FXpansion Spam email ?spam? Turbo

Archive support for: fxpansion.com
Post

Thanks SKoT.

I can imagine this is just an unbelievably annoying and frustrating thing for you and FXpansion. Thanks for keeping us updated.

I'm also assuming that you store our passwords in salted hashes and not as plaintext. You do do that, don't you?

------------------------------
Even if hackers have our username and password table, we're covered, right? All they'll see is the hash values. Only the most grossly incompetent of developers would actually store passwords as plaintext in the database, right? Right?
-------------------------------


http://www.codinghorror.com/blog/2007/0 ... ectly.html


------------------------------
Hashing the passwords prevents plaintext exposure, but it also means you'll be vulnerable to the astonishingly effective rainbow table attack I documented last week. Hashes alone are better than plain text, but barely. It's not enough to thwart a determined attacker.
-------------------------------



This site has two zip files of the 10,000 most used passwords with one by frequency. This information is freely available. Crackers use lists built up by security breaches such as these (not implicating you here) to create lists with millions. In fact any hacker worth his salt will be using lists of millions, so these files are just for purposes of demonstration.

http://xato.net/passwords/more-top-worst-passwords/


4.7% of users have the password password;
8.5% have the passwords password or 123456;
9.8% have the passwords password, 123456 or 12345678;
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords


From Coding Horror again:

------------------------
You might think it's relatively unimportant if someone's forum password is exposed as plain text. After all, what's an attacker going to do with crappy forum credentials? Post angry messages on the user's behalf? But most users tend to re-use the same passwords, probably because they can't remember the two dozen unique usernames and passwords they're forced to have. So if you obtain their forum password, it's likely you also have the password to something a lot more dangerous: their online banking and PayPal.
-------------------------------------


I pretty much guarantee that most people who have received this spam are using a password from that list of the top 10,000. Download it and see. And of those people that are, a certain proportion of them will use the same password for PayPal and online banking. So if your database was breached and you didn't store our passwords as hashes that were salted, and if people use the same password for their PayPal as well as their FXpansion account, we are looking at a POTENTIALLY extremely serious situation.

Of course, no one will see any money disappear out of their accounts any time soon. You won't even get any more spam for a little while. Give it a few weeks and then it will come trickling in. There is no doubt about that - our email addresses are on a big list that is going to be sold. Remember, we are gold. We buy when we so easily could steal. And then we buy again. You wouldn't steal a handbag ;-), probably because it involves a certain amount of risk. There is no risk in stealing software. Most people do. I know people that are upper middle class with 3 cars and 4 kids and an 80,000 quid a year job. They pay for NO software. And they think nothing of it. I digress.

Then after a little while again, those that got caught using the same password for their PayPal etc. as their FXpansion account and didn't change it/know about this issue (old no longer used email address), will start to find money stolen from their account. POTENTIALLY. Let's not scaremonger here, and also let's now play down a POTENTIALLY very serious issue.


Now I'm not saying it was your database that was breached. And I'm sure you do salt our hashed passwords (you do, don't you?), so really there is nothing to worry about apart from identity theft, with not just our real names and addresses but our telephone no.s etc... POSSIBLY.


So it would be really good to know if it was your database that was hacked and what information they got. Did they get our home address, telephone no. if so?
Did they get our passwords because you stored them as plain text? There have been quite a few examples of companies you would expect not to be so stupid as to do this, as they exist in the security realm for one and have hundreds of thousands of customers for another. But no, they were that naive and their hundreds of thousands of users' passwords have now been added to the cracker's brute force or dictionary list.


Anyway, this is probably all just a storm in a teacup and no need to worry. Until we find out the full scale of the attack - who orchestrated it, whose database was hacked into and what information they got.


Thanks for keeping us updated SKoT. It's good that you keep us informed and take our very real security worries seriously.


cheers.
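As an added illustration of the salted-hash question raised in the post above (example code written for this thread, not FXpansion's or Coding Horror's own): with bare unsalted hashes, a leaked table is reversed by a single precomputed lookup over a wordlist, which is the idea a rainbow table optimises, whereas a random per-user salt plus an iterated KDF makes the same password hash differently for every account. The wordlist entries beyond the three the thread quotes are constructed filler.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample wordlist: the three entries quoted in the thread plus
# two filler entries. A real cracker list runs to millions of entries.
TOP_PASSWORDS = ["password", "123456", "12345678", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one bare SHA-256 per password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once for a wordlist. This only works
    because every site that hashes 'password' without a salt produces the
    identical digest, so the table is reusable against any leaked database."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def recover_unsalted(stored_hash: str, lookup: Dict[str, str]) -> Optional[str]:
    """What a leaked unsalted table gives an attacker: a dictionary lookup."""
    return lookup.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """The stronger scheme: 16 random salt bytes per user and a slow,
    iterated KDF (PBKDF2-HMAC-SHA256). The salt is stored alongside the
    digest; it is not secret, it just makes precomputation useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup(TOP_PASSWORDS)
    leaked = unsalted_hash("password")          # what a plain-hash DB leaks
    print("unsalted recovers:", recover_unsalted(leaked, table))
    alice, bob = store_salted("password"), store_salted("password")
    print("same password, different records:", alice != bob)
    print("lookup against salted record:", recover_unsalted(alice.split("$")[-1], table))
```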

Post

Tricky-Loops wrote:
VitaminD wrote:
SKoT_FX wrote: We haven't found anything yet, and we've had the entire web team on log-scanning duty for a few days now. We'll continue for a while longer, until we run out of things to check, at that point I don't know what else we can do. In parallel we're chasing down the physical whereabouts of the spammer / identity thief.

Naturally we'll be reviewing every stage of our operations for holes; sadly this is a continually moving target. Do we add more frequent security reviews? How often? Will there be time for coding music software at some point still? (I've lost 3 days of BFD coding time this week to playing Cyber Sherlock Holmes).

I can categorically rule out financial stuff tho - as I've stated on several threads, that stuff is entirely handled by the banks.
Free Geist expanders for all! :hyper:
You will get Dub Turbo for free... :lol:

(No, just a joke, I don't have anything to do with Dub Turbo...)
Maybe a limited edition Geist expander called 'Tub Durbo'

Post

Yay none of my beloved passwords are on the list, I feel relieved ! :D

Post

codec_spurt wrote: Thanks SKoT.
This was a very interesting read and I know that emails, names, phone numbers and that do get sold and bought. I have seen documentaries about this so it DOES happen.

Might be a good idea to change the password of your accounts if you had the spam 'Dick Turbo' email?

Post

I pretty much guarantee that most people who have received this spam are using a password from that list of the top 10,000. Download it and see. And of those people that are, a certain proportion of them will use the same password for paypal and online banking. So if your database was breached and you didn't store our passwords as hashes that were salted, and if people use the same password for their paypal as well as their FXpansion account, we are looking at a POTENTIALLY extremely serious situation.
SHIT! I always use unique passwords for every site, but changed it to my 'master' when I forgot said unique FXpansion password a month or two back. Had completely forgotten I'd done that until I tried logging in just now. Ahh, tits. A day of password changing it is then...

There I was writing a post about how 'good password hygiene is easy, fools!' until I tried logging in at FX just to be sure I was using a unique one. Egg. On. Face.

Post

I pretty much guarantee that most people who have received this spam are using a password from that list of the top 10,000.
Even with a relatively secure password, cracking it is not too difficult these days. Check out this article from Ars Technica if you're interested:

http://arstechnica.com/security/2013/05 ... -passwords

Peace,
Andy.
... space is the place ...

Post

This is kind of cool to check out. It's a password testing site and gives you a time estimate on how long your password might take to crack.

https://howsecureismypassword.net/


It would take a desktop PC about 5 trillion quadragintillion years to crack my random gibberish password. I don't use this one though I just had to test something ridiculous.

Length: 81 characters
Character Combinations: 77
Calculations Per Second: 4 billion
Possible Combinations: 639 octillion quadragintillion
Last edited by V0RT3X on Fri May 31, 2013 7:38 pm, edited 1 time in total.
:borg:
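The numbers in the post above can be reproduced by hand, and the same arithmetic shows why a password taken from a top-N list falls instantly whatever the guess rate. This is an added example, not the checker site's code; it assumes a 365.25-day year and takes the 81-character length, 77-symbol alphabet and 4 billion guesses per second straight from the post.

```python
SECONDS_PER_YEAR = 365.25 * 86400  # assumption: the checker's year length is not stated


def search_space(length: int, alphabet_size: int) -> int:
    """Candidate strings an exhaustive search must cover. Exact big-integer
    arithmetic, so 77**81 is not rounded away."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock time for a guesser running at a fixed rate."""
    return space / guesses_per_second


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def wordlist_seconds(entries: int, guesses_per_second: float) -> float:
    """Time to try every entry of a leaked or top-N list. The search space is
    the list size, not alphabet**length, however long the password looks."""
    return entries / guesses_per_second


def report(length: int, alphabet_size: int, guesses_per_second: float) -> dict:
    """Summarise one password shape the way the checker does."""
    space = search_space(length, alphabet_size)
    return {
        "length": length,
        "alphabet": alphabet_size,
        "combinations": space,
        "years": years_to_exhaust(space, guesses_per_second),
    }


if __name__ == "__main__":
    # The post's 81-char / 77-symbol password: ~6.39e152 combinations,
    # i.e. 639 octillion quadragintillion, and ~5e135 years at 4e9/s.
    print(report(81, 77, 4e9))
    # A "relatively secure" 8-char password from the same alphabet: days.
    print(report(8, 77, 4e9))
    # Any entry of the 10,000-password list: microseconds.
    print("top-10,000 list exhausted in %.2e s" % wordlist_seconds(10_000, 4e9))
```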

Post

Of course my passwords are not on that list.

My fxpansion email matches the email, case closed for me.

When I'm logged in here, my email is visible to me, is it visible to everyone?

Post

For the ultimate paranoid people out there

create passwords at least 16 characters long or more.

use this https://secure.pctools.com/guides/password/

keep a log of your codes somewhere safe (Not on your computer!)
*Secure locked USB drive with a password you can remember to access your list*
:borg:

Post

If you trust Microsoft more than the other password strength tester then use this
https://www.microsoft.com/en-gb/securit ... ecker.aspx
:borg:

Post

V0RT3X wrote: If you trust Microsoft more than the other password strength tester then use this
https://www.microsoft.com/en-gb/securit ... ecker.aspx
... or test with a password that is like your password, but not actually "four battword"

:)
... space is the place ...

Post

If you mix your email with caps or numbers randomly, chances are better you won't get foiled. Doesn't mean they won't nab you anyways.

Post

Yes, all FXpansion account passwords are encrypted, and always have been.

Further update: it appears VirtualDJ is now being spoofed as a source of emails as well. If you are a VirtualDJ customer, but NOT an FXpansion customer, we would be interested to hear from you to establish if there are a bunch of music software companies that have been compromised, or whether it is just a new "from" address spoof going to our customers' email addresses.

ClickBank are shutting down new aliases of the spammer as fast as we report them. DubTurbo is assisting us in gathering as much information as we can.

- SKoT
SKoT McDonald
BFD | inMusic

Post

cron wrote:
I pretty much guarantee that most people who have received this spam are using a password from that list of the top 10,000. Download it and see. And of those people that are, a certain proportion of them will use the same password for paypal and online banking. So if your database was breached and you didn't store our passwords as hashes that were salted, and if people use the same password for their paypal as well as their FXpansion account, we are looking at a POTENTIALLY extremely serious situation.
SHIT! I always use unique passwords for every site, but changed it to my 'master' when I forgot said unique FXpansion password a month or two back. Had completely forgotten I'd done that until I tried logging in just now. Ahh, tits. A day of password changing it is then...

There I was writing a post about how 'good password hygiene is easy, fools!' until I tried logging in at FX just to be sure I was using a unique one. Egg. On. Face.
Like the article that I linked to says - we are all human.

I also had a really dumb password connected to major stuff. I don't practice what I preach. Then again, I never said I did. This is just stuff to learn from. For all of us. Me as much as anyone.

Post

ZenPunkHippy wrote:
I pretty much guarantee that most people who have received this spam are using a password from that list of the top 10,000.
Even with a relatively secure password, cracking it is not too difficult these days. Check out this article from Ars Technica if you're interested:

http://arstechnica.com/security/2013/05 ... -passwords

Peace,
Andy.
There are more ways than that even. I read that article before and it is quite informative. However, I don't just use a 'relatively secure' password, I use an unbreakable password that would need a quantum computer to crack. Problem is, I only use this on a couple of things. Stuff like FXpansion and Camel Audio accounts I admit, I use the same password coz it is easier to remember. Did I mention I am human? I have learned.

This is why I am interested to know what has gone wrong. To learn.

I have two types of password - one that can be cracked in ten minutes or even guessed, and the other that would take all the super-computers on the planet a few thousand years to break. It is actually quite simple if you combine upper/lower case, numbers, special characters. Problem is, a lot of places won't let you do that. I use the first for what I consider unimportant sites and the second for when I just absolutely have to guarantee my arse is covered. I'm an all or nothing type of guy and I know there is a grey area, but...

Then again it is not so simple.

http://www.codinghorror.com/blog/2007/0 ... -hack.html

Social Engineering can glean passwords where rainbow tables and brute force fail. I just came across a phishing site reported by Comodo from a reputable member of this very site (KVR). And like the article says, like an idiot, I still dived right in. This was because I was sure it was a false positive, and I like to think I can tell the difference. Most people don't even have this on their radar. Then again if you read that article there were greater computer experts than I who were part of the demographic.


For me, security is binary. There is no middle ground. Is this a site where I must absolutely protect myself, or is it just not worth bothering about. Btw, my password at KVR (and this is assuming they don't store it as plain text) is virtually uncrackable. You won't find me coming on here after going off the rails and saying, er, someone cracked my password. ;-) Then again, I use it for other sites, so if there was a breach there, then here would be compromised too. But they aren't interested in posting here as me trying to destroy my reputation (too late ;-)), they are more interested in being able to empty my bank account without being caught.


cheers.
