IMPORTANT! Have you received an email to your forum username?

StumpyPumpy

@HateLPG
Points 1 -3

Whilst it is of the greatest concern to the individual user, the details of the emails sent are not of real importance because tomorrow you may see a completely new email being sent out, also there were different hosts for the payload location which may mean different payloads. Anything said in answer to these 3 points may be wrong to a large percentage of the recipients and actually put a user more at risk.

Points 4-10

are in all likelihood beyond the technical ability of the MSE team to answer, and having worked in this area of the industry you will never get a reasonable answer to Point 7 that isn't destructive, probably involving landfill.

Points 10-12

This is what is currently being worked on, but you might have to expect never to know any details. Public reports on these incidents are, through necessity, rarely any more than "There was a problem, we fixed it." Further details only emerge through leaks or via the perpetrator.
Also, keep in mind that MSE have a duty of confidentiality to all the other vBulletin users out there. It would be highly irresponsible to announce a new breach if there is not a patch available, they should hand this information off to vBulletin to deal with.
If it is found to be theft, they need to hand the case over to the proper authorities and again keep quiet.

Point 13

Most likely unanswerable apart from to say all data may have been compromised - Which is why MSE have a policy of only requiring the minimum data to be entered.

Point 14 (point 12 v2 - you mis-numbered)

Easy one: All steps are being taken...
That does not mean it will never happen again, no sane person would ever guarantee that.

Point 15 (point 13 v2)

This is subjective, I think the response was pretty good for a non-dedicated team. And I say that as someone who has been involved with incidents that have garnered international news reports.
It is difficult to judge the scale of any attack at the beginning and information is sparse. Do you send out a PM when 10 people are affected? 100? 1000? And messages of this sort often only serve to muddy the waters: you only have to read the number of entries on this thread asking whether the PM is also a threat to understand that.

Of course this thread is messy, you and I are adding to that mess, I acknowledge that but there are alternatives that have been put in place. To avoid the mess, the best approach currently is to read the news article and the PM that was sent and to assume that while you are receiving no new news the reason is that there is no new news to give.

SP

Ed_Jogg

nilrem wrote: »

Did you check in the (hidden) Spam folder? I changed my email addy to googlemail some time ago and the rogue email was 'hiding' in the googlemail spam folder.

Just in case the MSE team are following this sub-thread...
Yes, I did check in the Spam folder before posting -- empty. And there's nothing relevant in the bin either.
Hence I have still not received any such emails to this address (used since May 2009).


So far I don't remember suffering any spam in my gmail account. How much of this is down to whatever inbuilt filtering there is, and how much to my segregation of email accounts, I cannot tell. But I get junk mail in other accounts, including my work account that is only used for work purposes! Wastes so much time...

MSE_Martin

First of all thank you to those who are being supportive.

I've spent the last hour again in another meeting with my senior team and technical staff who are working flat out on this.

Yet it is not a linear event, as noted we haven't yet found any hole or any breach. In Nov 2009 we found traces quite easily, there is no evidence of anything since then.

Sadly we've been swamped with an enormous number of emails and PMs and are still trying to work through those verify anyone who joined post 2010 who got this email - that is the no. 1 priority of the admin team (separate to the techie team who are re-examening our security) - and before suggesting that we pm people on this thread who say they've received one later - we've already been doing that, and are still waiting for verified replies.

As to the questions about the trojan - again that isn't our expertise it is something the police are looking at - and until we have information to give from them, we can't say anything about it as we don't know the answers.

THis is not an easy thing to work on - we are working hard on this - but we can't give answers where we don't have them.

This is not an uncommon thing to happen, as everyone will know with the huge amount of spam and malware people are sent (i get 50 or 60 a day).

I'm not belittling this event, we take it seriously and I have committed huge resources of my team to looking at it - yet in the scheme of thinks this is one of the problems of the internet that people do face daily - we have for years warned of the risks and the need for anti-virus, and careful use of the web over dodgy emails and that is the first defence.

Frankly its been a horrible few days for us on this, because we take our responsibilities seriously, yet even if we closed this forum tomorrow and deleted every email address people would still be sent malware the next day from others sources - it is one of the risk reward balances users of the internet must understand.

There are criminals out there, sometimes they rob banks, break into homes, mug people, and sometimes they break into websites and send malware.

We are also taking this opportunity to think of any other areas of the forum where people may do things we’re unaware of that present a security risk. For example PMing each other credit card details over a non-secure communication – and we are going to try and think of these and put warnings where appropriate.

Primrose

Also just had an email and I signed up before 2010.

I feel for you and the technical team. There are so many users on here now. It must be a real headache for you trying to get to the bottom of it.

Tigsteroonie

Still nothing received in the email account (gmail) for Franklymydear c.2009, not even in the spam folder. Still time, I guess

eta. Thanks for the update, Martin.

poppie123

I still haven't received the email although i could still yet i suppose.

I do though on a daily basis receive a barrage of the spam ones from banks which drives me nuts. Mostly they go straight to my spam folder but some still get through and i have accidently opened a couple (then immediately deleted)
Strangely it never used to be from my own banks but just lately i have been getting a least 2 a day from one in particular.
I run malewarebytes each morning and then again just before i shut the computer down, plus i run a full AVG the same time each day. I think that is enough, oh and about once a week i run ad-aware too.

All i seem to do all day is hit the delete button :rotfl:

jean48

I had it also

Premier_2

MSE_Martin wrote: »

...
Sadly we've been swamped with an enormous number of emails and PMs and are still trying to work through those verify anyone who joined post 2010 who got this email - that is the no. 1 priority of the admin team (separate to the techie team who are re-examening our security) - and before suggesting that we pm people on this thread who say they've received one later - we've already been doing that, and are still waiting for verified replies. ...

Is there a possibility of someone not seeing the wood for the trees here?

I accept it is somewhat sad that over 50 users have voted in this thread to suggest they have registered in the last 11 months and have received the email, but haven't been able to give a verifiable response yet as indeed such evidential data would perhaps focus the resources much better.

However, let us not forget the key issue today is that the email addresses being spammed are now addressed to the MSE user name. This is only a recent development, I believe.

The email address you have for me (which is unique to MSE and bears no resemblence to my user name) is regularly spammed nowadays presumably because of past security breaches and the subsequent sale/transfer of lists of email addresses by spammers.
But no spam emails previously have ever tied the email address to the user name.

(I would say I haven't received one of these recent spam emails, but that doesn't mean it wasn't sent. The email address you have for me doesn't even accept what is clearly judged as spam, and the remainder falls into a spam folder which only has a short lifespan before that is automatically emptied, so unless I'm expecting an email from you, there is a lot that gets filtered/deleted. However I have been spammed at least daily over the past 3 days ... but no indication as to my user name was included.)

Now I suppose it could be that the data leaked 12-18 months ago (or older) did actually contain the link between user name and their email address and surprisingly no one until now has used that information.

But with spammers keen to obtain latest live email addresses (and I know our own website often gets attacks searching for these, typically daily), does the circumstantial evidence not suggest this is a recent harvest?

Remember, this post from July 2009 denies being able to identify any security breach ... yet the circumstantial evidence at the time was damning and so had to be the source.

nhoneymonster

I've had one of those but wasn't sure about it so deleted it.

KittyPryde

I had one in my hotmail too. Joined before 2010. I did think it was real but deleted it anyway cuz didn't know what it was going on about (the tool thing lol).