Does allakhazam sell our e-mail addresses? (was forum=21)

#27 Jul 29 2010 at 5:25 PM Rating: Excellent
Spankatorium Administratix
*****
1oooo posts
Oh, and I forgot to add: if you ever get an email that you are not sure about and you'd like one of us to check, Kaolian and I would be more than happy to assist you so that you are safe! We also have a computer help section on the forums as well. Smiley: grin
____________________________

#28 Jul 29 2010 at 6:23 PM Rating: Good
I also have a disposable email account for allakhazam. Got this spam yesterday. From the header the email did come from:

X-Originating-IP: [222.69.163.126]

Which is located in Asia Pacific Network Information Center.

Can you say China?

Had the same problem a couple of months ago with wowinterface.com. Used a different disposable email account for them. But, they did report that their database was hacked. After three spams, I deleted that email account and created a new one for them.


#29 Jul 31 2010 at 9:36 AM Rating: Excellent
*****
10,564 posts
Interesting. Last week I also received a couple emails about someone initiating a password reset on my battle.net account. In response I decided to change the email associated with my battle.net acct, change that password as well as the one for that email, and add an authenticator to my battle.net acct. Perhaps I overreacted :P.

I have no idea though if this actually came from someone who acquired my email through this site. It is the email associated with my account here, but I use the same account for most of my website signups. =/
____________________________
◕ ‿‿ ◕
#30 Jul 31 2010 at 10:44 AM Rating: Good
****
6,471 posts
Vataro wrote:
Interesting. Last week I also received a couple emails about someone initiating a password reset on my battle.net account. In response I decided to change the email associated with my battle.net acct, change that password as well as the one for that email, and add an authenticator to my battle.net acct. Perhaps I overreacted :P.

I have no idea though if this actually came from someone who acquired my email through this site. It is the email associated with my account here, but I use the same account for most of my website signups. =/


Perhaps Blizzard is creating fake phishing emails, in order to bolster sales of their authenticators :P
#31 Jul 31 2010 at 11:24 AM Rating: Excellent
*******
50,767 posts
It's funny, because I got an email about a Faction Change from Blizzard. The funny part is I didn't use the same email for battle.net that I do for Zam. Not only that, but I haven't played WoW since before the linking of battle.net to emails and accounts and whatnot. Then you have the fact that I gave my account away to a friend of mine, and since then they've deactivated the account. The long and short is that there really is no way I could have gotten an email about my Faction Change unless it were some sort of phish, and I hate to accuse, but Zam is the only place I use the lolgaxe email address at. I'm not saying you guys sold it, of course. I've got enough faith in you guys to realize you wouldn't be that retarded.

I still have the email in my deleted folder. I could forward it, for what it's worth.
____________________________
George Carlin wrote:
I think it’s the duty of the comedian to find out where the line is drawn and cross it deliberately.
#32 Jul 31 2010 at 2:16 PM Rating: Good
Silent But Deadly
*****
19,999 posts
lolgaxe wrote:
I've got enough faith in you guys to realize you wouldn't be that retarded.
Apparently you don't have enough faith in the phishers to think that they wouldn't be that retarded either.
____________________________
SUPER BANNED FOR FAILING TO POST 20K IN A TIMELY MANNER
#33 Aug 02 2010 at 1:47 PM Rating: Good
I got two more phishing emails to my allakhazam account today, one "Blizzard Store Order - StarCraft II: Wings of Liberty" with a fake link asking me to sign in to my blizzard account, and also "Blizzard Entertainment Cataclysm Beta" directing people to login to battle.net at worldofwarcraft-cataclysm-beta.net (which is now down).

I have no vested interest in Allakhazam, I just wanted to share this information to help others avoid this issue, and to tell Allakhazam staff of this potential breach of information. The fact 2-3 other people with allakhazam specific throwaway emails also got spammed and happened to see my post tells me at least that there seems to be a common thread.

If I were to put money down, I think you do have a breach of information somewhere. It just takes an unvalidated string input in a web form for someone to extract data they shouldn't be able to. I think it is also irresponsible to take the attitude that "it can't happen to us". Scams like this cost people time and money, and if you have been breached it'll happen again if the holes are not fixed. It seems to me you owe your users a security audit to make sure you're not leaking their data out onto the internet.

Good luck to you all.

Edited, Aug 2nd 2010 3:48pm by anklebyter
#34 Aug 02 2010 at 3:25 PM Rating: Decent
****
5,159 posts
I've been posting here for six years and I've never once received a spam email at the address my account is registered to. You have to face the possibility that it isn't a leak on Allakhazam's end.
#35 Aug 02 2010 at 3:28 PM Rating: Good
anklebyter wrote:
It just takes an unvalidated string input in a web form for someone to extract data they shouldn't be able to.
Trust me, they really covered their bases here.
#36 Aug 02 2010 at 6:11 PM Rating: Good
Ghost in the Machine
******
36,443 posts
Are you required to confirm your registration to the site via e-mail now? If not, you could always just sign up with a fake address, unless you plan on receiving many mails from the staff in your time here.

I wonder how many mails meant for me have been forwarded to omfgzunoob@hotmail.com...
____________________________
Please "talk up" if your comprehension white-shifts. I will use simple-happy language-words to help you understand.
#37 Aug 02 2010 at 10:29 PM Rating: Good
**
892 posts
Quote:
I got two more phishing emails to my allakhazam account today, one "Blizzard Store Order - StarCraft II: Wings of Liberty" with a fake link asking me to sign in to my blizzard account, and also "Blizzard Entertainment Cataclysm Beta" directing people to login to battle.net at worldofwarcraft-cataclysm-beta.net (which is now down).

Yep, I got that first one also. Not the second one but that's probably because their little operation was shut down quickly.

Quote:
I've been posting here for six years and I've never once received a spam email at the address my account is registered to. You have to face the possibility that it isn't a leak on Allakhazam's end.

I've also been posting here many years and I've never gotten any kind of spam or phishing e-mail or anything unwanted to my Allakhazam-linked e-mail. The fact of the matter is that something is happening NOW, within the last week or so. Several of us have confirmed that we're getting these e-mails because the e-mail address is linked to our Alla accounts and to no other sites. Telling people to simply spoof an e-mail or use throw-away e-mails doesn't help the thousands of users who likely use one primary e-mail address for most things; it's these people who are vulnerable to being phished, they're the ones that aren't security-savvy and assume they can just use their primary e-mail on this site, Blizzard's site, etc., because they assume all of these sites to be 100% safe.

There's obviously a leak or some sort of vulnerability. As a long time visitor of this site, I see it as a big problem and I'm trying to raise awareness to PROTECT the site and its visitors. Pointing fingers away from Alla and absolving them of any vulnerability isn't going to help, it's only going to prolong the problem. It's actually kind of sad that a lot of you are trying to dismiss it and insist that Alla is an impregnable fortress and that we're somehow at fault for getting the exact same phishing e-mails every other day on e-mail accounts we ONLY use for THIS site.

I don't play WoW. Haven't had a battle.net account in over a decade. These phishing e-mails don't affect me at all, so why should I care? Maybe it's because no one deserves to be phished by linking their e-mail address to possibly the best MMO-oriented site on the net. And, because I want to see this problem nipped in the bud and Alla's reputation as a safe site kept intact.
#38 Aug 02 2010 at 10:42 PM Rating: Good
****
5,159 posts
Gatero wrote:
There's obviously a leak or some sort of vulnerability. As a long time visitor of this site, I see it as a big problem and I'm trying to raise awareness to PROTECT the site and its visitors. Pointing fingers away from Alla and absolving them of any vulnerability isn't going to help, it's only going to prolong the problem. It's actually kind of sad that a lot of you are trying to dismiss it and insist that Alla is an impregnable fortress and that we're somehow at fault for getting the exact same phishing e-mails every other day on e-mail accounts we ONLY use for THIS site.

Completely missed the point. We're not all running around yelling "IT CAN'T POSSIBLY BE ALLAKHAZAM!!! DON'T SUGGEST THAT!!!" It's rather insulting that you think we have no logical reason for believing it isn't Allakhazam, actually. The fact of the matter is, even if this is the only site you use that email for, there are still plenty of other ways your email can be obtained. If someone did have access to the emails people used to register here, then why have so many of us not gotten anything? My email address here is a Yahoo one, which, aside from having horrible spam protection, allows you to view all of your spam messages without deleting any automatically. And, like I said, I have never received one, not in the last six years nor in the last few days. So unless you think this is a polite spam bot who only likes to target some of the emails it receives, this is not a clear-cut case of the leak being on Allakhazam's end. Besides which, their code has always proven to be secure in the past, and I'm not inclined to think their quality took a nosedive just because some people are running around screaming about a couple of spam emails.
#39 Aug 03 2010 at 1:52 PM Rating: Good
****
7,106 posts
I got a WoW Faction change phishing e-mail last week, from an e-mail that is different from the one I use for Alla. That suggests rather strongly that Alla is not the address source for that particular phishing e-mail.

Amusingly, I don't play WoW, so I wasn't terribly concerned that I had changed factions.
#40 Aug 04 2010 at 1:58 PM Rating: Excellent
Bad j00 j00
***
2,159 posts
Recently an admin account was compromised by using the password reset feature on their zam.com account after gaining access to a 3rd party email hosting service the admin was using, which was attached to their zam.com user account. After that, a successful SQL injection vulnerability was located on an old admin script, which allowed the attacker to gather a partial list of our users' email addresses.

Since then we have implemented measures to prevent this from occurring in the future. The SQL injection hole has been closed. We've also added stripping admin status when an admin does a password reset, so unauthorized password resets do not allow someone to gain access to an admin account.

We apologize for any inconvenience this may have caused anyone. We definitely did not sell your account info to anyone.

The only time a 3rd party will get your email address from us willingly is if a contest (like the current one running) has a checkbox where you expressly say we can give that specific 3rd party your email address.
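The two defects in Nizdaar's account above (an old admin script that spliced form input into SQL, and an email-driven password reset that left admin rights attached to the account) are exactly what anklebyter's "unvalidated string input in a web form" in #33 was pointing at. The following is an added example, not code from zam.com or anyone in this thread: it models both defects beside the fixes Nizdaar describes, using an in-memory SQLite database. The table layout, user names, addresses and the `LEAK_PAYLOAD` string are all constructed for the demo; nothing is known about the real site's schema or scripts.

```python
# Added example, not zam.com code: a minimal model of an injectable admin
# lookup and of a password reset that kept admin rights, next to their fixes.
# Schema, user names and addresses are constructed for the demo.
import hashlib
import secrets
import sqlite3

# Constructed sample rows: (username, email, is_admin). Not real accounts.
SAMPLE_USERS = [
    ("admin_one", "admin1@example.org", 1),
    ("admin_two", "admin2@example.org", 1),
    ("alice", "alice@example.net", 0),
    ("bob", "bob@example.net", 0),
]


def hash_password(pw, salt=None):
    """Salted PBKDF2-SHA256, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def new_db():
    """In-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "email TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0, "
        "pw_hash TEXT NOT NULL)"
    )
    for name, email, admin in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users (username, email, is_admin, pw_hash) VALUES (?, ?, ?, ?)",
            (name, email, admin, hash_password("initial-" + name)),
        )
    conn.commit()
    return conn


def admin_find_user_vulnerable(conn, username):
    """The 'old admin script' pattern: the form field is spliced straight into
    the SQL text, so a crafted username rewrites the WHERE clause."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def admin_find_user_fixed(conn, username):
    """Parameterised query: the value travels separately from the statement,
    so quotes and comment markers in the input stay plain data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_admin(conn, username):
    row = conn.execute("SELECT is_admin FROM users WHERE username = ?",
                       (username,)).fetchone()
    return bool(row and row[0])


def reset_password_old(conn, username, new_pw):
    """Reset as it was: whoever controls the mailbox gets the account,
    admin rights included."""
    conn.execute("UPDATE users SET pw_hash = ? WHERE username = ?",
                 (hash_password(new_pw), username))
    conn.commit()


def reset_password_fixed(conn, username, new_pw):
    """Reset as the thread describes the fix: an email-driven reset is only as
    trustworthy as the third-party mailbox behind it, so it also drops admin
    status. Re-granting admin has to happen through a separate, verified path."""
    conn.execute("UPDATE users SET pw_hash = ?, is_admin = 0 WHERE username = ?",
                 (hash_password(new_pw), username))
    conn.commit()


def verify_password(conn, username, pw):
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt_hex = row[0].split("$", 1)[0]
    candidate = hash_password(pw, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, row[0])


# Constructed payload: closes the quote, makes the filter always true, and
# comments out the rest of the statement.
LEAK_PAYLOAD = "nobody' OR 1=1 --"

if __name__ == "__main__":
    db = new_db()
    print("vulnerable:", admin_find_user_vulnerable(db, LEAK_PAYLOAD))  # every row
    print("fixed:     ", admin_find_user_fixed(db, LEAK_PAYLOAD))       # []
    reset_password_old(db, "admin_one", "attacker-chosen")
    print("admin after old reset:  ", is_admin(db, "admin_one"))        # True
    reset_password_fixed(db, "admin_two", "attacker-chosen")
    print("admin after fixed reset:", is_admin(db, "admin_two"))        # False
```

Run it directly to see the vulnerable lookup hand back every address for the one crafted username while the parameterised version returns nothing, and to see that only the fixed reset leaves the account without admin status. The second fix matters independently of the first: the mailbox the reset link lands in is hosted by someone else, so the site cannot treat "received the reset email" as proof that the admin, rather than whoever took over that mailbox, is asking.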
#41 Aug 04 2010 at 2:02 PM Rating: Decent
When was that? =o
#42 Aug 04 2010 at 4:58 PM Rating: Good
Silent But Deadly
*****
19,999 posts
Nizdaar wrote:
We've also added stripping admin status when an admin does a password reset so unauthorized password resets do not allow someone to gain access to an admin account.
<joke>brb, doing repeated password resets to Kao</joke>
____________________________
SUPER BANNED FOR FAILING TO POST 20K IN A TIMELY MANNER
#43 Aug 04 2010 at 5:01 PM Rating: Decent
MDenham wrote:
Nizdaar wrote:
We've also added stripping admin status when an admin does a password reset so unauthorized password resets do not allow someone to gain access to an admin account.
<joke>brb, doing repeated password resets to Kao</joke>
The obvious answer is to find the email addresses used by all of the admins, and then deadmin them all at once Smiley: laugh
#44 Aug 04 2010 at 5:18 PM Rating: Excellent
**
892 posts
Quote:
It's rather insulting that you think we have no logical reason for believing it isn't Allakhazam, actually. The fact of the matter is, even if this is the only site you use that email for, there are still plenty of other ways your email can be obtained.

Simply piecing together the reports of the many people that received phishing e-mails to Alla-registered addresses was enough to deduce that there was no way that all these people with Alla-exclusive addresses were simultaneously scraped by the same party and that it was not somehow via a compromise of Alla's database. It was the only logical theory, and was the correct one.

Quote:
Since then we have implemented measures to prevent this from occurring in the future. The SQL injection hole has been closed. We've also added stripping admin status when an admin does a password reset, so unauthorized password resets do not allow someone to gain access to an admin account.

We apologize for any inconvenience this may have caused anyone. We definitely did not sell your account info to anyone.

Fortunately the staff at Alla got to the bottom of it and stamped it out quickly. Comforting to know there's a much lower chance of it happening in the future.

Unfortunately there's still some worthless pricks out there that have a decent number of Alla users' addresses to spam-up for a long time.
#45 Aug 04 2010 at 7:52 PM Rating: Good
Ghost in the Machine
******
36,443 posts
Bring 'em on! I've got 22 gigs of inbox space and a spam filter that has caught every spam mail yet.
____________________________
Please "talk up" if your comprehension white-shifts. I will use simple-happy language-words to help you understand.
#46 Aug 04 2010 at 8:24 PM Rating: Good
Nizdaar,

Thank you for your straightforwardness. No harm done (at least to me) as it's a throwaway email.

What you describe and then what we're seeing for phishing seems like a very calculated and targeted attack. I seriously didn't think there was still a big market for gold farming or whatever that would make the effort to compromise folks worth the time. I guess after 2 years of not playing the game some things still don't change ;)

I hope you don't get compromised through this or other methods in the future. It sounds like you're taking some good steps towards protecting that.
#47 Aug 05 2010 at 3:19 PM Rating: Good
****
6,471 posts
Nizdaar wrote:
Recently an admin account was compromised by using the password reset feature on their zam.com account after gaining access to a 3rd party email hosting service the admin was using, which was attached to their zam.com user account. After that, a successful SQL injection vulnerability was located on an old admin script, which allowed the attacker to gather a partial list of our users' email addresses.

Since then we have implemented measures to prevent this from occurring in the future. The SQL injection hole has been closed. We've also added stripping admin status when an admin does a password reset, so unauthorized password resets do not allow someone to gain access to an admin account.

We apologize for any inconvenience this may have caused anyone. We definitely did not sell your account info to anyone.

The only time a 3rd party will get your email address from us willingly is if a contest (like the current one running) has a checkbox where you expressly say we can give that specific 3rd party your email address.


Thanks for getting to the bottom of it. I'm relieved to hear that the issue was uncovered and addressed, despite "certain people" being very dismissive of the potential of a problem.

Edited, Aug 5th 2010 5:20pm by Eske
#48 Aug 06 2010 at 1:35 AM Rating: Excellent
Citizen's Arrest!
******
29,527 posts
Nizdaar wrote:
a partial list of our user's email addresses
Do you have a list of whose email addresses those are, or do you just know that it wasn't a complete list?

Follow up question: If it's the former, any possibility you'd send a mass PM on site here to everyone on said list to give them a heads up? I know not everyone reads this section and a heads up might be appreciated.
#49 Aug 06 2010 at 6:02 AM Rating: Default
***
1,912 posts
Just to report.

I have received phishing email to the email account that is registered to battlenet.

I have not received phishing email to the email account that is registered to this website.

Both are very old accounts.
#50 Aug 12 2010 at 12:55 PM Rating: Decent
mearlus wrote:
Nizdaar,

Thank you for your straightforwardness. No harm done (at least to me) as it's a throwaway email.

What you describe and then what we're seeing for phishing seems like a very calculated and targeted attack. I seriously didn't think there was still a big market for gold farming or whatever that would make the effort to compromise folks worth the time. I guess after 2 years of not playing the game some things still don't change ;)

I hope you don't get compromised through this or other methods in the future. It sounds like you're taking some good steps towards protecting that.


I echo your sentiment exactly mearlus. I'm extremely glad you found the issue Nizdaar and were able to patch it, though it was unfortunate some e-mail addresses got leaked out. Being up front and open about potential issues is the best way to address them, allowing people affected to protect themselves.

I'm happy to see someone at Allakhazam that takes security and user concerns seriously.

Thanks,

anklebyter
#51 Aug 18 2010 at 4:50 PM Rating: Good
35 posts
Since the WoW phishing e-mails have started, I have deleted over 200 from my e-mail account all of which is being 'sent' from my Zam registered e-mail address. It's gotten a bit ridiculous and I don't see it ending any time in the future. Not happy.

Em