IMPORTANT! Have you received an email to your forum username?

Comments

  • I have received one too
    TOTAL DEBTS

    NONE!!!!!
  • I'm pre 2010 as well, although it confused me as I recently re-registered for the newsletter only two days ago (but on a different email address to the forum one).

    According to the Control Panel, this is the first time I've actually logged in in ages!

    Welcome, SpartaBantam. You last visited: 22-09-2006


    Hope that helps.
  • david72
    david72 Posts: 112 Forumite
    Part of the Furniture 10 Posts Name Dropper
    edited 18 November 2010 at 12:55AM
    My commiserations to Martin, his IT team and the designated Data Controller, who I am sure are all having a sadly unpleasant evening (it is very encouraging to see official responses even at this time of night, however - chins up!).

    It seems most likely that Personal Data has been compromised as a result of an organised external cracking attempt. I'm sure Martin's staff are all trustworthy and decent people, but nonetheless part of the investigation needs to attempt to verify that it was not an inside job (sadly, such things do happen, even to nice people/organisations, and as the CSIs would tell you, you can't rule anything out until the evidence points otherwise..).

    Sadly, it is most likely that there is probably now some black-hat somewhere in the world enjoying a financial pay-off from whatever spam/malware criminal cartel they are acting for. With millions on the MSE email list, I would imagine that forum users must be in the tens, if not hundreds, of thousands, sadly making the site a very juicy target for ne'er-do-wells..

    Certainly I would now be hoping that the MSE IT team is simultaneously also checking that the access controls and security defences over the main weekly email data are up-to-date, appropriate and secure! It may be unlikely that the black-hat would strike the same target twice after their actions have been detected, but on the other hand, with a preliminary major distraction underway, that may be just the opportunity they would take?

    I am pleased that MSE is now taking this incident seriously, but this needs to be a wake-up call about the importance of IT and data security: if only one good thing can come out of this it needs to be that this incident has shown just how absolutely important this aspect of business is.

    As a high-profile site with many members, this has hopefully alerted any members who may previously have taken a lax attitude to their own computer security, to take action to learn what they can do to try to protect themselves (and other members have kindly pointed to the IT areas of the forum where I am sure advice will be generously offered).

    And furthermore, given that I imagine that the forum's user base must extend across all sections of society, including I am sure many business managers, elected representatives and so on, hopefully this will also serve as a wake-up for those in appropriate positions in their own organisations to be certain to take action first thing tomorrow morning to verify that their organisation's own IT and data security practices are appropriate and fit-for-purpose.

    I emphasise again that I am pleased that MSE is now taking this seriously, but I am extremely concerned to read in this forum thread that there was a previous cracking attempt/data breach, yet users were not individually notified of this at the time by email (to enable us to take remedial action ourselves). I'm afraid that I have to say that taking no action to alert users at that time is surely very remiss, and I am very disappointed. If the same had happened to any other organisation (eg, a bank, major store chain, etc), we would all have been rightly complaining, and MSE would also have been joining in the clamour on behalf of the public.

    If it turns out that MSE has been caught by a 'zero day' or other 'fresh' website security exploit, then you certainly do have my sympathies, but nonetheless, as I am sure you are aware, there are Data Protection obligations to have suitable protections for Personal Data, and to ensure that IT facilities are suitably secured and that software is up-to-date with security updates. I emphasise again that if you have been caught by a very recent exploit then you do have my sympathy, but, as I'm sure you do know, it is vital that system alert lists are tracked and that security fixes are installed timeously, and if MSE has not previously dedicated sufficient IT resources and time to ensure that this happens, then it must do so from now on. If you have been very lax in applying security updates, then I'm afraid that would be a considerable worry. It is a real shame that it is a wonderful resource run by decent people that has been attacked, but I do hope that this incident shows the importance of taking IT seriously.

    To all at MSE, get a good night's rest, and please re-double your efforts tomorrow to track down the source of the breach, and to assist the authorities in tracing the culprits if at all possible.

    And, as I said, if anything good can come of this, I do hope that this unfortunate incident serves as a timely warning to all businesses and organisations to take action to verify that their own IT infrastructure is secure and up-to-date, lest they be next!


    Footnote: I've just re-read my message, and I just want to add that I didn't mean to come over as overly lecturing in my post (although I probably did!), more just a gentle-ish reminder that because of the trust that so many people put in MSE, it really is important to take IT issues seriously (but I'm sure you do all know that). And that definitely applies to all organisations with far larger budgets than Martin's!
  • MSE_Martin wrote: »
    We will further continue looking at this in the morning. My tech team and our server company's security team have been looking at this and the access logs and no indication of a recent breach has been found yet (as far as I'm aware it is 10.30pm and I can't get hold of them all).

    Thanks ML and all at MSE - we appreciate the hours you're putting in on this :). These things happen and it's obviously being taken very seriously.
  • smk77
    smk77 Posts: 3,697 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    edda wrote: »
    2. As MSE is a trusted site to many and it appears that usernames unique to MSE are being used in a spam email, can you send out an additional urgent email to all subscribers warning them of the current issue? This could save some people a lot of trouble.

    Or confuse them further?
    PhylPho wrote: »
    There's not one intelligent poster on here who to my knowledge has posted that this is about spam. Posts have been about a security breach -- the exact nature of which has yet to be identified -- contrived by person or persons unknown for the purposes of getting recipients of a phony email to click on a dangerous link.

    It's about spam! ;) Seriously though, 99% of us (CitySlicker seems to be an exception!!) get spam. In fact, 78% of all e-mails sent over the net are spam (source). Why is it that we get spam? By supplying our email addresses to 3rd parties, on websites, forums, chat rooms, newsgroups etc. So, why the uproar with MSE (who have probably been a victim from people) when the vast majority of us don't do enough to protect our own personal details?
    PhylPho wrote: »
    What's so damned depressing about this thread isn't the mad melodramatics of a demented few but the larger number of posters who have taken the "we're not techies" line as an argument for criticising MSE.

    Agreed. This email only becomes a problem for those who are stupid enough to click on a link in an email! That type of person should just give me their bank details instead of logging in to their bank using the link on the "Several Failed Attempts to Access to Your Account" email they were sent. Seriously, put the computer back in the box.
    PhylPho wrote: »
    As for lecturings about data protection legislation, and the penalties for breaching same, no webmaster needs a lesson in that from posters who give every appearance of not having the slightest clue what they're on about.

    Shame they didn't read the Privacy Policy prior to joining the site:
    5. Security Policy

    We use reasonable precautions to keep the information disclosed to us secure. However, we cannot guarantee the security of the information that you disclose to us. You accept the inherent risks of providing information and dealing on-line and will not hold us responsible for any breach of security unless this is due to our negligence or willful default.
    PhylPho wrote: »
    As ever, the most sensible posts from folks here have been from those who decline to rush to judgment and prefer instead to let MSE get on with sorting out the how-what-when-who-where of the current situation.

    Exactly, they probably know what they're doing. If not, I'm sure there are enough qualified experts here who can help out rather than the melodramatic people!
  • thelawnet
    thelawnet Posts: 2,584 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    Jesthar wrote: »
    Unfortunately there isn't a Cluebat big enough to 'educate' all computer users into using strong passwords, let alone a different one for every site/application! ;)

    However, given a database dump of the userbase for a site like this, why bother with the effort of going after the passwords? You're not really going to get any useful information from this site, as most things barring PMs and e-mail addresses are public, and it'd be a HUGE job to trawl all the accounts. Far easier to just grab the screen names and e-mail addresses and go 'phishing' in a semi plausible fashion.

    Phishing?

    I expect this database is being sold to every petty computer criminal in the world.

    They'll each do something with it.

    Looking at the forum there is:

    all or fewer of:

    Date of birth
    Home page
    ICQ
    AIM
    MSN
    Yahoo Messenger
    Skype

    And always:
    Email
    Password

    This site has 772,000 members, so the stolen database is worth millions to criminals.

    What I would expect:

    dictionary attacks on the passwords - should give a couple of hundred thousand sets of the following:

    * email
    * password
    * username

    with minimal effort - the stolen database is not protected, there is no throttling, logging, nothing, you could bring the full force of say a network of hundreds of compromised PCs, or simply a multi-core server, and easily crack vast numbers of passwords

    Then I'd expect them to use a botnet to login automatically to PayPal (very vulnerable, low-security, high-value system) using the emails and cracked passwords. The users that have used the same accounts will then obviously have their funds stolen.

    Other sites likely to be attacked would be places like Amazon (again, not well secured).

    The database is a goldmine and contains far more users than one person can deal with, so what I'd then expect is for the cracked users to be sold in tranches to other crooks.

    Crooks dealing with smaller subsections of the list have the time to go a bit deeper.

    Example - login to your email account, look for online banking details, credit card numbers, etc.

    Obviously if your password on here was, at the time of theft (which MSE seems to know about, but failed to disclose), used on no other sites, you don't have anything to worry about, but if you did, then best get changing all your passwords....
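As an added, defender-side illustration of the point made above (that an unprotected stolen password table faces no throttling or logging, so guesses are cheap), this example contrasts an unsalted single-hash store with a salted PBKDF2 store. It is example code written for this page, not MSE's or the forum software's own; the iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Assumed work factor for this example; real deployments tune it to their hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed sample of what several users might have chosen; not real data.
SAMPLE_PASSWORDS = ["password1", "password1", "letmein", "password1"]


def weak_store(password: str) -> str:
    """Unsalted single SHA-1: an offline run can test millions of guesses a
    second against it, and every user sharing a password shares one stored value."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 with a high iteration count:
    each guess costs PBKDF2_ITERATIONS HMAC calls and must be repeated per user,
    so precomputed tables and cross-user shortcuts no longer apply."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def guess_cost_ratio() -> int:
    """Hash work per guess under strong_store relative to weak_store
    (PBKDF2_ITERATIONS HMAC calls versus one SHA-1 call)."""
    return PBKDF2_ITERATIONS


def distinct_stored_values(passwords: list, store: Callable) -> int:
    """With the weak scheme identical passwords collapse into one value, so
    cracking one hash unmasks every user who chose it; salting keeps them apart."""
    return len({store(p) for p in passwords})


if __name__ == "__main__":
    print("weak scheme distinct values:", distinct_stored_values(SAMPLE_PASSWORDS, weak_store))
    print("salted scheme distinct values:", distinct_stored_values(SAMPLE_PASSWORDS, strong_store))
    print("extra work per guess:", guess_cost_ratio())
```

Under the weak scheme the three users who picked "password1" share one stored value, so one cracked hash exposes all of them; under the salted scheme each row must be attacked separately and every guess is 200,000 times more expensive.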
  • I use a unique e-mail address, like I do for any website I sign up to, and this spam/scam message targeted the unique e-mail address I use for the MSE forums (different from the one I use for the MSE newsletter).

    I do this because far too often, companies ignore or 'forget' your marketing preferences. I'm so meticulous when it comes to checking whether I have to tick the box or untick the box consenting to marketing e-mails. If they thereafter send me unsolicited marketing e-mails, they go on 'the list'.

    Sad to see that MSE has fallen foul of a breach, but I understand this breach happened a while ago and that steps have been taken to make sure it won't happen again.

    I will be creating a new unique e-mail address for my forum membership however ;)
  • chicken_or_egg
    chicken_or_egg Posts: 10 Forumite
    edited 18 November 2010 at 1:30AM
    meher wrote: »
    Thanks CitySlicker, I'm confused if it's the case. How could people create usernames today and login to post saying that they received one?

    Well, there could be a range of possibilities, but just 3 of them might be

    - maybe it relates to a username which for whatever reason, maybe personal, they don't want to be seen posting on here any more

    - it could be to a username which was banned

    - maybe they haven't logged in for so long that they can't remember the password, and they can't get a reminder email for the password because the email address was volatile, like hotmail - if you don't use it for months it gets cancelled

    Yes, that seems an illogical suggestion if they just received an email relating to an address used here, but maybe they changed the registered email address once or more

    If anyone is in that category, having changed their email, they may be able to offer a bit of help to MSE in pinning down when the leak occurred - if that's not yet known behind the scenes
  • 23n1th
    23n1th Posts: 1,523 Forumite
    david72 wrote: »
    I emphasise again that I am pleased that MSE is now taking this seriously, but I am extremely concerned to read in this forum thread that there was a previous cracking attempt/data breach, yet users were not individually notified of this at the time by email (to enable us to take remedial action ourselves). I'm afraid that I have to say that taking no action to alert users at that time is surely very remiss, and I am very disappointed. If the same had happened to any other organisation (eg, a bank, major store chain, etc), we would all have been rightly complaining, and MSE would also have been joining in the clamour on behalf of the public.

    Couldn't agree more!
  • Justcoll
    Justcoll Posts: 239 Forumite
    Part of the Furniture Combo Breaker PPI Party Pooper I've been Money Tipped!
    edited 18 November 2010 at 12:59AM
    I joined MSE back in 2005 after hearing about the site by chance on the Johnnie Walker show. I've spent the last hour reading through this thread and have been really saddened by some of the comments I have read, particularly those that suggest Martin could have sold our details!!! To those who have suggested this I would like to ask you:

    How many sites do you know of that give you so much for nothing? You don't even have to put up with annoying ads!

    Martin Lewis started this site on a shoestring because he wanted to help people by sharing his knowledge and giving them more control over their financial affairs. I've watched it grow over the years from a pretty basic site to what it has become today.

    The forums provide a place where people can share their collective wisdom on everything from the best way to grow herbs to dealing with the problems of debt or redundancy. It has been a remarkable achievement and has benefited hundreds of thousands of people, myself included.

    I have no idea how this problem started but I am sure that there are a lot of people beavering away to sort it out. If there is one website I trust it is this one - and I am absolutely positive that the person who is most upset by all this is Martin himself.
    My message to that greedy wunch of bankers:
    Debts another fine mess you got us into!

    If you see someone who hasn't got a smile, give them one of yours.