urge all of you to get a Blizzard Authenticator which will with almost complete certainty protect your account from hackers.
Finally, please never use your WoW account name or password as your username or password to any online site.
Again, my sincerest apologies for any inconvenience anyone might have suffered due to this intrusion.
Always be safe,
Rollie
www.warcraftrealms.com |
FuxieDK

Joined: 22 May 2008
Posts: 372
Location: Copenhagen, DK
WR Updates: 2,128,750
FuxieDK WR Profile
|
Posted: Wed Jan 13, 2010 12:32 pm Post subject: |
|
|
| Rollie wrote: | Emails were definitely stolen. I sent out a mass email about it a few weeks ago, but I don't think it managed to send out to everyone. I had intended to send a follow up email, but I just haven't. |
I never received anything
Balgair
Araiceil
Joined: 30 Sep 2005
Posts: 1302
Location: UK
WR Updates: 9,172,659
Balgair WR Profile
|
Posted: Wed Jan 13, 2010 1:29 pm Post subject: |
|
|
I remember the incident a few weeks ago, but surprised in that case that nothing's happened until now - it's only been the past 3-4 days I've been getting phishing mails. Maybe mine's not connected since I use the same email on lots of sites anyway though. _________________ EU-Draenor:
-- Sagart - Tairbh - Buinne - Eilnich - Ruire - Balgair - Dubh - Laidir - Rosad - Naomh -- |
wcrknarf
Joined: 02 Aug 2008
Posts: 1
WR Updates: 6,046
wcrknarf WR Profile
|
Posted: Sat Jan 16, 2010 12:58 pm Post subject: |
|
|
Same here. The email address only used for warcraftrealms got two WoW phishing emails the last week.
Thanks Rollie for your post. |
b00nish
Joined: 02 Jun 2006
Posts: 1
Location: lucerne[+]
WR Updates: 275
b00nish WR Profile
|
Posted: Tue Mar 16, 2010 1:25 pm Post subject: |
|
|
Yep, same here.
I used an 'exclusive' E-Mail-Address for warcraftrealms.com.
Now I'm getting WoW phishing mails to this address every day. Just recently I also receive Aion phishing mails but of course I never had an Aion account
Well it's not a disaster for me since I just can disable the address - but it shows that using exclusive addresses is a good concept.
It's very commendable that Rollie is honest about the issue! |
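Added example, not from any poster in this thread: the per-site address practice described in the first post and again just above, written out in Python. It goes one step beyond the thread by adding a keyed tag to each alias, which answers the objection raised earlier that spammers simply generate addresses at random: a guessed address will not carry a valid tag. `SECRET`, `DOMAIN` and the `user.site.tag` layout are assumptions made for the illustration, and user names are assumed to contain no dots.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # assumption: a private key only you hold
DOMAIN = "example.net"             # assumption: a catch-all domain you control

def _label(site):
    """'warcraftrealms.com' -> 'warcraftrealmscom', the alias style seen in the thread."""
    return re.sub(r"[^a-z0-9]", "", site.lower())

def _tag(user, label):
    mac = hmac.new(SECRET, f"{user}|{label}".encode(), hashlib.sha256)
    return mac.hexdigest()[:10]

def alias_for(user, site):
    """Address to hand to exactly one site."""
    user, label = user.lower(), _label(site)
    return f"{user}.{label}.{_tag(user, label)}@{DOMAIN}"

def attribute(rcpt):
    """Classify the envelope recipient of an unwanted mail."""
    local, _, dom = rcpt.strip().lower().rpartition("@")
    parts = local.split(".")
    if dom != DOMAIN or len(parts) != 3:
        return ("not-an-alias", None)
    user, label, tag = parts
    if hmac.compare_digest(tag.encode(), _tag(user, label).encode()):
        # Valid tag: the address was only ever given to this site.
        return ("issued-to", label)
    # Right shape, wrong tag: a guessed or altered address, which proves nothing.
    return ("guessed-or-altered", label)
```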