Site safety issue? email leaked

Found a bug with the site? Let me know!
Bero
Posts: 1
Joined: Fri Dec 08, 2006 5:30 am

Post by Bero »

Since I started with the internet many, many years ago, I have used different emails for different sites. So I'm able to say what site gives away my email without my permission.

For some weeks I have been getting phishing mails to this special email I've created for this site.

Code:

Return-Path: <wowaccountadmin>
Received: from blizzard.com (92-48-127-66.static.as29550.net [92.48.127.66] (may be forged))
	by ***.dnsalias.com (8.13.8/8.13.8/Debian-3) with SMTP id o07Javps020359
	for <berowarcraftrealmscom>; Thu, 7 Jan 2010 20:37:04 +0100
Date: Thu, 7 Jan 2010 20:36:57 +0100
Message-Id: <201001071937>
Received: from PC-200911071413 ([192.168.1.155])
	(envelope-sender <wowaccountadmin>)
	by 192.168.1.111 with ESMTP
	for <berowarcraftrealmscom>; Fri, 08 Jan 2010 03:37:36 +0800
From: "wowaccountadmin"<wowaccountadmin>
To: berowarcraftrealmscom@***.dnsalias.com;
CC: 
Reply-To: [email protected]
Subject: World Of Warcraft-Account Instructions
MIME-Version: 1.0
Content-Type: multipart/alternative;
	 boundary="----_=_wodSmtp.356a.2D7C023.ec.670"
Content-Transfer-Encoding: UTF-8

It's not that I'm afraid my WoW-account could be hacked, but I'm afraid this site doesn't care much about the site members' personal data.

Of course I've disabled the visibility of my email in my profile and I didn't use this email for any other purposes than registering this account.

As a hint for the other WoW players around: At least don't use your WoW-email for any fansites and don't use your "usual" email for your WoW-account. So you will be able to see at once if someone tries to phish your account data.
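
Added example, not part of the original post: a check of the first-hop `Received` header like the one quoted above, flagging a claimed `blizzard.com` HELO that the connecting host's reverse DNS does not back up. The sample message is constructed from the quoted headers, and the `example.invalid` names and the function names are assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post above; the
# example.invalid names are placeholders for the addresses elided on the page.
SAMPLE = """\
Return-Path: <wowaccountadmin@example.invalid>
Received: from blizzard.com (92-48-127-66.static.as29550.net [92.48.127.66] (may be forged))
\tby mx.example.invalid (8.13.8/8.13.8/Debian-3) with SMTP id o07Javps020359
\tfor <alias@example.invalid>; Thu, 7 Jan 2010 20:37:04 +0100
Received: from PC-200911071413 ([192.168.1.155])
\tby 192.168.1.111 with ESMTP; Fri, 08 Jan 2010 03:37:36 +0800
From: "wowaccountadmin" <wowaccountadmin@example.invalid>
Subject: World Of Warcraft-Account Instructions

(body omitted)
"""

# "from HELO (rdns [ip] ...)" or "from HELO ([ip])" as written by sendmail-style MTAs.
HOP_RE = re.compile(r"^from\s+(\S+)\s+\((?:([^\s\[\]]+)\s+)?\[([0-9A-Fa-f.:]+)\]")

def first_hop(raw):
    """Parse the topmost Received header, the only one stamped by our own MTA.
    Lower Received lines arrive with the message and are sender-controlled."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    m = HOP_RE.match(top)
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return {"helo": helo.lower(), "rdns": (rdns or "").lower(), "ip": ip,
            "mta_note": "may be forged" in top}

def findings(hop):
    """Flag a hop whose claimed HELO name is not backed by the connecting host."""
    out = []
    helo, rdns = hop["helo"], hop["rdns"]
    if not rdns:
        out.append("no_reverse_dns")
    elif rdns != helo and not rdns.endswith("." + helo):
        out.append("helo_rdns_mismatch")
    if hop["mta_note"]:
        out.append("mta_may_be_forged")
    return out

if __name__ == "__main__":
    hop = first_hop(SAMPLE)
    print(hop, findings(hop))
```
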

Hybuir
Gear Dependent Squirrel
Posts: 1471
Joined: Tue Sep 06, 2005 6:22 am
Location: Austin, TX

Post by Hybuir »

You are aware that this is different from your actual Warcraft account, right?

Taleel
Census Taker
Posts: 1
Joined: Fri Feb 03, 2006 9:58 am

Post by Taleel »

I also get phishing mails sent to an address that I used for this site exclusively. This has nothing to do with my WoW account's safety (protected by an authenticator, anyway). This is about this site leaking out private mail addresses.

Balgair
Araiceil
Posts: 1716
Joined: Fri Sep 30, 2005 11:47 am
Location: UK

Post by Balgair »

Can't say whether or not it's this site since I use my main email for several wow-related sites, but in the last 2-3 days I've started getting phishing mails targeted at WoW, yep (my WoW account is on another email address so I'm safe enough btw, can easily see they're fakes). Never had them before so perhaps there's been some leak somewhere. Rollie?

Alanthus
Updater Extraordinaire
Posts: 334
Joined: Tue Aug 23, 2005 11:38 am

Post by Alanthus »

There is no question the emails were leaked, and considering there are walkthroughs out there for how to hack this forum software, that's easy enough to do. Just having your email address and even the password used on this site doesn't let anyone do anything but phishing emails, though. I tried to pass them on to Blizzard when this started, but they don't have an abuse@ address so I dropped it.

edit: If you use the same email and password combination on different sites, that's of course a security risk. While it's a tad harder to get the actual passwords, since they should be encrypted, it's not impossible, especially if they're short or common enough.

Hybuir
Gear Dependent Squirrel
Posts: 1471
Joined: Tue Sep 06, 2005 6:22 am
Location: Austin, TX

Post by Hybuir »

Alphanumeric wif special characers f0rzewin!w@@@!

TwiZt
Posts: 7
Joined: Mon Aug 22, 2005 7:20 pm
Location: United States!

Post by TwiZt »

My spam folder is full of these messages atm too. I forwarded it to blizzard hopefully they will take these idiots down :P

Also the email to forward these things to is: [email protected]

Alanthus
Updater Extraordinaire
Posts: 334
Joined: Tue Aug 23, 2005 11:38 am

Post by Alanthus »

TwiZt wrote: My spam folder is full of these messages atm too. I forwarded it to blizzard hopefully they will take these idiots down :P

Also the email to forward these things to is: [email protected]

;) I do realize there is an email for this, but since I don't play any more, the extent of my efforts was using the abuse@ email suggested in the RFCs. If they don't have it set up, that's their problem ;)

alphaomega1
Posts: 1
Joined: Fri Jul 01, 2005 1:42 pm

Post by alphaomega1 »

You receiving emails to this special account of yours doesn't automatically mean that warcraftrealms is the source of the leak. I do have special email addresses that I don't give out and I still receive phishing emails. Spammers randomly generate lots of email addresses and they will get through. Just delete them.

There are email harvesters out there, so you having your email publicly visible doesn't help. That's a lack of security on your part.

Rollie
Site Admin
Posts: 4783
Joined: Sun Nov 28, 2004 11:52 am
Location: Austin, TX

Post by Rollie »

Emails were definitely stolen. I sent out a mass email about it a few weeks ago, but I don't think it managed to send out to everyone. I had intended to send a follow up email, but I just haven't.

As Alanthus has mentioned, phpbb 2 is no longer developed and likely has holes. I made the mistake early on of tightly integrating the entire site with the phpbb database structure. I have wanted to upgrade, but it is something I have been afraid to look at.

Here is a copy of the email I sent:

----------------------------------------

I take security very seriously here at WarcraftRealms.com, but I will be the first to admit that I am no security expert. This site grew out of a hobby and has been a labor of love since WoW was in beta.

Due to the popularity and nature of the site, I am constantly under attack by hackers. One can only assume that these hackers wish to gather information pertaining to users' WoW accounts in an effort to hack, and use those WoW accounts for nefarious reasons (gold selling, character selling, etc).

While I do everything I can and know to do, a couple of months ago, the site was compromised and a breach did occur. The extent of the breach was not known at the time, but I have reason to believe that, at the least, the hacker(s) made off with the email addresses contained in my database.

The hole used was found and sealed. Hopefully there are not any others that have not been found at this time.

Those email addresses are now being targeted for various Phishing schemes, particularly for WoW account phishing scams. These scams typically attempt to get you to visit their site and enter your WoW account credentials.

Please always be very cautious when entering your information. Never click links in emails, but instead type the url of the site you wish to visit into the address bar of your browser.

As a further precaution, I urge all of you to get a Blizzard Authenticator which will with almost complete certainty protect your account from hackers.

Finally, please never use your WoW account name or password as your username or password to any online site.

Again, my sincerest apologies for any inconvenience anyone might have suffered due to this intrusion.

Always be safe,

Rollie
www.warcraftrealms.com
phpbb:phpinfo()

FuxieDK
Census Taker
Posts: 659
Joined: Thu May 22, 2008 11:36 am
Location: Copenhagen, DK

Post by FuxieDK »

Rollie wrote: Emails were definitely stolen. I sent out a mass email about it a few weeks ago, but I don't think it managed to send out to everyone. I had intended to send a follow up email, but I just haven't.

I never received anything :(

Balgair
Araiceil
Posts: 1716
Joined: Fri Sep 30, 2005 11:47 am
Location: UK

Post by Balgair »

I remember the incident a few weeks ago, but I'm surprised in that case that nothing's happened until now - it's only been the past 3-4 days I've been getting phishing mails. Maybe mine's not connected since I use the same email on lots of sites anyway though.

wcrknarf
Posts: 1
Joined: Sat Aug 02, 2008 12:45 pm

Post by wcrknarf »

Same here. The email address only used for warcraftrealms got two WoW phishing emails the last week.

Thanks Rollie for your post.

Eyeball-Dragonmaw
Census Taker
Posts: 410
Joined: Sun Aug 14, 2005 5:16 am
Location: Portland, OR

Post by Eyeball-Dragonmaw »

Believe it or not, most hackers wait to use your data so you have your defenses down. If you had received those emails a week after the site was hacked, you would be more aware of the phishing attempts.

b00nish
Posts: 1
Joined: Fri Jun 02, 2006 6:13 am
Location: lucerne

Post by b00nish »

Yep, same here.
I used an 'exclusive' E-Mail-Address for warcraftrealms.com.
Now I'm getting WoW phishing mails to this address every day. Just recently I also receive Aion phishing mails but of course I never had an Aion account ;)

Well it's not a disaster for me since I can just disable the address - but it shows that using exclusive addresses is a good concept.

It's very commendable that Rollie is honest about the issue!
