IMPORTANT! Have you received an email to your forum username?

Comments

  • Mupette
    Mupette Posts: 4,599 Forumite
    I have just checked but not got anything and to be honest, people really should be more savvy now.

    Having lots of experience with fake World of Warcraft emails for a few years........
    GNU
    Terry Pratchett
    ((((Ripples))))
  • innovate
    innovate Posts: 16,217 Forumite
    10,000 Posts Combo Breaker
    At a guess, you are confusing a Private Message (PM) with an email. PMs are specific to the site, you don't (by default) get an email message.
    fermi wrote: »
    It would have been a PM sent out en masse, not an email. Hence the forum pop-up notification.

    Depends on your personal settings whether you got an email as well as a PM. People who use their email more often than MSE may well have set their profile so they get notified when they receive a PM. In this case, they got the full text of the PM, incl loads of links (which are all harmless but why send links when some people are already nervous), and some slightly misleading info ("we don't hold any personal data on individuals"). Ah well, everyone is human.
  • I am pretty angry at the nature of how some people have attacked this website and Martin himself throughout this thread. Some people have been frustrated (including myself) that there has been a data breach and they have rightly expressed their concerns. The language a small minority of others are using is bordering on bullying site staff though and to be candid with this, bullying just is not on.

    Martin has made it clear this was not intentional (despite being accused of profiteering from this at one point here). He has made it clear the site IT staff have kept up to date with security. Yet the nit-picking continued when Martin told us he learned today the site faces an attack every minute on average and someone criticised that. To me, Martin was expressing how he was surprised how frequently the attacks happen rather than being unaware of attacks, and trying to demonstrate how hard his IT team works. That explanation apparently is not enough for some.

    My view of the situation:
    1 - I am annoyed my email address has found its way into the hands of spammers as I have never received spam up to now since I have been meticulously careful who gets my email address.
    2 - I voiced my concerns, they are being dealt with.
    3 - Although an issue has been identified, IT staff are on it and working hard to resolve this.
    4 - This attack was not allowed to happen on purpose by anyone at MSE.
    5 - There are hundreds (if not thousands) of organisations who must loathe MSE as Martin and the team are clawing back money for us. This year alone I have saved personally several hundreds of pounds on insurance, I have made money on good savings, I have also helped friends and saved someone not far off a grand last night with just a few hours work. I am not saying there is a UK organisation who would sponsor an attack to try and discredit MSE, but let's be honest there will be plenty of UK organisations who wouldn't be totally unhappy about learning of any sort of drop in confidence with this site.
    6 - Martin could drop this forum tomorrow if he wanted, and the way some people have been down his neck I wouldn't blame him if he did. Would we all receive the same support we give each other on another competitor's forum? Is there such a forum even in existence?

    What I am saying is can some of the people who are just as upset as me about this attack please take out the venom. It is not going to get anyone anywhere, and I think everyone including me needs to show our appreciation for the work Martin and all MSE staff are putting into righting this and for their continued work on this forum generally.

    Thank you Martin and the MSE team.
  • PhylPho
    PhylPho Posts: 1,443 Forumite
    Part of the Furniture 1,000 Posts
    PaulBear wrote: »
    PhylPho I understood everything that you said but then again I am a bit of a geek.
    Unfortunately your good intentions probably bamboozled loads of users who just are not and cannot be bothered to be tech savvy and why should they.

    There's no compulsion on anyone to understand the Highway Code or simple stuff about how to cross a road. But then, there's no excuse for them to complain about the dangers of road hazards and lament their misfortune from their hospital bed afterwards.

    Scammers only thrive because victims make it easy for 'em to do so.

    To defeat cyber crime, there's a moral if not legal responsibility on every computer user to understand the basics of self protection and to implement same.

    I know people don't need to have an engineering degree to drive a car but they should at least be alert enough to know whether to put diesel or petrol in the tank.
    Cripes!!! Who rattled your cage PhylPho?

    Sensationalist posts like yours. (I see you're still at it, by the way.) ;)
  • Gamegal
    Gamegal Posts: 102 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    I joined in this name in October 2008 & I haven't received a (hacker) email to the Gmail address I am using for this username. I did receive a warning to this address today though.

    HOWEVER, I DID receive the (hacker) email to the Virgin address I used for my previous username. I joined MSE January 2007 with that name, I stopped when I started using 'Gamegal'. The (hacker) email went into my spam, which I check before deleting. I thought it wasn't spam so I opened it. Looked boring :) so I immediately deleted it without clicking any links. :T

    I haven't received a MSE warning email though to the virgin a/c where the (hacker) email was sent. :think:
  • newleaf
    newleaf Posts: 3,132 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker PPI Party Pooper
    I haven't received one yet, and I only download headers initially, then delete anything that I don't recognise.
    Official DFW Nerd No 096 - Proud to have dealt with my debt!
  • mary-op
    mary-op Posts: 3,605 Forumite
    Thanks for the information/warning.
    So far no e mails received of that nature
    I would be unstoppable if only I could get started !

