FXpansion Spam email ?spam? Turbo

Archive support for: fxpansion.com

Post

V0RT3X wrote:This is kind of cool to check out. It's a password testing site and gives you a time estimate on how long your password might take to crack.

https://howsecureismypassword.net/


It would take a desktop PC about 5 trillion quadragintillion years to crack my random gibberish password. I don't use this one though I just had to test something ridiculous.

Length: 81 characters
Character Combinations: 77
Calculations Per Second: 4 billion
Possible Combinations: 639 octillion quadragintillion

And now they have your password to add to the dictionary.

Post

V0RT3X wrote:This is kind of cool to check out. It's a password testing site and gives you a time estimate on how long your password might take to crack.

https://howsecureismypassword.net/


It would take a desktop PC about 5 trillion quadragintillion years to crack my random gibberish password. I don't use this one though I just had to test something ridiculous.

Length: 81 characters
Character Combinations: 77
Calculations Per Second: 4 billion
Possible Combinations: 639 octillion quadragintillion
That is the site that I got the link from for the 10,000 passwords list.

But I wouldn't trust it too much, as he says, for a start, if you actually put your own original password into it for him to check, he could be reading it and storing it and selling it. Anyway, we don't need to be that paranoid, as long as we aren't that stupid (putting in your real password to check - use substitution cyphers instead if you want to find this out - it is all the same to a computer).

I'll give you an example. How long does it tell you it will take to crack a password such as '11111111111111111111111111' ?

792 Million years. Really? I think you will find that that is included in every single rainbow table going. Even in the non rainbow table brute force dictionaries.

So, that site, whilst giving an indicator, should be taken with a pinch of salt. To his credit he says as much. Common sense. Unknown factors. Use it if you got it. And never discount the existence of the other one. Respectively.
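The arithmetic behind the '792 Million years' figure discussed above, as an added example that is not part of the original posts: a purely exhaustive-search estimate (alphabet size to the power of the length, at the 4 billion guesses per second quoted in the thread) next to a structural check that flags what a guesser would try first. The function names and the tiny word list are constructed for illustration, and the check runs locally, so nothing is typed into a third-party site.

```python
import math
import string

RATE = 4e9                          # guesses/second, the figure quoted in the thread
YEAR = 365.25 * 24 * 3600           # seconds per year
COMMON = {"password", "123456", "qwerty", "letmein"}   # constructed stand-in for a real wordlist

def charset_size(pw):
    """Alphabet size a naive meter infers from the character classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw)) or 1

def naive_years(pw):
    """Exhaustive-search estimate: charset**length guesses at RATE per second."""
    exponent = len(pw) * math.log10(charset_size(pw)) - math.log10(RATE * YEAR)
    return math.inf if exponent > 300 else 10 ** exponent

def weak_pattern(pw):
    """Why a guesser would try pw long before exhaustive search, or None."""
    if pw.lower() in COMMON:
        return "common password"
    if len(pw) > 1 and len(set(pw)) == 1:
        return "single repeated character"
    for n in range(2, len(pw) // 2 + 1):          # e.g. "abcabcabc"
        if len(pw) % n == 0 and pw == pw[:n] * (len(pw) // n):
            return "repeated block"
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    if len(pw) > 2 and steps in ({1}, {-1}):       # e.g. "abcdef", "987654"
        return "sequential run"
    return None

def assess(pw):
    """Pair the naive figure with the structural check; nothing leaves the machine."""
    return {"naive_years": naive_years(pw), "weakness": weak_pattern(pw)}

if __name__ == "__main__":
    for sample in ("1" * 26, "abcabcabc", "987654", "kV7#qLm2!xRw"):   # constructed samples
        r = assess(sample)
        print(f"{sample!r}: naive {r['naive_years']:.3g} years, weakness: {r['weakness']}")
```

For twenty-six 1s the naive figure comes out at roughly 792 million years while the structural check flags a single repeated character, which is the gap the post describes.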

Post

hibidy wrote:Of course my passwords are not on that list.

My fxpansion email matches the email, case closed for me.

When I'm logged in here, my email is visible to me, is it visible to everyone?
I just checked your profile, I was going to send you some late (or is that early) morning drunken abuse. Unfortunately it was disabled. You can rest safe now. I'll have to find another unwitting victim.


;-)

Post

V0RT3X wrote:For the ultimate paranoid people out there

create passwords at least 16 characters long or more.

use this https://secure.pctools.com/guides/password/

keep a log of your codes somewhere safe (Not on your computer!)
*Secure locked USB drive with a password you can remember to access your list*


https://www.grc.com/passwords.htm

---------------------------------
Generating long, high-quality random passwords is
not simple. So here is some totally random raw
material, generated just for YOU, to start with.
Every time this page is displayed, our server generates a unique set of custom, high quality, cryptographic-strength password strings which are safe for you to use:

64 random hexadecimal characters (0-9 and A-F):
0EADBAA39EA5E3BB7F485ED81ADC63B784617D7BFFC6CAB338D58486DA031717

63 random printable ASCII characters:
XV'J]vJool='xfi!2*n.I'8fz-%"4NY.VGRE8uw^Lh>a2>-eC^jz"tQj[nmzPLB

63 random alpha-numeric characters (a-z, A-Z, 0-9):
jIRVMi38bfhgDfCOWgsQQAgGdfBxAxW7Zb7dA3CXaIwkInDQpITWMIVbI4L2YMh

--------------------------------


See also:

https://www.grc.com/haystack.htm

-----------------------
Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a "brute force" search - ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose, is discovered.

If every possible password is tried, sooner or later yours will be found.
The question is: Will that be too soon . . . or enough later?
-------------------------------

Post

codec_spurt wrote:
hibidy wrote:Of course my passwords are not on that list.

My fxpansion email matches the email, case closed for me.

When I'm logged in here, my email is visible to me, is it visible to everyone?
I just checked your profile, I was going to send you some late (or is that early) morning drunken abuse. Unfortunately it was disabled. You can rest safe now. I'll have to find another unwitting victim.


;-)
Lindsey?

Post

SKoT_FX wrote:Yes, all FXpansion account passwords are encrypted, and always have been.

Further update: it appears VirtualDJ is now being spoofed as a source of emails as well. If you are a VirtualDJ customer, but NOT an FXpansion customer, we would be interested to hear from you to establish if there are a bunch of music software companies that have been compromised, or whether it is just a new "from" address spoof going to our customers' email addresses.

ClickBank are shutting down new aliases of the spammer as fast as we report them. DubTurbo is assisting us in gathering as much information as we can.

- SKoT

Thanks SKoT.

I understand that Native Instruments accounts have been abused as well. So kind of good news in a way. It might also make things easier to track down the offender.

Then again, it is always possible that they hacked all of these accounts. I doubt it though. There is probably some other common denominating factor. The truth is, at the moment we are all in the dark and no one seems to know exactly what has happened or how they have gone about it.

Also, whilst our passwords might be encrypted, I doubt our Addresses and Telephone No. were. And neither were our real names probably. Then again, you have said that there appears to have been no breach of your servers. I trust that you are running IDS (Intrusion detection systems) and you have a qualified person to come to that conclusion.

This all goes for the other companies as well. I would imagine there would be a bit of an uproar on their forums as well if this is the case and it was widespread. Seeing as it has come late in the day, I would not put it past these nefariously deceptive people to come up with this scenario as a smokescreen. Has there been a fuss over at Native Instruments? I've only heard one or two people say this so it doesn't seem that widespread. On the whole it would appear that FXpansion have been the main target, with its customers suffering the majority of the abuse. I also assume Native Instruments to have a larger customer base than FXpansion. If we can only find one or two offended parties from them then there is definitely something else going on here to confuse the issue.

Post

Now, call me a bad minded bastard, but I'm smelling a bit of a rat here:

pmac342002 has just joined the FXpansion forum to declare:

---------------------------------------
I got the email and fell for it. I believed it to be associated with fxpansion. Anyway, long story made short, it is real instruments that work as advertised, but not of fxpansion level quality. I was pissed when I came to the fxpansion site and discovered that they were not associated with fxpansion. I filed a grievance thru PayPal. The next day ClickBank refunded my money.
My impression of DubTurbo is that they are EXTREMELY gimmicky, and not for serious musicians. The product is more of a beginner's toy. They do deliver what they claim, but their marketing is way over the line tacky. I am very relieved to learn the fxpansion is not associated with them.
-------------------------------------------

What a honker!

Can you say 'Damage Limitation'?

I thought so.


And get this, Mr. pmac342002 has the total of - 1 post. So he isn't a previous FXpansion customer, though he might be, but chances are that he has just tracked down and joined the FXpansion website out of the goodness of his heart to let us all know that nasty nasty duff turdo aren't so bad after all.

My bullshitometer is going through the stratosphere on this one.

He just can't help himself can he? Now, is this the affiliate that is getting nailed, or is it Mr. Duff Turdo himself? On the ropes, fighting back the only way he knows how - a spam like sig 'pmac342002' and note, and I quote: "EXTREMELY". My exegesis skills weren't even needed here. Just a nose for total bullshit and pisstaking.

I apologize if I am wrong. Sue me.


Somebody has bitten off more than they can chew, haven't they?


I smell fear in the morning. It smells like... victory!




There are about 10 other things wrong with this post.


FXpansion, do you have an i.p. address for this joker? A valid i.p.?
I'm not asking for it obviously, I'm just wondering if you do.

It could always be someone having a bit of a laugh, but I think the chances are that the explanation lies somewhere else.


Edit:

I see that Mr. pmac342002 Joined: 05 Dec 2012

Talk about covering your bases. And now he makes his first post. I know that I go to the trouble of signing up at a forum all the time and never making a post, only if I need to a few months later, if needs be. Why does this make me even more suspicious, not less?

Mmmm....

Post

Forum accounts are associated with FX user accounts, so Dec 2012 was when pmac342002 first bought a product of ours and registered it. That's all legit - no compulsion to post to our forum as soon as you register a product. Stand down rat-sniffers in that department... ;)
SKoT McDonald
BFD | inMusic

Post

So, I'm officially a 'Rat-Sniffer'. That's good to know.

I do get excited sometimes. But you know...

I try to help, but I just end up rubbing people's noses in the shit.

So it would seem. Next time, I'll keep out of it.



I'll try not to get so excited next time.




If you hadn't mentioned it, I probably would have forgot about it.

But, being a 'Rat-Sniffer'..


How are things going your end?

Did you find out what happened?


Did your database get hacked or not?

Did our passwords get hacked or not?

Do you know or not?


There ain't any easy way out of this, in case you didn't know.

Rat-Sniffer or not.

Just a customer.


Either you know what happened or you don't.




Could you please give us a basic break down of the security breach at FXpansion?

Or at least admit defeat and say you don't know how to deal with security breaches.


Whatever you do, at this point, do not say "we will get back to you when we know more." That is like saying 'the check (cheque) is in the post'.

Go ahead and say it, you have said very little so far. Did you think that this would just disappear?

Rat-Sniffers want to know.


So what if you encrypted our passwords. Encryption can be broken.

Something got broken at your site. A hacker has my very private email that I trusted you with.


And you patronise me like this for trying to help by calling me a f**king Rat-Sniffer?


I don't think your tactic is going to work this way. Nothing personal.

But if you want to turn your best friend into an enemy, be prepared...


Exactly what has happened?

Where did it go wrong?


Or don't you know?

Post

I know what I'd like to say, but I can't. Well, I have to say something.......oh dear.......

I missed the rat sniffers comment. I'm not happy about it. Did I say that professionally enough?

Post

Would very much like more details too.
Massive, Serum. Diva, Repro-1, HIVE, Spire presets, Reason ReFills more! https://NewLoops.com

Post

Well I sure can over-react sometimes.

And sometimes other people can use less than appropriate choice of words.


I suppose in a way this is all good.


There is a certain amount of onus here on FXpansion to show what has gone wrong.


So far, I am sorry, but there have only been weasel words.


It is how many weeks into the event now?


I don't really care. I don't feel particularly threatened.

But, come the end of the year. 2014. Shall we know what went wrong? Shall we see if it was just email addresses?

How much longer for FXpansion to make their report?


Let's just face it:

You got hacked black and blue, and you are stunned. You don't know what the hell happened to you. You are wide open. And the last thing you are going to do is admit that to your paying customers.


This could have been done in private, but no, just like the governments of the day, you will not admit weakness or vulnerability, and anyone that questions you must be crushed by whatever means.


I am going to give you the benefit of the doubt.

The longer your silence, the greater the roar from the paranoid crowd.


Yours, Rat-Sniffer-General...

Post

I agree that I think they should make a statement but I don't think they are obliged to.


If you want answers maybe a private email might be better?
Massive, Serum. Diva, Repro-1, HIVE, Spire presets, Reason ReFills more! https://NewLoops.com

Post

codec_spurt wrote:...Let's just face it:

You got hacked black and blue, and you are stunned. You don't know what the hell happened to you. You are wide open. And the last thing you are going to do is admit that to your paying customers.


This could have been done in private, but no, just like the governments of the day, you will not admit weakness or vulnerability, and anyone that questions you must be crushed by whatever means.


I am going to give you the benefit of the doubt.

The longer your silence, the greater the roar from the paranoid crowd.


Yours, Rat-Sniffer-General...
Ay caramba, this is you giving FXP 'the benefit of the doubt' :lol:

Just a suggestion: maybe the 'paranoid crowd' should drink a little less coffee? :hihi:

Post

Please, read "rat-sniffer" in a good way - that was how it is intended. Bad wordage on my part. We've had a lot of customers and friends putting forward theories, offering white hat hacking advice, giving us leads. I simply meant "the suggested theory isn't one we need to consider in this instance".

In cases like this, to be able to "smell a rat" (ie think up avenues for investigation) is an invaluable service and prized skill. This is the sort of thing the Ohmies would get away with saying, doh..!

We will be making an official announcement early next week. After a lot of extremely thorough trawling of logs and web systems analysis, exchanging information with other companies that were similarly attacked by the same hacker, and putting formal legal pressure on ClickBank to reveal the spammer/hacker's identity and address - all of which take time, and have a due process, some of it has involved lawyers - we are now very confident we know what happened, and what needs to happen next, and that it's under control.

It is for our web team to make the formal statement next week; but the fact that you haven't heard from us yet was because we were making sure we could demonstrate full understanding of the situation, and prepare proper, detailed duty of care for the next stage. If anything had come to light requiring urgent attention, you would have heard from us much, much sooner.
SKoT McDonald
BFD | inMusic
