*** SECURITY BREACH ***


Whew, excellent work to get this glitch, as serious as it is, in the Site under control as quickly as now.

Kudos to Admin--hope all the nasty stuff can be sanitised quickly and efficiently.

Yes I also admit the double take when an email arrived at 8am asking to reset my PW--oh oh I thought, one of "those"--delete hovered--but realised when I tried to login all was kosher and the problem was real.

 

All good now just as well it asked for a new P/W--I couldn't locate the old one:(!

 

Hope all to square and clean without too much hassle and time--good luck!

 

 

Willco 


Most Popular Posts

  • Upon reflection, I've perhaps revealed too much info in this thread in my bid to be totally transparent about what happened and processes we had in place. The hacker had a thorough understanding of ho

  • We believe at this stage that a vulnerability was exploited to give a Full Member account Administration access. They then used that account to remove all other Admin and Moderator accounts - essentia

2 minutes ago, agisthos said:

 

Yes! The average person, especially older, seems to have this idea it's safer to pay for something via your bank account than PP or credit card. It's not. No protection. They have never had a payment dispute, so do not realise the banks do not go and get your money back, you have to take the recipient to court to get a judgement, wasting $$ on legal fees. And then after court, you have to enforce payment, which will probably be $10 per week for the next 10 years.

Very true, but how do you use a CC to pay a private seller for something you may purchase on SNA?

Pretty impressed with both the speed of resolution, the seriousness taken by SNA and the depth of information on the breach and outcomes. This kind of response gives a lot of confidence and I wish some institutions handling much more personal data than SNA took their responsibility as seriously. 

Good stuff Marc, thanks for giving up your Sunday to keep the wheels greased. 

Awesome turn around guys! Well done.

 

Unfortunately it's raised to me that my personal account @caminperth has been around for so long (since 2005!) that it's associated with an old email address that no longer exists - this means I can't reset my password to access the account.

Can one of the mods please PM me and I'll send through the correct email address?

 

1 minute ago, rantan said:

Very true, but how do you use a CC to pay a private seller for something you may purchase on SNA?

 

For a private seller you can obviously only use your CC via PayPal. But in general if buying something from a vendor who has a merchant account, it's far safer to pay via CC than Direct Deposit because you can do a chargeback if the merchant tries to scam you. You have 45 days under Visa/MC rules.

What a PITA for you, Marc.  Sadly, this sort of thing will not go away.

 

I also got an email telling me you had locked my account:

 


 

 

Password now changed!

 

Andy

 

3 minutes ago, agisthos said:

 

For a private seller you can obviously only use your CC via PayPal. But in general if buying something from a vendor who has a merchant account, it's far safer to pay via CC than Direct Deposit because you can do a chargeback if the merchant tries to scam you. You have 45 days under Visa/MC rules.

 

Yes. This makes a lot of sense. Thank you.

 

I will do this for any future payments

12 minutes ago, Marc said:

Just PM me the correct email addy @Line Magnetic Australia

Thanks mate - I'm back!!

Nice work getting control back and addressing the breach. Well done and thanks for the quick response.

A very well-known user on Head-fi had their account hacked and suspicious classifieds posted as well, so it looks like the attackers are going on a spree.

Thank you for letting me know. I have changed my password. Thank you also for the clear and detailed explanation of this matter.

Those who vandalised this site are just nasty people, and they have to look at themselves each day in the mirror. Some people choose to do evil, shame on them. They deserve their karma from what they do.

@Marc

How did you find out about the breach?

Did an alarm go off with a red flashing siren?

 

Clarification please... passwords were encrypted however it was noted that the hackers accessed them.

 

"Do I need to worry?

In short, no. The only identifying information contained in the database is your username, email address, and password (stored with encryption)."

 

If passwords were encrypted then hackers could not access them without the decryption key(s) yet it is stated that they did get them as part of 'identifying information'.

Do they have my old password or not?

 

This is the first time I have been part of a database hacking - congratulations. Frankly, I am furious they got even my e-mail address. I know a bit about IT and security so I would really like a detailed explanation of the vulnerability that was exploited.

 

Edited by Timzy

Great. I've changed my password. Now how do I change my email address?

6 minutes ago, crispi said:

Great. I've changed my password. Now how do I change my email address?

 

First post since 2004 

Welcome back  :)

 

50 minutes ago, Timzy said:

 

This is the first time I have been part of a database hacking - congratulations.

 

I'd be very, very surprised if it was really the first time. This stuff happens far too often, and it often gets covered up.

My iPhone told me that a couple of my passwords had been got when I was looking through the new OS features, the first time I knew about it, and I check the various sites for hacked password checks regularly (I have to use a couple of sites with short passwords and am a bit paranoid)

Thanks for your responsiveness Marc and keeping this a safe site. 

 

2 hours ago, crispi said:

Great. I've changed my password. Now how do I change my email address?

Don't think you need to.

3 hours ago, Timzy said:

....This is the first time I have been part of a database hacking - congratulations....

 

Hmmm... might be worth chucking your email into here and checking if that is indeed the case.

 

Edited by slashrawr
Just being an idiot...

9 hours ago, Timzy said:

Clarification please... passwords were encrypted however it was noted that the hackers accessed them.

 

"Do I need to worry?

In short, no. The only identifying information contained in the database is your username, email address, and password (stored with encryption)."

 

If passwords were encrypted then hackers could not access them without the decryption key(s) yet it is stated that they did get them as part of 'identifying information'.

Do they have my old password or not?

 

This is the first time I have been part of a database hacking - congratulations. Frankly, I am furious they got even my e-mail address. I know a bit about IT and security so I would really like a detailed explanation of the vulnerability that was exploited.

 

 

I have outlined much more information in this thread. While I have explained what information is stored here against your account, the hackers were not interested in our database and member information and from the logs, we can see they didn't even access this information. I have outlined what appeared to be their sole intention elsewhere already in this thread.

9 hours ago, Timzy said:

This is the first time I have been part of a database hacking - congratulations. Frankly, I am furious they got even my e-mail address. I know a bit about IT and security so I would really like a detailed explanation of the vulnerability that was exploited.

 

 

I checked your email against the https://haveibeenpwned.com/ website for you. Your email (and potentially other information), has been exposed in 9 major data breaches. Might want to check that and clean up your accounts where possible.

Hey mods, My account will need to be merged as well. I'm metal-fan but got a reset email for sketchdude??

 

Cheers.

15 hours ago, mvyrmnd said:

Explaining this breach in the password reset email would have been useful. Getting an aggressive password reset notification out of the blue just looks like phishing, and a good percentage of people would rightfully mark it as spam.

I felt similar when I saw the email, so I just did a bit of a search and found this discussion quite quickly. I'd encourage everyone to approach things that way instead of clicking blindly.

 

Having said that, I can imagine that the administrators had many things going on and were under extreme pressure to right the ship so I can understand the terseness of the password email.

14 hours ago, rantan said:

Very true, but how do you use a CC to pay a private seller for something you may purchase on SNA?

PayPal or cash on pickup/delivery.

If EFT is the only option, then perhaps a phone conversation to convey or confirm the details is safer than other channels.

This topic is now closed to further replies.
