BE CAREFUL

There are bad guys out there. I just got an email that used my username from here on the Think Tank, offering to let me use a new forum. I would use my existing username, and simply provide a new password. I’m sure the intent was to invade my hard drive to find anything that could be used to make a buck. I immediately deleted the email, and I suggest that you do the same if something like this is sent to you.

I received a similar email. I haven’t looked into the details of it.

Yikes! Thank you, Piedad for alerting our members. I received the email too.

I confirm that PMQ did NOT send this email. Please delete.

I am notifying our tech admin Claudio about this and keeping my fingers crossed he will know some ways to prevent this from happening again.

Yes, thanks. The email I received is fairly nondescript and I did not even immediately associate it with my PMQ login until I saw Piedad’s post.

Missy - You might want to ask Claudio how this person was able to get our email addresses. It doesn’t look possible from just the forum interface.

@Registered Guest, I certainly will ask @Claudio about that. We NEVER sell or share our email lists and the fact it got hacked means that some action needs to be taken. Thank you for the input. This community has such a beautifully strong spirit of collaboration!

Maybe someone grabbed the email addresses with a magnet? :smiley:

Would it be appropriate to send out an email warning users that this did not come from PMQ and warn them against clicking on the link?

Getting the email itself is relatively harmless, but clicking on the link could expose users to more harmful things.

Many may not know of the risk unless they are following the conversation here.

And NO magnets, registered guest, lol!

I use the same user name on several forums but never the same password…I saw an email like this but did not link it to a specific forum…I think I “trashed” the email…Thanks…

Nice idea MidnightRider

I think we may have solved the case and it dates back to December 2013. Have any users who signed up after December 2013 received this spammer email? Any users such as @Boli Girl, @Barry Hadley, @Ben Fogt, @BspaPizza?

Just joined last week, got an email from Missy/PMQ inquiring about this. Missy - happy to reply to you, but you’ve a gmail account in your private email to me - is that right? I only joined via Facebook last week, when trying to join the ‘regular way’ 2 weeks ago failed miserably.

Hi William. Yes I have a Gmail account linked to my Think Tank username. I’m sorry to hear signing up the regular way was unsuccessful. What happened?

Made a regular username/password combo over to one of my sites, and it never, ever sent me the confirmation email. I only have 5 sites, and I waited 72 hours on the confirmation email, kept trying, then got busy, gave up, and tried the Facebook signup. That’s it, that’s all.

Will reply to your priv/email soonish.

@Nicholas Weaver messaged me with some information that made a lot of sense.

“Classic phishing is the motivation. People commonly reuse passwords, so getting someone’s password for a forum like this can likely get into their other accounts elsewhere.”

That’s including your POS. So if you updated your password in that mysterious “new forum” do please change your other passwords!

Are you serious? Your database was compromised. Fix your security holes, and tell everyone to change their passwords. The entire forum and all of your user information was accessed. It is not 1996 any more. Ignoring that giant security leak is not what we need to do. Fix your holes in the think tank, send out an apology, and hope that nothing worse comes from this.

Seriously PMQ! How many people here are really that internet savvy that they have separate passwords for each account or forum they use? Logging into that hacker’s forum gives the hacker access to all of the accounts they have with the same user name and/or email. Do ya think nobody did that? Even the people who were duped into doing it are going to be too embarrassed to admit to it.

To other users: Imagine the public backlash if your customer database was hacked. How are more people not pissed off about lax security?

Thanks for your feedback and let me explain in more detail what we know and see what you might add to the conversation.

We do not believe that the scammer has any password information. Our website was never hacked. Actually, the company that sent the emails was a prospective vendor that did an analysis of our bulletin board back in December of 2013 when we were in the process of looking for a better bulletin board software. It appears they made a copy of our list of users and could now be trying to get passwords. That is why we are warning our users to ignore this email.

At this point what would you recommend? Thanks much

Was there no confidentiality agreement with this prospective vendor?
After reading the PMQ privacy policy I am thinking I did the right thing to have an email address that is only used for the Think Tank. You have not specifically stated that this information will not be sold to a third party.

I am not an internet security expert or a PR expert, however my day job is as a software consultant so I have a solid grasp of the technical details.

First, there is little danger in someone having a list of email addresses. Email addresses can also be obtained by any entry level hacker by monitoring traffic over unsecured public networks, such as a coffee house or perhaps many of the wireless networks we expose from our businesses. This would be analogous to swiping someone’s mail out of their unlocked mailbox and opening it up and collecting SSN, account number, etc. At this point (according to Missy’s statement) this list of emails and logins is all we believe anyone has.

However, as Pizzamancer points out, the danger can increase significantly when and if people click on the link. In this case, if people do click on the link, they are prompted to change their password. This process (known as phishing, as Missy points out) is designed to capture your password. Once that password is captured, the BAD GUYS now have three pieces of information that are associated together: your PMQ login, your email address and your new password. They can then use that information to do a couple of things. They could log into your PMQ account and post messages, view profile information, and basically anything you can do. While this is annoying and disruptive to our community, it is probably not that harmful in the scope of things (unless you are asking registered guest to try magnets on his ovens, ha ha). More likely, however, that data would be combined with other sources of data to build a digital profile about you…so imagine that not only was your information compromised from PMQ, but also from Jimmy Johns, where I also use the same email address to order subs as I do to login to PMQ. My digital profile would now include the information from Jimmy Johns and PMQ. Eventually there may be enough information for someone to get into my online bank account, credit card accounts, credit monitoring, etc. Over time, the identity thief will gain pieces of information that allow them to impersonate me and act as me.

Digital security is an important concern and anyone who holds any piece of digital information about me has a strong responsibility to ensure that they are securely storing that information and not contributing to the process of identity theft.

So, some suggestions on what can or should be done now:

1.) I appreciate that an email was sent out last night. However, I do not believe the wording was strong enough. It is not enough to “ignore” the spammers email. I would like to have seen wording that made it clear NOT to click on the link or enter any password information under any circumstances.
2.) This is where someone trained in internet security might come in handy to craft a specific action plan, but I think PMQ could help play a role in assisting anyone who has clicked on the link. Maybe advise that they have a heightened monitoring of their credit report and accounts for any signs of suspicious activity…
3.) PMQ probably needs to add additional scrutiny to people trying to login to their site for some period of time. They probably should have heightened awareness not only of those successful attempts, but also unsuccessful.
4.) PMQ should probably ask the community to report any suspicious activity they see that might be traced back to this breach. Perhaps this needs to happen one on one because many people are embarrassed or there may be other need for discretion.
5.) It may be needed to reset all user passwords…as a user I hate this idea, but it could be a needed step. I think it would at the very least, be wise to suggest that users reset their passwords.
6.) Daddio just brought up an important line of questions about this supposed “vendor”…do you have agreements in place about how they were supposed to use the information, and what information they could have? Did they maliciously take information from PMQ - perhaps they need to be reported somewhere? Did they allow someone else to take PMQ’s information from them - perhaps they were duped out of additional information? Why were email addresses and account information given during an evaluation? Could they not have worked from a set of made up accounts just for this purpose? I feel PMQ does need to be asking these questions to address the present - it is important to understand what happened, the depth of the breach, and ensure that the appropriate reporting of the breach is done. Additionally, we need to address the future and ensure that PMQ takes steps to prevent this from happening again.

In conclusion, based on what we know right now, there probably is no need for widespread panic. Unfortunately, it is an increasingly prevalent risk in the world we live in. However, it is a very serious topic and can lead to more serious consequences if “ignored”. I would ask PMQ to be as proactive, transparent and aggressive as they can be in understanding this breach and addressing it.

Missy - Internet security isn’t my direct area of expertise, I do mostly database, analytic and reporting work, but if you have any additional questions or wish to discuss anything further offline, please feel free to PM me and I am happy to assist in any way I can. This forum and its contributors have made so many fantastic contributions to me and I think it is important that we keep those contributions and contributors safe and secure.
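Suggestions 3 and 5 in the post above (watch successful and unsuccessful login attempts for a while, and decide whether passwords need to be reset) are the part of the advice a forum admin can act on directly. The following is an added example, not code from the original thread or from PMQ, showing one way to do that triage over the site's login log. It assumes a simple one-line-per-attempt format ("<ISO timestamp> <OK|FAIL> user=<name> ip=<address>"), and the log lines, usernames, IP addresses and thresholds are constructed for illustration. The logic is the pattern a phished user list produces: a single source trying many different usernames in a short window (a person mistyping their own password only ever hits one account), with any successful login from such a source meaning the attacker already holds a working password for that account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real forum logs). Assumed line
# format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>".
# 203.0.113.5 walks through a harvested user list; 198.51.100.20 is one
# member fumbling their own password; 192.0.2.77 is a normal login.
SAMPLE_LOG = """\
2014-03-10T08:00:01 FAIL user=alice ip=203.0.113.5
2014-03-10T08:00:03 FAIL user=bob ip=203.0.113.5
2014-03-10T08:00:05 OK user=carol ip=203.0.113.5
2014-03-10T08:00:07 FAIL user=dave ip=203.0.113.5
2014-03-10T08:00:09 OK user=dave ip=203.0.113.5
2014-03-10T08:00:11 FAIL user=erin ip=203.0.113.5
2014-03-10T09:15:00 OK user=frank ip=198.51.100.20
2014-03-10T09:16:00 FAIL user=frank ip=198.51.100.20
2014-03-10T09:16:30 OK user=frank ip=198.51.100.20
2014-03-10T11:00:00 OK user=alice ip=192.0.2.77
"""


def parse_log(text):
    """Turn the assumed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_field, ip_field = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_field.split("=", 1)[1],
            "ip": ip_field.split("=", 1)[1],
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: set(usernames)} for every IP that attempted at least
    `min_accounts` distinct usernames inside any `window`-long span.
    Both successes and failures count: the attacker's hits matter most."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)          # events stay time-sorted per IP
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):       # sliding window over this IP
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts with a successful login from a flagged source: the attacker
    holds a working password for these, so force a reset and tell the owner
    to change that password anywhere else they reused it."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})


def accounts_probed(flagged):
    """Every account a flagged source tried, successful or not; these owners
    should at least be told their username is on the attacker's list."""
    return sorted(set().union(*flagged.values())) if flagged else []


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    for ip, users in sources.items():
        print(f"{ip}: tried {len(users)} accounts -> {sorted(users)}")
    print("force password reset for:", accounts_to_reset(evs, sources))
    print("notify (probed only):", accounts_probed(sources))
```

Run against the constructed sample, only 203.0.113.5 is flagged, carol and dave get a forced reset, and frank's two failures on his own account are left alone. The thresholds (three accounts in ten minutes) are deliberately low for a small forum after a known phishing mailing; on a busier site they would be raised, and the source would also be compared against IPs the affected accounts had used before the incident.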