BE CAREFUL

Pizzamancer:

I feel your stress and frustration - you seem like you might need a magnet or two, placed on your temples, to alleviate all of that pent up stress.

@MidnightRider you put it all beautifully. I’m hopping on an international flight now but I’ve talked with the publisher and he is following up with urgency. Thanks so much to all of you who are helping us solve this together. It’s always what you’ve been best at!

Really?
There is no way the database could be compromised or accessed. All the passwords we use to manage the files, databases or even to enter to the Admin Panel are really strong.

My work is to ensure the forum works fine, without issues or security problems. The forum is running on XenForo, which is the best forum software and hasn’t had any security hole in the core system since it was released a few days ago. Your security is my matter and I’m pretty sure no one has accessed the database or sent the emails through the PMQ website.

Hey Daddio. The wording of our agreement may have changed some over time but we are still not ever going to sell our email address list. It sounds like a prudent idea though to have a separate email address for a forum just in cases like this.

Just a little update here. We are analyzing the source code of the email to find out more about where the email came from.

Hi,

This is the email source code analysis:
http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=37e7dab5-5c23-4e9a-9539-a1c1d781a8d7

The email was sent from websitetoolbox.com and not pmq server (the forum is running on IP 198.58.106.66). You can check the email header yourself and ensure the forum IP isn’t there nor the DNS.
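The header check described in the post above, as an added example that is not part of the original thread or of any tool the posters used: a small Python script that parses the Received chain of a raw message and reports whether a given server IP or domain appears anywhere in it. The sample headers are constructed for illustration; the hostnames out1.websitetoolbox.com and mail.example-receiver.test and the documentation-range addresses 192.0.2.10 and 203.0.113.25 are assumptions, while the forum IP 198.58.106.66 is the one quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real captured message). Hostnames and the
# documentation-range addresses 192.0.2.10 / 203.0.113.25 are assumptions; the
# forum IP 198.58.106.66 is the one quoted in the post and never appears here.
SAMPLE_RAW = """\
Received: from mail.example-receiver.test (mail.example-receiver.test [192.0.2.10])
\tby mx.example-receiver.test with ESMTP id abc123
\tfor <member@example.test>; Mon, 29 Sep 2014 03:48:00 -0400
Received: from out1.websitetoolbox.com (out1.websitetoolbox.com [203.0.113.25])
\tby mail.example-receiver.test with ESMTPS id def456
\tfor <member@example.test>; Mon, 29 Sep 2014 03:47:58 -0400
From: new forum <gopal@websitetoolbox.com>
To: member@example.test
Subject: You're invited to join new forum

The administrator just set up an account for you on new forum.
"""

FORUM_IP = "198.58.106.66"
FORUM_DOMAIN = "pmq.com"

# IPv4 literal in square brackets, as MTAs write it: "host (host [203.0.113.25])"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# The "from <host>" clause names the relay that handed the message over
FROM_HOST_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hops(raw_message):
    """Return the Received chain as (hostnames, ips) tuples, origin first.

    Each relay prepends its own Received header, so the raw order is newest
    first; the list is reversed so index 0 is the hop closest to the sender.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        hosts = [h.lower() for h in FROM_HOST_RE.findall(value)]
        ips = IP_RE.findall(value)
        hops.append((hosts, ips))
    hops.reverse()
    return hops


def origin_host(raw_message):
    """Hostname that injected the message, or None if there are no Received headers."""
    hops = received_hops(raw_message)
    if not hops or not hops[0][0]:
        return None
    return hops[0][0][0]


def header_from_domain(raw_message):
    """Domain of the From: header (sender-controlled and easily forged)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def server_in_chain(raw_message, server_ip, server_domain):
    """True if the given IP or a host under the domain appears in any Received hop."""
    domain = server_domain.lower()
    for hosts, ips in received_hops(raw_message):
        if server_ip in ips:
            return True
        if any(h == domain or h.endswith("." + domain) for h in hosts):
            return True
    return False


if __name__ == "__main__":
    for i, (hosts, ips) in enumerate(received_hops(SAMPLE_RAW)):
        print(f"hop {i}: from {hosts} {ips}")
    print("origin host:", origin_host(SAMPLE_RAW))
    print("From: domain:", header_from_domain(SAMPLE_RAW))
    print(f"forum server ({FORUM_IP} / {FORUM_DOMAIN}) in chain:",
          server_in_chain(SAMPLE_RAW, FORUM_IP, FORUM_DOMAIN))
```

Two caveats when reading the result. Only the Received line added by your own mail server is trustworthy; every hop below it was written by someone else and can be forged by a sender, so the "origin" this script reports is at best what the sender's relay claimed. And, as the replies in this thread point out, the absence of the forum's IP only shows which server relayed the message; it says nothing about where the recipient list came from.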

Indeed, Website Toolbox is the former vendor we mentioned. The pieces are coming together. We are still unsure if this was something they did or something a customer of theirs did. This “new forum” has 20,000 members populated in it, about 4 times as many as the Think Tank has ever had so PMQ was not the only one who got it.

@Daddio and @MidnightRider, we are following MidnightRider’s advice and reaching out to the community to be as transparent as possible.

This post is to address the confidentiality agreement with the vendor we mentioned before. While we were investigating Website Toolbox as someone we might hire, they asked us for an export of our data to set up a trial forum. Website Toolbox came recommended based on the research Liz and I conducted as a reputable company. The passwords in the export were encrypted and it seemed like standard procedure for setting up a forum. So to answer your question, no, there was no formal agreement with them, although one would assume that they would protect their clients, even prospective ones.

My username, password (even if hashed), e-mail address and all of my posts are in the hands of an unauthorized 3rd party. That means your database was compromised.

Never say there is “no way” to compromise a database - not knowing or understanding the risks is the path to weak security.

There are many ways to compromise a database other than having somebody log in with a weak password. On a technical side there are things like SQL injection attacks, there is social engineering, and there is commonly a case of somebody intentionally handing over data (while thinking they are well meaning) - and that seems to be exactly what happened here.

My work is to ensure the forum works fine, without issues or security problems. The forum is running on XenForo, which is the best forum software and hasn’t had any security hole in the core system since it was released a few days ago. Your security is my matter and I’m pretty sure no one has accessed the database or sent the emails through the PMQ website.

First of all, nobody cares if the e-mails were sent from the PMQ website or not - that’s not the issue. The e-mail came addressed to my screen name here, and I don’t use that anywhere else. Whoever sent it obviously got my e-mail address from you in one way or another.

Part of running security means pushing back when somebody comes to you with a dangerous idea, even if it is a superior. Running XenForo that “doesn’t have any security hole” (yeah right) doesn’t do any good when you offload all of the data to a third party that you have no relationship with.

Quite frankly, I find your defensiveness and denial to be rather rude considering it’s obvious all of your users have now been targeted in a phishing attack thanks to PMQ’s carelessness. And who knows where our data will end up now.

You can check the email header yourself and ensure the forum IP isn’t there nor the DNS.

Again, it doesn’t matter where the e-mail came from, the data came from YOU. You also don’t appear to know what DNS is. Did you mean domain name?

This post is to address the confidentiality agreement with the vendor we mentioned before. While we were investigating Website Toolbox as someone we might hire, they asked us for an export of our data to set up a trial forum. Website Toolbox came recommended based on the research Liz and I conducted as a reputable company. The passwords in the export were encrypted and it seemed like standard procedure for setting up a forum. So to answer your question, no, there was no formal agreement with them, although one would assume that they would protect their clients, even prospective ones.

I was cutting you significantly more slack when I thought you were just hacked. The fact that you willingly handed over our e-mail addresses, screen names and, apparently, posts, to a 3rd party that you had no formal business relationship with is hard to believe. “Seemed like” and “one would assume” sound awfully dangerous. You assumed that a company you found online and didn’t enter a formal agreement with was completely legit and would protect your data? On what grounds would you assume that? Welcome to the world, it’s a dangerous place.

As a side note, you never use production data in a test. Never, ever.

Sorry guys, but I’m PO’d.

At the very least there should be a system for dealing with something like this when it does happen; the response from you guys seems very unorganized. And the fact that you gave our information to someone you have no formal relationship with is disturbing. To me it means you either don’t value it, or didn’t know what could happen.

Mysterious Monday Email Explained

Dear Think Tank Community:

Thank you all for displaying your protective instincts of the Think Tank this week with your quick responses, analysis, suggestions and even your complaints.

Many of us received an ominous email on Monday directing us to change our passwords as part of signing up for a new forum. Since PMQ did not create a new forum, we knew that this email was unauthorized and highly suspicious so we immediately asked our community to ignore or delete the email until we could understand its origin.

Now that we have been able to discuss the problem with the sender (Website Toolbox) and they have been able to investigate the problem we know what happened.

Website ToolBox conducted an internal test which ended up sending an email to all Think Tankers who were active during December of 2013. The email was not part of a phishing scam as we had first worried, nor was PMQ.com or WebsiteToolbox.com ever hacked. It was, however, very unnerving for everyone.

In the enclosed letter at the bottom of this post, WebsiteToolbox admits that it made an inadvertent error, that it will delete any email information from PMQ ThinkTankers and that we will not be getting any more emails from them. At 8PM tonight, Daddio will also post the chat conversation he had last night with a member of the Website Toolbox team.

So how did WebsiteToolBox get my email address?

In December PMQ began converting our old Think Tank to a new BBS developed by a highly regarded company called WebsiteToolbox. Since the Think Tank has been in existence since 1998, it had a very large and lumbering database which had already been reimported a few times. It was necessary to test to see if the Think Tank actually could be imported into the new system and we agreed to have Website Toolbox test the process. Although the test was successful we ended up going with XenForo because we thought it would be a better fit for our users. The data at this point should have been deleted but obviously was not.

Here is an explanation according to Website Toolbox:

Letter from Austin Walker of WebsiteToolbox. Friday October 3, 2014.

Hello Steve,

I have gone through the emails sent by you and was able to find out that these emails were sent out to you while our testing team was trying to upload the data provided by you to the forum. I would request you to please ignore these emails and rest assured that this will not happen again. We have also instructed our testing team not to use the data sent by you for any testing purpose again and to delete all the data.

We understand how sensitive it can be to your clients who are receiving such emails. I would like to let you know that Website Toolbox will not rent or sell potentially personally-identifying and personally-identifying information to anyone. The information provided by you is only disclosed to the employees of the organization.

We apologize for all the inconvenience caused to you. Please contact us if you need any further clarification on this.

Regards,

Austin Walker

Team Leader - Customer Support

Website Toolbox, Inc.

http://www.websitetoolbox.com

1-800-921-7803 extn: 104

09:30 AM to 6:00 PM EST, Mon-Fri

Thank you all once again for your concerns and comments about the security of the Think Tank.

How did PMQ respond to this situation?

Our first concern was to alert our users of a possible scam and to ignore or delete the email. I then contacted Website Toolbox and got hold of our former representative there, who finally put me in touch with Austin Walker. I sent the email to Austin Walker so that he could track down the problem, and he provided us with an explanation and a promise to not do this again. I do apologize that it took me an extra 24 hours to bring you this news, as I had made an error in using a wrong email address.

I had a chat with the site that sent out the email; here is a transcript. Just a note: the user CrashTest is one that I had created a while back when there were issues with the Think Tank.

Now Chatting
Thanks for stopping by! Can I help you with anything?

→Why am I getting spam from your site?

Abhi: We regret the inconvenience.

Abhi: You might have signed up for any service with us.

Abhi: We do not send spam emails.

→I am a member of a forum that investigated using you in december 2013 now every member on that forum had an email from your site

→You’re invited to join new forum From: new forum <gopal@websitetoolbox.com>

→Hi CrashTest, The administrator just set up an account for you on new forum. Your username is CrashTest. All you need to do is choose a password. CLICK THIS LINK TO GET STARTED: http://gopal55.forumchatter.com/register/reset_pw?userid=3261324&aid=6ME05Ih1Swv7gXBCygfuO0Xglxn8iTE Thank you, new forum http://gopal55.forumchatter.com

Abhi: I really apologize for this.

Abhi: This is one of our test forums and it seems that some data import must have been done at the time when your forum was functioning.

Abhi: I’ll get this fixed for you.

→How did this get sent to every member on the forum?

Abhi: There must have been a data import done, and during the data import a member list also has been imported. Gopal55 is a test account on which we tested the member list import before doing it on your account.

Abhi: This was done to ensure that data import happened correctly.

Abhi: Now, it seems that the testing team must be trying out another import and it triggered a test email.

→Your reputation is getting hurt by this. check out this link http://thinktank.pmq.com/threads/be-careful.15628/

Abhi: I apologize for all this mix up.

Abhi: If you are a member of the forum that you pointed out, I request you to ask the forum admin to remove the negative comments.

Abhi: I’ll ensure that all the test data is removed from the test forum.

→Not a chance of that you are the one that needs to clean up the mess you created.

Abhi: I am deleting all the data from test forum from our end.

Abhi: This will ensure that no such emails are sent to you in future.

→I am of the opinion that you owe PMQ and the members of their forum an apology. You have cast a bad light on both yourselves and PMQ

→Just to be up front I am not an employee or contractor of PMQ

→Just a member of the forum.

Abhi: I understand that.

Abhi: You can provide this entire chat transcript to all the members on that forum.

Abhi: Just to let them know that this was not done to harm them in any manner.

Abhi: It was just an error that happened from our testing team.

→I will post the transcript but I doubt there will be a positive response. Did you read all of the posts in the link?

Abhi: I went through a few of them and will pass on this complaint to the required team.

Abhi: We do not want a bad name for our company and would request your forum members to understand that this was an unintentional mistake.

→have a look at the last post of the thread. I think that gives a good picture of how you have damaged both your reputation as well as PMQ’s

→maybe you should consider posting an apology as a representative of your company

Abhi: I’ll ask about this to the required team and hope they will do so. Please allow us some time on this.

→I will post this transcript in 16 hours

Abhi: Sir, when did you receive this email?

Abhi: Can you send a copy of that email to support@websitetoolbox.com.

→09-29-2014 03:48 AM

→so you have my email to send more spam to? You have the content of the email in this transcript.

Abhi: Please try to understand that this was not meant to happen and it only happened due to error. We do not have any such intention.

Abhi: If you can forward a copy of that email to us, we can send it to the concerned team as a complaint from your end.

→No I will not forward the email. I do not want you having my email address. I have posted the content in this transcript.

Abhi: That is fine.

Abhi: I am deleting all the imported data from the test forum.

Abhi: This will ensure that nothing of this sort happens in future.

→thank you for your time. I hope you do the right thing and contact PMQ.

Abhi: Thank you for your understanding.

Really strong? That doesn’t much matter when you are phished.

If this was a malicious attempt, many users would be screwed.

Enough Monkey Pile it seems to me.

I received all the emails mentioned and deleted them. Not much of a hardship and considering how many places eventually get my email address one way or another and not something that concerns me. If I receive no more emails from them I consider this done and over.

Wow, I haven’t dropped in for a couple of weeks and missed all of this. As Steve said, I too got the email and ignored/deleted it because I assumed it was another scam. Not to be too judgmental, but the comments from Websitetoolbox posted by PMQ read a little like an email from an exiled Nigerian prince if you look at grammar and syntax.

Yes I received one but deleted it