WarcraftRealms.com
Site safety issue? email leaked

 
Bero



Joined: 08 Dec 2006
Posts: 1

WR Updates: 0
Bero WR Profile

Posted: Fri Jan 08, 2010 4:52 am    Post subject: Site safety issue? email leaked

Since I started with the internet many, many years ago, I have used different emails for different sites, so I'm able to say which site gives away my email without my permission.

For some weeks I have been getting phishing mails to this special email I've created for this site.

Code:

Return-Path: <wowaccountadmin>
Received: from blizzard.com (92-48-127-66.static.as29550.net [92.48.127.66] (may be forged))
   by ***.dnsalias.com (8.13.8/8.13.8/Debian-3) with SMTP id o07Javps020359
   for <berowarcraftrealmscom>; Thu, 7 Jan 2010 20:37:04 +0100
Date: Thu, 7 Jan 2010 20:36:57 +0100
Message-Id: <201001071937>
Received: from PC-200911071413 ([192.168.1.155])
   (envelope-sender <wowaccountadmin>)
   by 192.168.1.111 with ESMTP
   for <berowarcraftrealmscom>; Fri, 08 Jan 2010 03:37:36 +0800
From: "wowaccountadmin"<wowaccountadmin>
To: berowarcraftrealmscom@***.dnsalias.com;
CC:
Reply-To: wowaccountadmin@blizzard.com
Subject: World Of Warcraft-Account Instructions
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----_=_wodSmtp.356a.2D7C023.ec.670"
Content-Transfer-Encoding: UTF-8


It's not that I'm afraid my WoW account could be hacked, but I'm afraid this site doesn't care much about the site members' personal data.

Of course I've disabled the visibility of my email in my profile and I didn't use this email for any other purposes than registering this account.

As a hint for the other WoW players around: At least don't use your WoW email for any fansites and don't use your "usual" email for your WoW account. So you will be able to see at once if someone tries to phish your account data.
Back to top
View user's profile Send private message
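As an added example (not part of the original post): a short Python check over the Received and Reply-To headers quoted in the first post, flagging the signs that the mail did not come from blizzard.com. The function names are hypothetical, and it assumes the topmost Received line was written by the recipient's own mail server, so only that hop is trusted.

```python
import re
from email import message_from_string

# Header lines copied from the first post (addresses are elided there too).
RAW = """\
Return-Path: <wowaccountadmin>
Received: from blizzard.com (92-48-127-66.static.as29550.net [92.48.127.66] (may be forged))
   by ***.dnsalias.com (8.13.8/8.13.8/Debian-3) with SMTP id o07Javps020359
   for <berowarcraftrealmscom>; Thu, 7 Jan 2010 20:37:04 +0100
Received: from PC-200911071413 ([192.168.1.155])
   by 192.168.1.111 with ESMTP
   for <berowarcraftrealmscom>; Fri, 08 Jan 2010 03:37:36 +0800
Reply-To: wowaccountadmin@blizzard.com
Subject: World Of Warcraft-Account Instructions

"""

# "from HELO (rdns [ip] ...)" as written by sendmail-style MTAs
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]")

def same_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def spoofing_findings(raw):
    msg = message_from_string(raw)
    claimed = msg.get("Reply-To", "").rpartition("@")[2].strip(" >")
    findings = []
    for i, hop in enumerate(msg.get_all("Received", [])):
        hop = " ".join(hop.split())          # unfold continuation lines
        m = HOP.search(hop)
        if not m:
            continue
        helo, rdns, ip = m.groups()
        # sendmail adds this when the PTR name does not resolve back to the IP
        if "(may be forged)" in hop:
            findings.append((i, "mta-flagged-forged"))
        if rdns and not same_domain(rdns, helo):
            findings.append((i, f"helo {helo} != rdns {rdns}"))
        # Assumption: hop 0 is the recipient's server; lower hops are sender-supplied.
        if i == 0 and claimed and not same_domain(rdns or ip, claimed):
            findings.append((i, f"sender domain {claimed} not behind {ip}"))
    return findings
```

On the quoted headers this returns three findings, all on the topmost hop; the second Received line (a private 192.168.x.x address) is ignored because the sender could have written anything there.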
Hybuir
Gear Dependent Squirrel


Joined: 06 Sep 2005
Posts: 1538
Location: Austin, TX
WR Updates: 2,622,751
Hybuir WR Profile

Posted: Sat Jan 09, 2010 3:15 pm

You are aware that this is different than your actual Warcraft account, right?
Taleel



Joined: 03 Feb 2006
Posts: 1

WR Updates: 1,398,410
Taleel WR Profile

Posted: Sat Jan 09, 2010 4:32 pm

I also get phishing mails sent to an address that I used for this site exclusively. This has nothing to do with my WoW account's safety (protected by an authenticator, anyway). This is about this site leaking out private mail addresses.
Balgair
Araiceil


Joined: 30 Sep 2005
Posts: 1519
Location: UK
WR Updates: 11,104,505
Balgair WR Profile

Posted: Sun Jan 10, 2010 12:48 pm

Can't say whether or not it's this site since I use my main email for several WoW-related sites, but in the last 2-3 days I've started getting phishing mails targeted at WoW, yep (my WoW account is on another email address so I'm safe enough btw, can easily see they're fakes). Never had them before so perhaps there's been some leak somewhere. Rollie?
_________________
EU-Draenor:
-- Sagart - Tairbh - Buinne - Balgair - Eilnich - Ruire - Dubh - Laidir - Naomh --
Alanthus
Updater Extraordinaire


Joined: 23 Aug 2005
Posts: 370

WR Updates: 1,891,532
Alanthus WR Profile

Posted: Mon Jan 11, 2010 6:19 am

There is no question the emails were leaked, and considering there are walkthroughs out there for how to hack this forum software, that's easy enough to do. Just having your email address and even the password used on this site doesn't let anyone do anything but phishing emails, though. I tried to pass them on to Blizzard when this started, but they don't have an abuse@ address so I dropped it.

edit: if you use the same email and password combination on different sites, that's of course a security risk. While it's a tad harder to get the actual passwords since they should be encrypted, it's not impossible, especially if they're short or common enough.
Hybuir
Gear Dependent Squirrel


Joined: 06 Sep 2005
Posts: 1538
Location: Austin, TX
WR Updates: 2,622,751
Hybuir WR Profile

Posted: Mon Jan 11, 2010 10:12 am

Alphanumeric wif special characers f0rzewin!w@@@!
TwiZt



Joined: 22 Aug 2005
Posts: 7
Location: United States!
WR Updates: 647,902
TwiZt WR Profile

Posted: Mon Jan 11, 2010 11:57 am

My spam folder is full of these messages atm too. I forwarded it to Blizzard; hopefully they will take these idiots down :P

Also the email to forward these things to is: hacks@blizzard.com
Alanthus
Updater Extraordinaire


Joined: 23 Aug 2005
Posts: 370

WR Updates: 1,891,532
Alanthus WR Profile

Posted: Mon Jan 11, 2010 3:23 pm

TwiZt wrote:
My spam folder is full of these messages atm too. I forwarded it to Blizzard; hopefully they will take these idiots down :P

Also the email to forward these things to is: hacks@blizzard.com

;) I do realize there is an email for this, but since I don't play any more the extent of my efforts was using the abuse@ email suggested in the RFCs. If they don't have it set up that's their problem ;)
alphaomega1



Joined: 01 Jul 2005
Posts: 1

WR Updates: 270
alphaomega1 WR Profile

Posted: Wed Jan 13, 2010 5:41 am

You receiving emails to this special account of yours doesn't automatically mean that warcraftrealms is the source of the leak. I do have special email addresses that I don't give out and I still receive phishing emails. Spammers randomly generate lots of email addresses and they will get through. Just delete them.

There are email harvesters out there, so you having your email publicly visible doesn't help. That's a lack of security on your part.
Rollie
Site Admin


Joined: 28 Nov 2004
Posts: 5374
Location: Austin, TX
WR Updates: 480,131
Rollie WR Profile

Posted: Wed Jan 13, 2010 12:31 pm

Emails were definitely stolen. I sent out a mass email about it a few weeks ago, but I don't think it managed to send out to everyone. I had intended to send a follow-up email, but I just haven't.

As Alanthus has mentioned, phpBB 2 is no longer developed and likely has holes. I made the mistake early on of tightly integrating the entire site with the phpBB database structure. I have wanted to upgrade, but it is something I have been afraid to look at.

Here is a copy of the email I sent:

----------------------------------------

I take security very seriously here at WarcraftRealms.com, but I will be the first to admit that I am no security expert. This site grew out of a hobby and has been a labor of love since WoW was in beta.

Due to the popularity and nature of the site, I am constantly under attack by hackers. One can only assume that these hackers wish to gather information pertaining to users' WoW accounts in an effort to hack, and use those WoW accounts for nefarious reasons (gold selling, character selling, etc).

While I do everything I can and know to do, a couple of months ago, the site was compromised and a breach did occur. The extent of the breach was not known at the time, but I have reason to believe that, at the least, the hacker(s) made off with the email addresses contained in my database.

The hole used was found and sealed. Hopefully there are not any others that have not been found at this time.

Those email addresses are now being targeted for various Phishing schemes, particularly for WoW account phishing scams. These scams typically attempt to get you to visit their site and enter your WoW account credentials.

Please always be very cautious when entering your information. Never click links in emails, but instead type the url of the site you wish to visit into the address bar of your browser.

As a further precaution, I urge all of you to get a Blizzard Authenticator which will with almost complete certainty protect your account from hackers.

Finally, please never use your WoW account name or password as your username or password to any online site.

Again, my sincerest apologies for any inconvenience anyone might have suffered due to this intrusion.

Always be safe,

Rollie
www.warcraftrealms.com
FuxieDK



Joined: 22 May 2008
Posts: 455
Location: Copenhagen, DK
WR Updates: 2,596,413
FuxieDK WR Profile

Posted: Wed Jan 13, 2010 12:32 pm

Rollie wrote:
Emails were definitely stolen. I sent out a mass email about it a few weeks ago, but I don't think it managed to send out to everyone. I had intended to send a follow up email, but I just haven't.
I never received anything :(
Balgair
Araiceil


Joined: 30 Sep 2005
Posts: 1519
Location: UK
WR Updates: 11,104,505
Balgair WR Profile

Posted: Wed Jan 13, 2010 1:29 pm

I remember the incident a few weeks ago, but I'm surprised in that case that nothing's happened until now - it's only been the past 3-4 days I've been getting phishing mails. Maybe mine's not connected since I use the same email on lots of sites anyway though.
_________________
EU-Draenor:
-- Sagart - Tairbh - Buinne - Balgair - Eilnich - Ruire - Dubh - Laidir - Naomh --
wcrknarf



Joined: 02 Aug 2008
Posts: 1

WR Updates: 6,046
wcrknarf WR Profile

Posted: Sat Jan 16, 2010 12:58 pm

Same here. The email address only used for warcraftrealms got two WoW phishing emails the last week.

Thanks Rollie for your post.
Eyeball-Dragonmaw



Joined: 14 Aug 2005
Posts: 415
Location: Portland, OR
WR Updates: 1,326,720
Eyeball-Dragonmaw WR Profile

Posted: Thu Feb 11, 2010 8:21 pm

Believe it or not, most hackers wait to use your data so you have your defenses down. If you had received those emails a week after the site was hacked, you would be more aware of the phishing attempts.
_________________
WASDstomp General Gaming Blog
Dealing with Annoying Customers
Aion Gaming Headquarters
b00nish



Joined: 02 Jun 2006
Posts: 1
Location: lucerne[+]
WR Updates: 275
b00nish WR Profile

Posted: Tue Mar 16, 2010 1:25 pm

Yep, same here.
I used an 'exclusive' e-mail address for warcraftrealms.com.
Now I'm getting WoW phishing mails to this address every day. Just recently I also receive Aion phishing mails, but of course I never had an Aion account ;)

Well, it's not a disaster for me since I can just disable the address - but it shows that using exclusive addresses is a good concept.

It's very commendable that Rollie is honest about the issue!
All times are GMT - 6 Hours
Powered by phpBB © 2001, 2005 phpBB Group