    (previously known as mary43)
  • Diamond78
    Diamond78 Posts: 1,443 Forumite
    Part of the Furniture Combo Breaker
    Hi, I got an email too but it was in my junk mail. I did not open it and deleted it straight away. However can someone advise me if it's best to change the password I have for here or is it safe. I use the same password for a few other forums too, so not sure what to do. Thanks in advance.
  • Rossy.
    Rossy. Posts: 2,484 Forumite
    Diamond78 wrote: »
    Hi, I got an email too but it was in my junk mail. I did not open it and deleted it straight away. However can someone advise me if it's best to change the password I have for here or is it safe. I use the same password for a few other forums too, so not sure what to do. Thanks in advance.

    Change it if you feel you need to.

    IMO it's safe though. Although I use different passwords for different sites as a matter of precaution anyway.
    If Adam and Eve were created first
    .Does that mean we are all inbred
  • PhylPho wrote: »
    (1) Purpose of the email hit was to trick recipients into installing malware on their computer. The exercise went insanely wrong because the con depended on persuading recipients that the email was from moneysavingexpert.com. Instead, the morons bombarded their MSE targets with text about moneyexpert.com and an invitation to use a new “tool” from moneyexpert.com.

    Yep, they bungled it. But now they know better - and they still have the database. It's the work of a few minutes to send out a further email which purports to be from Moneysavingexpert.com and says something along the lines of "Hi, this is Martin, you might have had a scam email recently, make sure you don't open it. We take this seriously so we've got you a deal for some free anti-virus software, just download it from this address..." and how many people would fall for that? Even if only a few percent of the hundreds of thousands of people on the forum, it's enough to be worthwhile for any passing miscreant. Stuff like this DOES happen, just as people who get their houses robbed in real life are sometimes repeat-burgled once the flaws in their security or the desirability of their contents (which you can guess will have been replaced with new, ready to steal again) becomes apparent.

    No-one is trying to be alarmist but you have to be realistic about the kind of things that a breach like this makes possible. The above could happen right now, with the data that we already know is compromised.

    Yes, they bungled it - it could have been much worse. But it could still get worse. Going around and saying "it's spam, just delete it" ignores the real issue. And constantly referring to this email as a "spam" email is itself wilfully playing down the true situation. It wasn't a SPAM email, it was a VIRUS email which, if clicked, could compromise your computer and lead to all manner of problems both for your computer and potentially your bank accounts and real-world finances in the future. There is a danger here and it's wrong to play that down because "Martin does a good job, so he does".

    I don't envy the position that Martin and the MSE team are in one bit, I'm sure they're passionate and committed. But equally at the same time I'm pretty sore that despite the compromise of the forum member list back in July 2009 (I knew about this immediately because I received scam mail from Russian dating sites) there was no significant announcement. I looked around the forums at the time, and even posted a few messages, but saw no announcements. And indeed quite the reverse, all I saw was posts from helpful but wrong people assuring me that there was obviously no breach and that "spammers just try every possible email address until they get one that works". Anything but admit a problem.

    Even the announcements which it seems were posted in well-hidden corners of the forum back in July 2009 (and again later in 2009 when it was suggested that a second breach occurred) all said that the MSE people couldn't find any evidence of a problem. And that's what they've said today as well. They've obviously been hacked, but they don't know how. That's got to be worrying. If you're operating a forum which has been compromised and you just don't know how it happened, then how can you stop it happening again?

    Well and good to say "Well we know there's a new version of vBulletin but it's so much work to upgrade"... Well, yes, but again, staying up-to-date with the latest security patches and releases of software is vital for any serious web-facing system. It's just essential. You should never get yourself into a position (whether through popularity or size or the number of tricked-out features you've added to something) where you can't update your software immediately there is a new security release available. Especially when you're being compromised in ways you don't know or understand.

    No-one is trying to be alarmist, but you don't increase your safety by sticking your head in the sand and thinking that it's going to be alright or that the bad guys are stupid or won't do something that's "a bit difficult". If there's a reward, they'll do the difficult thing. They've already hacked one of the UK's largest web forums, that shows you straight away that there's something in it for someone. This is not a game. You work out the potential problems and take the correct actions to guard against them.

    Despite there being "no evidence" that passwords have been taken, and that it would be "very difficult" for hackers to use the salted hashes if they had accessed them, it is worth taking the time to be sure that you don't use your forum password elsewhere. If it has been, as a matter of good and sensible security, you should consider it to be compromised, and you should change it on any other places where you use it - and especially your online banking.

    No alarm, no sensationalism. Just a good and sensible precaution to take, right now. Keep your passwords good and unique. Words to live by. You might think that 'ncc1701' is a password that nobody else would use, you'd be wrong, it's the 139th most popular password on the planet. There IS nothing to worry about, but only if you take the time to know the facts, and take precautions.
This discussion has been closed.