There's a post on reddit that suggests that GOMTV has been compromised. I have independently verified that at least some usernames, passwords and email addresses have been compromised.
There appears to be zero security on the passwords as they were stored in plain text (really GOM?). This means if you use your GomTV password anywhere else, you should change it and consider it compromised. To clarify, your GomTV.net username, email address, PayPal real name and your GomTV.net password are likely compromised. Personal information such as your address may be compromised too if it was stored. You should also change your GomTV password to prevent unauthorized account access, although the exploit through which the information was compromised may still exist.
Since payments are processed through PayPal, there is no risk of your financial information being compromised, unless you used your PayPal password when signing up for GomTV (don't do this). Users who logged in via SNS should be safe, as Twitter / Facebook authentication is token-based, not password-based.
If you aren't already, you should really use unique passwords for each website, since this happens more often than you think (ever hear someone say they were "hacked"? This is likely how it happens) and not all websites will disclose if they get compromised. Use http://keepass.info/ for password management.
UPDATE: Email from GOM:
Dear Valued GOMTV.net users:
We regretfully inform you that approximately at 2 AM KST, Aug.12th, there has been an attack against our web site, GOMTV.net.
We have found that some of the user information from GOMTV.net has been compromised from the attack. We suspect that the following information might have been exposed: name, location (country), e-mail address, GOMTV.net nickname and password.
We deeply apologize for the inconvenience and concern caused by the intrusion.
Since we use PayPal’s service to handle payments, we do not store nor have any payment related information on our site including your credit card numbers and bank account details.
We strongly encourage you to change your GOMTV.net password and if you have been using the same password for other web sites, we suggest changing the passwords for those sites as well.
Users who have signed up with Facebook or Twitter do not have to worry about changing their passwords as they did not have to enter separate passwords at the time of sign up.
As soon as we discovered the sign of intrusion we have conducted a complete investigation into the incident and have also taken steps to enhance security and strengthen our network system in order to provide you with better protection of your personal information.
We greatly appreciate your patience and understanding and we pledge to work harder to bring you a better and greater service experience.
If you have any concerns or questions please feel free to contact us at support@gomtv.net.
Helpful comment for those of you unsure of what this means, via Reddit.
Bank details are NOT at risk. While this is bad for GOM, don't start sensationalising it. Saying it's "a leak on the scale of the PSN shitstorm" is bullshit, plain and simple.
All payments made to GOM are handled through PayPal. GOM has no access to your financial details in the first place, so bank details have not and never will be compromised. This is why so many internet vendors use PayPal; it's amazingly secure, and all payments are processed externally.
I can see you getting more and more worked up about this with every comment. Calm the fuck down. It's bad and GOM certainly needs to fix it, but at the end of the day a bunch of names and e-mails isn't really the most private of data.
On August 13 2011 03:14 R1CH wrote: There appears to be zero security on the passwords as they were stored in plain text (really GOM?). This means if you use your GomTV password anywhere else, you should change it and consider it compromised. To clarify, your GomTV.net username, email address, PayPal real name and your GomTV.net password are likely compromised. Personal information such as your address may be compromised too if it was stored. You should also change your GomTV password to prevent unauthorized account access.
What if you've been using third-party authentication, ie having my twitter login be my GomTV login? Is my Twitter compromised?
edit: oh gg I'm dumb, sorry. Good thing I did use Twitter for authentication, then. This thread should probably be highlighted on the front page so it gets more attention.
GOM is so unprofessional. The level of play of their players is amazing, but the business side of the Korean SC2 scene is really lacking to say the least.
On August 13 2011 03:16 thoradycus wrote: I used visa/mastercard to buy my ticket. Am I in trouble?
No, your financial information is safe since payments are done via PayPal.
On August 13 2011 03:18 itsjustatank wrote: What if you've been using third-party authentication, ie having my twitter login be my GomTV login? Is my Twitter compromised?
Well, the only other place that I used the same ID/PWD combo as the one I use on GomTV is actually RIGHT HERE, so thanks for the heads up. Password is now changed and I can safely go back to playing ... HoN :D
Are you serious? When you're dealing with as many customers as GOM has, how can you not do your part to protect your customers' information? GOM not only needs to step up their security but also give something back to its customers for their errors (free season tickets?). I will no longer be buying GSL season tickets until GOM fixes its security issues. Now if you'll excuse me I have to go change all of my passwords.
On August 13 2011 03:20 ZidaneTribal wrote: when you say compromised do you mean stolen? and who would hack gomtv.net, some BW activists?
OP of the Reddit post here, I was in the original /v/ thread, which is where it came from. In it, there was no hostility; it was more showing off the numbers in the picture, which show how many people buy GOMtv tickets. He was saying 'esports is not dead'. I doubt he was trying to cause any harm, because the picture with the compromised passwords/usernames is in the background and isn't the focus.
Someone just pointed out that the exploit through which this information was gained may still exist, so you may want to hold off changing passwords until GomTV confirm it is safe.
On August 13 2011 03:24 R1CH wrote: Someone just pointed out that the exploit through which this information was gained may still exist, so you may want to hold off changing passwords until GomTV confirm it is safe.
I really doubt it will have been fixed. But regardless, changing passwords will not harm anyone, and it will only make it safer, although not by much at all.
On August 13 2011 03:24 R1CH wrote: Someone just pointed out that the exploit through which this information was gained may still exist, so you may want to hold off changing passwords until GomTV confirm it is safe.
And I read this just after I changed my password xd
Yup, this happened to me when I bought the pass for the GSL Super Tournament. A couple of days later my email was compromised as I stupidly used the same password, so I had to change it.
By the way, as a website developer, I can tell you storing passwords in plain text is much more common than most people think, even for large websites.
Basically, if you do the "forgot my password" procedure and get sent the original password, most of the time it means it's in plain text in the database.
There should be laws against that. I don't understand how it's still possible to do such things (on large sites). Anyway, with that in mind, always pick different passwords for important stuff or, better, never use the same password twice.
O RLY GOM. What a shame not to crypt the passwords; every programmer knows that you have to crypt them ... Now I have to change a good third of my passwords, yay.
Well I'm just worried as my email was my first/last name at gmail... Although it ended up being an email I only have tied to my GOM account, so I'm not all that concerned about being hacked, although I'll change all my passwords anyway.
I was about to ask if I was at risk, but then I saw that those of us who logged in through FB are not. TY for the warning and I am really disappointed at GOM for keeping the passwords so unprotected...
On August 13 2011 03:30 HTODethklok wrote: I just changed all my other passwords but left my GOM password the same. I won't be editing that one until the issue is resolved.
lol that must have taken a lot of work. how do you change all your passwords so quickly
Meh, don't use the same password for anything anyway so I'm cool. I'm sure GOM will fix it ASAP, TY for the warning R1CH. (Honestly you'd think with all this kind of shit going on by 2011 people wouldn't use the same pw. )
Edit: With that said the numbers look pretty sweet. Props to the e-Sports community for managing over $2.5m this past year.
Yeah, this is totally unacceptable if it is true. Storing passwords in plain text? I learned about hash tables in fucking high school. Gom definitely owes us an explanation.
Not surprising. Korean websites seem to be notoriously poorly coded (sc2bw anyone?). I remember not too long ago gomtv didn't even filter anything in comments and were like here, use XSS lol. Out of curiosity do you know the nature of the exploit? Was it something trivial like SQL injection?
I think someone with skills got pissed that the Koreans withdrew; too bad that prick didn't know the full story, or he might not have done this. EFFING a-hole hackers!
On August 13 2011 03:41 Chaosvuistje wrote: God damnit, plain text?
Come on... why does EVERY website out there seem to be made by a complete security noob! This is first grade database protection people =.= . Sigh...
It's really not surprising. I'm working on my computer science bachelors right now and security is barely ever touched upon. A class that covers databases never even bothered telling students to use prepared statements. I know several of my classmates turned in projects that were completely vulnerable to SQL injection. I doubt half of my classmates know what salting a hash means rofl.
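The post above mentions two things in passing that are the core of the problem: string-built SQL and prepared statements. The following is an added example (not code from GOMTV, TeamLiquid or anyone in this thread, and it says nothing about how GOMTV was actually breached) showing the generic class of bug in the smallest realistic form: a login query assembled by string formatting beside the parameterized version, run against a constructed in-memory SQLite table. The table names, sample rows and payloads are all made up for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows. The password
    column is plaintext on purpose: it mirrors the storage this thread is
    complaining about, and it is what a successful injection hands straight
    to the attacker."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, nickname TEXT, "
        "email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (nickname, email, password) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "soccer"),
         ("bob", "bob@example.com", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, nickname: str, password: str) -> list:
    """Vulnerable: the query is assembled by string formatting, so a quote in
    user input closes the literal and the rest of the input is parsed as SQL."""
    sql = (
        "SELECT nickname FROM users WHERE nickname = '%s' AND password = '%s'"
        % (nickname, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn: sqlite3.Connection, nickname: str, password: str) -> list:
    """Hardened: the statement text is fixed and the values travel as bound
    parameters, so the driver never interprets them as SQL."""
    sql = "SELECT nickname FROM users WHERE nickname = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (nickname, password))]


# Two classic payloads, constructed for this example.
BYPASS = "' OR '1'='1"                                          # log in as anyone
DUMP = "' UNION SELECT email || ':' || password FROM users -- "  # export other columns

if __name__ == "__main__":
    conn = make_db()
    print("legit login (prepared):   ", login_prepared(conn, "alice", "soccer"))
    print("bypass vs. concat:        ", login_concat(conn, "anyone", BYPASS))
    print("bypass vs. prepared:      ", login_prepared(conn, "anyone", BYPASS))
    print("dump vs. concat:          ", login_concat(conn, DUMP, "x"))
    print("dump vs. prepared:        ", login_prepared(conn, DUMP, "x"))
```

The second payload is the one that matters for a breach like this: a single injectable SELECT is enough to walk out with every email/password pair in the table, which is exactly why plaintext storage turns a web bug into an account-takeover problem on every other site the same password was used on.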
On August 13 2011 03:41 Chaosvuistje wrote: God damnit, plain text?
Come on... why does EVERY website out there seem to be made by a complete security noob! This is first grade database protection people =.= . Sigh...
It's really not surprising. I'm working on my computer science bachelors right now and security is barely ever touched upon. A class that covers databases never even bothered telling students to use prepared statements. I know several of my classmates turned in projects that were completely vulnerable to SQL injection. I doubt half of my classmates know what salting a hash means rofl.
O god, that seems like bad teachers?? Salting isn't the only security-proof method used.
SHA-1, 256/512, even an MD5 can take months to crack. And with salted MD5 the salt can be isolated, and thus negated.
God damnit, I like to use the same few passwords for everything because there are too many different sites to keep track of any more, then shit like this happens and I run out.
On August 13 2011 03:41 Chaosvuistje wrote: God damnit, plain text?
Come on... why does EVERY website out there seem to be made by a complete security noob! This is first grade database protection people =.= . Sigh...
It's really not surprising. I'm working on my computer science bachelors right now and security is barely ever touched upon. A class that covers databases never even bothered telling students to use prepared statements. I know several of my classmates turned in projects that were completely vulnerable to SQL injection. I doubt half of my classmates know what salting a hash means rofl.
Which is why I have a big hatred towards IT people. Too many times have I encountered someone with a degree that has absolutely no knowledge of SQL injections or hashes. Too many times have I been lied to that everything is optimized for speed and all that jazz when all they are doing is tying strings together until the thing starts falling apart.
It's depressing to be someone in the design industry and have more knowledge of security than some of the people that are actually supposed to know that sort of thing...
On August 13 2011 03:41 Crying wrote: I don't know, even if we reset the password will we be fine? I already reset my password and got a new one, but there is one but:
If GOMTV got SQL'd and the database was exported then it's pretty fucked up... a lot of accounts will be compromised if GOM doesn't fill the gap right now.
I doubt they are trying anything else than just getting PayPal accounts from it by using the same emails and passwords to log in, on top of the emails themselves too. Don't think they care enough about the actual GOM accounts.
Maybe they really really just wanted to watch the HQ GSL and GSTL streams =P
Thank you for the notice R1CH, will do. Also really glad I have different passwords for GOMtv and my actual e-mail. Still, worth making sure that nothing happened.
On August 13 2011 03:41 Crying wrote: I don't know, even if we reset the password will we be fine? I already reset my password and got a new one, but there is one but:
If GOMTV got SQL'd and the database was exported then it's pretty fucked up... a lot of accounts will be compromised if GOM doesn't fill the gap right now.
Every account is already compromised. As you say someone may have exported their whole user database and no matter how quick GOM acts they can't do much about that. If anyone did use their gomtv password for anything else important they need to change the password to those other things, and in particular if their email account has the same password. Changing your gom password will not necessarily do anything as someone may have your old password on file, and someone said the exploit still works.
Storing passwords in plaintext is obviously stupid, but given how badly designed many sites are people experienced with the Internet should have learned rudimentary protective measures (ideally unique passwords via an app like KeePass, but at least unique password for mail and financial management).
On August 13 2011 03:45 Phenny wrote: God damnit, I like to use the same few passwords for everything because there are too many different sites to keep track of any more, then shit like this happens and I run out.
As R1CH recommended try using an application like KeePass. You remember one master password that you DO NOT use for anything else, then have it generate complicated unique passwords for all sites. Personally I also regularly write down a hard copy of my passwords in case of HD failure.
On August 13 2011 03:30 HTODethklok wrote: I just changed all my other passwords but left my GOM password the same. I won't be editing that one until the issue is resolved.
lol that must have taken a lot of work. how do you change all your passwords so quickly
Opened up all accounts that use the same password as my GOM account in different tabs in my browser, then went through and changed the passwords one at a time. Plus using CTRL+F to find the word Password on each web page helps find the change-your-password selection.
Glad I use one particular password and email address for all the sites and stuff I don't care about...
Guess I'm not really surprised this happened, but still kind of surprised companies don't take the time and care to do some basic security on this kind of thing. GL to all the people seriously compromised. :/
This crap is exactly why I prefer finding the 'illegal' user re-streams of the GOM events instead of downloading their precious little player. Ridiculous that TL bans people for posting streams of the events when GOM has zero countermeasures to protect account information in place.
They btw will need a lot of time to get all the passwords and usernames... For instance 700 user/passwords is around 1 hour to get and keep. Btw, what was the exploit used, is it SQL string-based, time-based?? Or just a perl exploit?
Well, I only use that password for facebook, soooo...
I don't think it's a big deal. About all they can do is hack my facebook, but I can't see that being worth anyone's time or money just to troll my friends.
On August 13 2011 03:52 Hurricane Sponge wrote: This crap is exactly why I prefer finding the 'illegal' user re-streams of the GOM events instead of downloading their precious little player. Ridiculous that TL bans people for posting streams of the events when GOM has zero countermeasures to protect account information in place.
Of course. You knew that GOM had zero countermeasures in place before this so that is exactly why you watch illegal restreams. Brilliant argument here.
Anyone know when exactly GomTV was hacked? Since I changed my PW yesterday to something I never used before, hopefully it was after this.
I can't believe after everything happening at the moment regarding hacking etc. companies still store passwords in plain text... this should really be illegal by now!
PLAIN TEXT. Oh man. A bunch of hashes to feed to some rainbow tables is bad enough, but seriously plaintext ?!?!?!?
I guess it is time to change my "I don't really care about it" password on a bunch of sites then, and leave it the same on GOM until I'm happy they have cleaned up whatever bug they had that exposed the information, and if someone wants to freeload off my account in the meantime, well, GOM kinda deserve it.
On August 13 2011 03:52 Hurricane Sponge wrote: This crap is exactly why I prefer finding the 'illegal' user re-streams of the GOM events instead of downloading their precious little player. Ridiculous that TL bans people for posting streams of the events when GOM has zero countermeasures to protect account information in place.
If you have problems with your brain please see your doctor!
Strange GOMTV didn't provide information to its users. The exploit might still be active; that could be why they don't want to communicate about it. If it's not, every minute they wait is a minute a hacker can use to access a website with the password he retrieved.
This is pretty silly that GOM was storing the passwords in unencrypted methods. You would think a company that runs TV stations would have better security on a website taking money than that.
I have a GOM account but I could never remember the password so I always signed in with Twitter. So I should be safe, but just in case I'ma change the password anyway.
On August 13 2011 03:56 adbrl wrote: Anyone know when exactly GomTV was hacked? Since I changed my PW yesterday to something I never used before, hopefully it was after this.
I can't believe after everything happening at the moment regarding hacking etc. companies still store passwords in plain text... this should really be illegal by now!
I doubt it's possible to confirm when this first happened. Even if the ones who publicized this did it recently others may have downloaded the whole db months ago and just be waiting for a buyer (to spam mails for instance which is likely the most real risk).
Mr. Chae if you are following this thread use hash from now on. It's easy to setup and you would avert any future embarrassment. This also applies to any budding website developers.
On August 13 2011 03:52 Hurricane Sponge wrote: This crap is exactly why I prefer finding the 'illegal' user re-streams of the GOM events instead of downloading their precious little player. Ridiculous that TL bans people for posting streams of the events when GOM has zero countermeasures to protect account information in place.
Of course. You knew that GOM had zero countermeasures in place before this so that is exactly why you watch illegal restreams. Brilliant argument here.
I had my suspicions, and it looks like I was right. Just because I'm paranoid doesn't mean they're NOT all out to get me.
On August 13 2011 03:41 Chaosvuistje wrote: God damnit, plain text?
Come on... why does EVERY website out there seem to be made by a complete security noob! This is first grade database protection people =.= . Sigh...
It's really not surprising. I'm working on my computer science bachelors right now and security is barely ever touched upon. A class that covers databases never even bothered telling students to use prepared statements. I know several of my classmates turned in projects that were completely vulnerable to SQL injection. I doubt half of my classmates know what salting a hash means rofl.
Seriously? I followed a CCNA (network) course and I don't know how much security got drilled into our heads. It went to the point where at least 1/4th of the whole thing was about all possible security methods.
Well this is lovely, taught me a lesson. I used the same email and password I used to sign in with GomTV as my MSN email, which got hacked today; could just be coincidence but meh.
On August 13 2011 03:41 Chaosvuistje wrote: God damnit, plain text?
Come on... why does EVERY website out there seem to be made by a complete security noob! This is first grade database protection people =.= . Sigh...
It's really not surprising. I'm working on my computer science bachelors right now and security is barely ever touched upon. A class that covers databases never even bothered telling students to use prepared statements. I know several of my classmates turned in projects that were completely vulnerable to SQL injection. I doubt half of my classmates know what salting a hash means rofl.
Seriously? I followed a CCNA (network) course and I don't know how much security got drilled into our heads. It went to the point where at least 1/4th of the whole thing was about all possible security methods.
Well a course for a cisco cert is a lot more likely to focus on security. Computer science is more theory and math and less practical shit. The problem is the majority of students graduating with a cs degree will go into software development where they will plague the world with their incompetence.
Shouldn't be a problem as I use different passwords. I'm disappointed in GOM for not encrypting any of the data. That is something that should be done.
No encryption, I don't understand how corporations still fail to see how important it is. Anyway, I use Facebook login so I guess that means I'm not in the crossfire?
Storing in plaintext is absolutely unacceptable. I cannot even begin to explain how stupid this is by GOMtv. I'm not gonna check until I hear some official word from GOMtv but even then I'm hesitant. Time to find some restream links....
On August 13 2011 03:45 Crying wrote: SHA-1 256/512 even an MD5 can take months to crack. And MD5 salted the salt can be isolated ,and thus negated.
Your 14 character long password with uppercase, lowercase, symbols, and numbers isn't anything that won't fail to a sufficiently large rainbowtable attack within minutes. Sure, salting passwords makes them no stronger versus bruteforce/dictionary attacks, but adding a 20 character salt makes it significantly stronger versus rainbowtables, unless a new set of rainbowtables is generated to target that specific salt, which takes a long, long time (but can be reused for extremely fast and efficient attacks on the whole database).
All the SHA algorithms are also vulnerable to rainbow table attacks.
It's funny how you call out people for not knowing basic cryptography, when you yourself don't know some of the most basic attack methods. I'm not claiming to be some expert, since I'm not, but I do know that you've stated some clearly incorrect statements.
That said, it's still sad that GOM stored passwords in plaintext. Just use this as an opportunity to understand the "do not reuse passwords" warning that many sites give. Hopefully it'll get resolved soon.
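The back-and-forth above (Crying's claim that salted MD5 can be "negated", the reply about rainbow tables, and the later point that a dictionary word falls regardless of hashing) is easier to settle by running it. This is an added example, not code from GOMTV or from anyone in the thread, and the "rainbow table" is a constructed five-word stand-in for a real precomputed table; the iteration count and salt length are choices made for this example. It shows three things side by side: an unsalted fast hash falls to a lookup, a per-user random salt with a slow iterated hash (PBKDF2-HMAC-SHA256 from the standard library) defeats any shared table, and a weak password is still guessable even when salted because the attacker can simply redo the derivation per candidate.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed stand-in for a precomputed lookup ("rainbow") table: a handful
# of common passwords. A real table is enormous, but the lookup works the same.
COMMON_PASSWORDS = ["soccer", "password", "123456", "starcraft", "mother"]

# PBKDF2 work factor chosen for this example; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000


def unsalted_md5(password: str) -> str:
    """One fast, unsalted hash. Every user with the same password gets the
    same digest, so one precomputed table cracks all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> dict:
    """Attacker-side precomputation: digest -> plaintext, paid for once."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(digest: str, table: dict) -> Optional[str]:
    """Recovering an unsalted digest is a dictionary lookup, not a computation."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256).
    Returns the record a site should store instead of the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(record["digest"]))


def crack_salted(record: dict, words: Iterable[str]) -> Optional[str]:
    """Against a salted record the attacker must redo the full derivation per
    candidate, per user. A weak password still falls; the shared table does not help."""
    for w in words:
        if verify_password(record, w):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted md5('soccer') cracks to:", crack_unsalted(unsalted_md5("soccer"), table))
    weak = hash_password("soccer")
    strong = hash_password("s0cc3rrrr8765")
    print("same password, two users, digests differ:",
          weak["digest"] != hash_password("soccer")["digest"])
    print("salted weak password vs. word list:  ", crack_salted(weak, COMMON_PASSWORDS))
    print("salted strong password vs. word list:", crack_salted(strong, COMMON_PASSWORDS))
    print("login check:", verify_password(strong, "s0cc3rrrr8765"),
          verify_password(strong, "soccer"))
```

Note what the salt does and does not buy: the same password hashed for two users gives two unrelated digests, so the table built for one site (or one user) is useless against the next, but nothing stops a per-user dictionary run; only the slow iterated derivation makes each guess expensive, and only a non-dictionary password makes the run fail.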
Is there any way for me to check whether or not my account has been compromised? I think I remember Sony providing such a service after they had their data stolen?
Not really surprised that it'd be compromised... considering you can just download the HQ VODs from their site without... and they haven't made any significant changes since 8 months ago... just a token for authentication (since December 2010 or so)... and their app is poorly designed, too...
It would be nice if I learned about this from GOMTV first. So far, the only acknowledgement by GOM is a single post on the GOMTV forum by a worried random user.
Do they even know there's a security problem, and if so, why aren't they telling anyone?
On August 13 2011 03:45 Crying wrote: SHA-1 256/512 even an MD5 can take months to crack. And MD5 salted the salt can be isolated ,and thus negated.
Your 14 character long password with uppercase, lowercase, symbols, and numbers isn't anything that won't fail to a sufficiently large rainbowtable attack within minutes. Sure, salting passwords makes them no stronger versus bruteforce/dictionary attacks, but adding a 20 character salt makes it significantly stronger versus rainbowtables, unless a new set of rainbowtables is generated to target that specific salt, which takes a long, long time (but can be reused for extremely fast and efficient attacks on the whole database).
All the SHA algorithms are also vulnerable to rainbow table attacks.
It's funny how you call out people for not knowing basic cryptography, when you yourself don't know some of the most basic attack methods. I'm not claiming to be some expert, since I'm not, but I do know that you've stated some clearly incorrect statements.
That said, it's still sad that GOM stored passwords in plaintext. Just use this as an opportunity to understand the "do not reuse passwords" warning that many sites give. Hopefully it'll get resolved soon.
I'm familiar with rainbow tables, but being hacked by rainbow tables means that the password you chose is already in the table... RT is also a dictionary attack if I'm not mistaken, and if your password is SOCCER it's gonna be cracked within seconds, but if it's s0cc3rrrr8765 it's not gonna get hacked by a rainbow table...
On August 13 2011 04:23 Aim Here wrote: It would be nice if I learned about this from GOMTV first. So far, the only acknowledgement by GOM is a single post on the GOMTV forum by a worried random user.
Do they even know there's a security problem, and if so, why aren't they telling anyone?
It's 4am, the majority of them are probably sleeping.
thanks for letting me know. I will be using keepass now. Looks easy enough to use.
Question though. Say you are at a friend's house or something and want to look something up. Can you gain access to these PWs any other way? No way I can remember 30 random characters lol
This reminds me how protected you can be with facebook. Even if you tell your password to anyone, unknown devices/computers cannot login without SMS code which you get automatically from Facebook. ^^ Unless your telephone gets stolen, there's no way. I wish all websites were like this.
On August 13 2011 04:00 LegionUK wrote: I've never trusted things like KeePass, would people actually recommend it?
Rich recommended it before.
Yeah I saw that, just wondered if anyone else has any experience using it though.
It's pretty easy to use, they have a small beginner tutorial on their page that helps you to set it up... Been using it for a week now and didn't encounter any problems. I imagine it could become a bit bothersome if you are using someone else's PC and want to do a quick check of your Facebook or something like that, since you're going to need KeePass and your PW data file on that PC as far as I can tell :o
On August 13 2011 04:28 pureability wrote: thanks for letting me know. I will be using keepass now. Looks easy enough to use.
Question though. Say you are at a friend's house or something and want to look something up. Can you gain access to these PWs any other way? No way I can remember 30 random characters lol
You can save your KeePass database on a USB stick, then just make sure to carry your USB around. It takes like 10 seconds to install KeePass on someone else's computer if you really need to access something on their computer.
Okay, that isn't pretty. The log-in information was just there in the database with zero encryption? Oh boy, GOM, please hire someone that knows at least basic server / database security ;(.
You guys should avoid changing your password on GOMtv until it's been confirmed that the security flaw has been fixed, unless you're changing it to a unique password.
Damn, MLG seems to be down. Can't access my profile to change my password.
Can we talk about the whole plaintext thing for a second? It feels like I, with no actual security training, would be better at securing half the world's websites.
How much was the Sony security guy (the one that also decided to store passwords in plain text) getting paid? Pay me half, I can do that job easily, since apparently despite having no actual education in security, I know more than him/her.
How about the guy at GOM who decided to store passwords in plaintext? How much did they pay him to make such awful security decisions?
It's frustrating that over and over again this shit happens, and companies keep using poor security regardless.
I'm not too worried. Oh and the passwords as plain text deal... GOD WTF... I can sort of forgive GOM cause they are small. But PSN doing that was LOL do they not have experienced men on board? Storing PW as tokens is like the most basic thing.
It seems to me that mainly Asian websites are having plain-text stored passwords, PSN, now GOMTV; I can't recall a major big corporation in the USA/Europe that had such problems?
Question: Right now my GOMTV password is not the same as my other passwords, however, a few months ago, it was. Should I still go and change my other passwords?
On August 13 2011 03:18 Keap wrote: GOM is so unprofessional. The level of play of their players is amazing, but the business side of the Korean SC2 scene is really lacking to say the least.
This sucks for GOM, but thankfully nobody's bank information is at risk. Also major thanks to R1CH for bringing this to the forum and also showing KeePass, this seems great.
It's actually incredibly, frustratingly, and unreasonably expensive for private companies to have proper data security. It's a bit like how businesses pay exorbitant prices for their computer hardware from 'IT business solutions' companies.
So what could be motivation for this? Did someone really want to see some GSL that badly without paying? Everyone change your PWs, allow no freeloaders!
On August 13 2011 04:48 duckTemplar wrote: Oh they have my email, my password and access to my PayPal now, rather unfortunately, I just paid for GSL August a few days ago.
On August 13 2011 03:18 Keap wrote: GOM is so unprofessional. The level of play of their players is amazing, but the business side of the Korean SC2 scene is really lacking to say the least.
That happens to the best companies.
Sometimes there is just bad luck.
Heard that some quite small unheard company called Sony did a similar thing, saving data in a simple text.
Can't believe the passwords weren't even encrypted -_- Well, I was overdue for a password change anyway. Thanks for the keepass link, definitely gonna use that instead of my poorly hidden notepad file.
On August 13 2011 04:45 gullberg wrote: What if I logged in via twitter/facebook. Has it been compromised?
Did you read the OP?
Not really, freaked out since I use that password for a lot of important stuff <.<
Good to know that I'm not affected, lol.
Stored in text? lol'd
You should use different passwords for different stuff... I have always done so, but they were rather simple, since they were so many and I had to remember them by head. Didn't know about that program R1CH mentioned in the OP, so that makes the job a lot easier.
I used an email I never use, and a password that you could consider as a "throwaway" password, meaning I only use it on sites I don't fully trust and don't really care about. But I do use this password pretty much everywhere and I've given it out to some friends already.
I really find it hard to believe that any company would still store personal information in plaintext. What a joke. Thanks for updating the community R1CH, you are the man!
On August 13 2011 03:18 Keap wrote: GOM is so unprofessional. The level of play of their players is amazing, but the business side of the Korean SC2 scene is really lacking to say the least.
that happens to the best companies
sometimes there is just bad luck
Not encrypting passwords != luck at all. This is stupidity.
Has this happened before? I had someone from south korea access my gmail a few months back when my GOMTV pass was the same as my email's (I tend to cycle my email along with newest passwords so I don't forget it). I made a post about it then in a thread about hacked gmail accounts here.
I just remembered that I changed my gom password to some obscure password I really never use, + it has a dummy e-mail. I generally don't use my dummy e-mail or different passwords. Wow, lucky.
For those curious, this is how TL passwords are stored.
The difference between the TL website and GOMTV is that TL isn't at all vulnerable to SQL and I think is really well written (props to the ones that did the site). However GOM seems bad since it's hacked.
Someone says MD5 is a good way; it is good if the passwords aren't whole words like mother, sister, football, basketball, because every MD5 cracking website already has their MD5s. However if they are like mmm0007h333R, pretty much the MD5 will never get cracked or will take months, years. Hackers don't like waiting XD
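The lookup-table point in the post above, as an added example that is not part of the thread and not code from TL or GOM. The wordlist is constructed and stands in for a cracking site's precomputed table; the salt length and the `hex$md5` storage format are assumptions made for the demonstration. It also shows the caveat a practitioner would add: a per-user salt defeats the shared table, but because MD5 is fast the attacker can still rerun the wordlist per user, which is why the thread later turns to bcrypt's adjustable cost.

```python
import hashlib
import os

# Constructed wordlist: stands in for the precomputed MD5 table a cracking
# site already holds for common words (assumption, not real data).
COMMON_WORDS = ["mother", "sister", "football", "basketball", "password", "123456"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Precompute md5(word) -> word once; the same table serves every leaked hash."""
    return {md5_hex(w.encode("utf-8")): w for w in words}


def crack_unsalted(hash_hex, table):
    """Unsalted MD5 of a dictionary word is recovered by a single dictionary lookup."""
    return table.get(hash_hex)


def hash_salted(password, salt=None):
    """Store 'salt_hex$md5(salt || password)'. Salt is 8 random bytes (assumed length)."""
    salt = salt if salt is not None else os.urandom(8)
    return salt.hex() + "$" + md5_hex(salt + password.encode("utf-8"))


def crack_salted_with_table(stored, table):
    """The table was built without the salt, so it never matches a salted hash."""
    _salt_hex, digest = stored.split("$")
    return table.get(digest)


def crack_salted_by_guessing(stored, words):
    """The caveat: the salt is stored next to the hash, so an attacker can redo the
    wordlist for this one user. MD5 is so fast that this is still cheap; only a
    deliberately slow hash (bcrypt and friends) makes it expensive."""
    salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for word in words:
        if md5_hex(salt + word.encode("utf-8")) == digest:
            return word
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    print(crack_unsalted(md5_hex(b"football"), table))            # football
    salted = hash_salted("football")
    print(crack_salted_with_table(salted, table))                  # None
    print(crack_salted_by_guessing(salted, COMMON_WORDS))          # football
```

The second and third prints together are the practical lesson: salting alone only removes the shared precomputation; the per-user work is still one MD5 per guess.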
My gmail account (for school) says there has been suspicious activity on my email account, and that I have to verify myself through phone or text :/
I checked my email and found someone tried to email all my contact lists:
(no subject)
to ggonzale, monkeyskratch, cross.andy, bcebecioglu, bighitter, dpol85, james, JTarzia show details Aug 11 (2 days ago) im sure my friends are all tired of always loaning me money I was at the end of the road this couldnt have worked out better! ://rallispor.com/CarlSpencer74.ht now I can afford season tickets You will thank me for this!
I edited the link so no one accidentally clicks on it. Should I be worried?
On August 13 2011 05:10 Hokay wrote: My gmail account (for school) says there has been suspicious activity on my email account, and that I have to verify myself through phone or text :/
I checked my email and found someone tried to email all my contact lists:
(no subject)
to ggonzale, monkeyskratch, cross.andy, bcebecioglu, bighitter, dpol85, james, JTarzia show details Aug 11 (2 days ago) im sure my friends are all tired of always loaning me money I was at the end of the road this couldnt have worked out better! ://rallispor.com/CarlSpencer74.htm now I can afford season tickets You will thank me for this!
I edited the link so no one accidentally clicks on it. Should I be worried?
yes you should be worried. change your password immediately
So are 100% of accounts compromised? And is it only accounts that have paid that were compromised or are all types of accounts (like the free ones used to watch the SQ live stream) compromised as well?
On August 13 2011 05:05 Crying wrote: The funny thing is that there is nothing under "News" at GOM website?? Wtf is this, R1CH knows that an attack occurred when GOM has no clue. HIRE R1CH!
Because R1CH isn't employed by GOM. He posted the news at 3am KST. Do you work at 3am? I doubt it.
For those curious, this is how TL passwords are stored.
Really? Isn't that supposedly too expensive on the login operation?
Not if you balance the iterations properly. A few hundred ms extra on the login isn't noticeable by most people and is plenty enough to defeat brute force attacks.
Turns out i used the same pass for my hotmail as i did for GOMtv (couldn't remember my GOM pass at first), just glad i had the time to change it before i got hacked.
Seriously, GOM needs a slap in the face for this shit.
On August 13 2011 05:05 Copymizer wrote: just changed my gomtv acc password.
Honestly, until gom makes a statement I'm not even going to visit their website. We know that there is a possible compromise of account information but who knows if they loaded their website with all kinds of goodies.
I'm not too surprised to find this out. I bought the first two seasons of GSL with two separate new emails that I didn't use for anything else, and received phishing emails back then on both of them. I guess their security isn't that great. :/...
On August 13 2011 05:19 Titorelli wrote: Can someone tell me if my financial data is safe or not? I did NOT pay via paypal since I dont have a paypal account
You still paid through PayPal since there is no other way to pay. PayPal lets you checkout even without an account.
For those curious, this is how TL passwords are stored.
Really? Isn't that supposedly too expensive on the login operation?
Not if you balance the iterations properly. A few hundred ms extra on the login isn't noticeable by most people and is plenty enough to defeat brute force attacks.
True, I read that it ain't ACTUAL Blowfish ciphering, but a modified function, and that you can also adjust the calculation rate.
But tell me this, if you want to adjust the iterations, won't you have to re-calculate every password for each user?
I find it absolutely mind boggling that people still store passwords in plain text. Are there any reasons for not encrypting passwords more than sheer laziness (even that is not a valid reason due to the easiness of encrypting passwords)? I just don't understand why you would ever set it up like that, still it seems to not be very uncommon even among big companies.
Well I am glad I decided to play robin hood and let my friend view all of the previous seasons of GSL and GSTL, so I changed my password to something stupid for him months ago.
On August 13 2011 05:28 Badboyrune wrote: I find it absolutely mind boggling that people still store passwords in plain text. Are there any reasons for not encrypting passwords more than sheer laziness (even that is not a valid reason due to the easiness of encrypting passwords)? I just don't understand why you would ever set it up like that, still it seems to not be very uncommon even among big companies.
Should be bloody common after SONY got hacked, thought that would make nearly everyone think twice about security.
On August 13 2011 03:24 R1CH wrote: Someone just pointed out that the exploit through which this information was gained may still exist, so you may want to hold off changing passwords until GomTV confirm it is safe.
And I read this just after I changed my password xd
On August 13 2011 05:28 Badboyrune wrote: I find it absolutely mind boggling that people still store passwords in plain text. Are there any reasons for not encrypting passwords more than sheer laziness (even that is not a valid reason due to the easiness of encrypting passwords)? I just don't understand why you would ever set it up like that, still it seems to not be very uncommon even among big companies.
Should be bloody common after SONY got hacked, thought that would make nearly everyone think twice about security.
Sadly many companies think exactly twice about security. They think about it once when they are designing their system then when they get the bill they think twice about having security.
Changed my PayPal password just to be safe. Glad I have no funds on there but my credit card is linked. No recent transaction history so looks like I'm safe.
On August 13 2011 05:26 ravemir wrote: But tell me this, if you want to adjust the iterations, won't you have to re-calculate every password for each user?
Most systems store the algorithm and settings with the password hash and salt. For example, if your password hash is $2a$10$WyJ.NSYEmLixexXspQyoEOVYGK55cDjQd2cZedBN4t9.., the 2a identifies the algorithm (blowfish) and the 10 identifies the iterations (2^10). So if suddenly PCs become 100x faster I can just increase the 10 in our config and all new passwords become more secure, and old passwords are upgraded on successful logon.
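The scheme described in the reply above (parameters stored with the hash, cost raised in config, old hashes upgraded on successful login, a few hundred ms per login), as an added example that is not TL's code and not part of the thread. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs without extra packages; the `$pbkdf2-sha256$iterations$salt$hash` storage format and the 20,000-iteration setting are assumptions made for the example. Only the `$2a$10$...` string quoted from the post is real, and the parser at the top reads its prefix exactly as the post explains it.

```python
import base64
import hashlib
import hmac
import os
import time

# Site-wide work factor (assumed value). Raising it does not touch the database:
# every stored hash carries its own iteration count, and a stale hash is replaced
# the next time its owner logs in successfully, the only moment the plaintext exists.
CURRENT_ITERATIONS = 20_000


def parse_bcrypt_prefix(stored):
    """Read the self-describing prefix of a bcrypt string such as '$2a$10$...'.

    Returns (algorithm id, cost, rounds): cost 10 means 2**10 = 1024 rounds."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in ("2", "2a", "2b", "2y"):
        raise ValueError("not a bcrypt hash")
    cost = int(parts[2])
    return parts[1], cost, 2 ** cost


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=None):
    """Hash with a fresh random salt and embed algorithm id, iterations and salt."""
    iterations = iterations or CURRENT_ITERATIONS
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_and_upgrade(stored, password):
    """Check a password against its stored hash.

    Returns (ok, replacement): replacement is a new hash at the current work
    factor when the stored one is weaker than CURRENT_ITERATIONS, else None.
    The caller writes the replacement back to the user's row."""
    _, algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported algorithm id %r" % algo)
    iterations = int(iters)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(candidate, expected):  # constant-time compare
        return False, None
    if iterations < CURRENT_ITERATIONS:
        return True, hash_password(password)
    return True, None


def calibrate(target_ms=250):
    """Double the iteration count until one hash costs at least target_ms on this
    machine; this is how to pick the 'few hundred ms' the post mentions."""
    iterations = 1000
    while iterations < 2 ** 24:
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * 16, iterations)
        if (time.perf_counter() - start) * 1000 >= target_ms:
            break
        iterations *= 2
    return iterations


if __name__ == "__main__":
    print(parse_bcrypt_prefix("$2a$10$WyJ.NSYEmLixexXspQyoEOVYGK55cDjQd2cZedBN4t9.."))
    old = hash_password("correct horse", iterations=1000)  # made under an older, cheaper setting
    ok, replacement = verify_and_upgrade(old, "correct horse")
    print(ok, replacement.split("$")[2])  # True 20000
```

This is also the answer to the earlier question about recalculating every password: nothing is recalculated in bulk, because a hash can only be recomputed when the user presents the password, so the upgrade rides along with successful logins and accounts that never log in simply keep their older, weaker hash.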
I guess I will use FB/Twitter on Gom to login from now on... who would've thought that using those makes you safer? Hahah.
In any case, changed my pw's already to the more important things I'm aware of. Email is already a unique pw and paypal requires a security token generator so I'm covered.
Laziness ftw. Thank god I never bothered to change the original password they handed out when I created my account, since I certainly do use the same for all my accounts o.O
For those curious, this is how TL passwords are stored.
Really? Isn't that supposedly too expensive on the login operation?
Not if you balance the iterations properly. A few hundred ms extra on the login isn't noticeable by most people and is plenty enough to defeat brute force attacks.
COOL, I hadn't heard of bcrypt. I just finished integrating a Java version into my software. Thanks TL
On August 13 2011 05:51 slicknav wrote: this should really be put on the front page of TL somewhere. This is kinda serious if personal information has been compromised.
Kinda annoying that there's nothing on Gom's site about this.
On August 13 2011 05:26 ravemir wrote: But tell me this, if you want to adjust the iterations, won't you have to re-calculate every password for each user?
Most systems store the algorithm and settings with the password hash and salt. For example, if your password hash is $2a$10$WyJ.NSYEmLixexXspQyoEOVYGK55cDjQd2cZedBN4t9.., the 2a identifies the algorithm (blowfish) and the 10 identifies the iterations (2^10). So if suddenly PCs become 100x faster I can just increase the 10 in our config and all new passwords become more secure, and old passwords are upgraded on successful logon.
I think this is the point where Hot_Bid posts:
I don't understand the check_password function, why don't you compare with the stored hash in the BBDD? Something like this:

function check_password(password, nickname) {
    // get user from nickname
    user = User.objects.get(nickname=nickname)
    return user.hash_stored == hash(password)
}

Btw in your function check_password I suppose that in order to calculate again the hash I'd have to do it with the cost parameter, something like this:

// this will be used to compare a password against a hash
public static function check_password($hash, $password) {
    $new_hash = hash($password);
    return ($hash == $new_hash);
}
On August 13 2011 03:14 R1CH wrote: There's a post on reddit that suggests that GOMTV has been compromised. I have independently verified that at least some usernames, passwords and email addresses have been compromised.
There appears to be zero security on the passwords as they were stored in plain text (really GOM?). This means if you use your GomTV password anywhere else, you should change it and consider it compromised. To clarify, your GomTV.net username, email address, PayPal real name and your GomTV.net password are likely compromised. Personal information such as your address may be compromised too if it was stored. You should also change your GomTV password to prevent unauthorized account access, although the exploit through which the information was compromised may still exist.
Since payments are processed through PayPal, there is no risk of your financial information being compromised, unless you used your PayPal password when signing up for GomTV (don't do this). Users who logged in via SNS should be safe as Twitter / Facebook authentication is token based, not password based.
If you aren't already, you should really use unique passwords for each website since this happens more often than you think (ever hear someone say they were "hacked"? this is likely how it happens) and not all websites will disclose if they get compromised. Use http://keepass.info/ for password management.
R1CH, from what I can deduce they simply used a SQL injection to list all the data, if it's that simple then why does it matter if we change the password, they will still get it, you could change it a million times.
Just got done changing a lot of my passwords... Just in case. My fault for using the same pass for so many sites, but better to be safe than sorry. Or so they say
I use the same password for nearly everything EXCEPT my Bnet account, so I don't really care, the rest is not really important (I don't know what they would do with my other accounts).
On August 13 2011 03:14 R1CH wrote: There's a post on reddit that suggests that GOMTV has been compromised. I have independently verified that at least some usernames, passwords and email addresses have been compromised.
There appears to be zero security on the passwords as they were stored in plain text (really GOM?). This means if you use your GomTV password anywhere else, you should change it and consider it compromised. To clarify, your GomTV.net username, email address, PayPal real name and your GomTV.net password are likely compromised. Personal information such as your address may be compromised too if it was stored. You should also change your GomTV password to prevent unauthorized account access, although the exploit through which the information was compromised may still exist.
Since payments are processed through PayPal, there is no risk of your financial information being compromised, unless you used your PayPal password when signing up for GomTV (don't do this). Users who logged in via SNS should be safe as Twitter / Facebook authentication is token based, not password based.
If you aren't already, you should really use unique passwords for each website since this happens more often than you think (ever hear someone say they were "hacked"? this is likely how it happens) and not all websites will disclose if they get compromised. Use http://keepass.info/ for password management.
R1CH, from what I can deduce they simply used a SQL injection to list all the data, if it's that simple then why does it matter if we change the password, they will still get it, you could change it a million times.
Change it to something that you don't use anywhere else.
what, they used plain text to store the password....... WTF, encryption is a built-in feature in PHP and there exist thousands of professionally made salt functions out there. WHY are people so damn retarded when it comes to security!
On August 13 2011 05:26 ravemir wrote: But tell me this, if you want to adjust the iterations, won't you have to re-calculate every password for each user?
Most systems store the algorithm and settings with the password hash and salt. For example, if your password hash is $2a$10$WyJ.NSYEmLixexXspQyoEOVYGK55cDjQd2cZedBN4t9.., the 2a identifies the algorithm (blowfish) and the 10 identifies the iterations (2^10). So if suddenly PCs become 100x faster I can just increase the 10 in our config and all new passwords become more secure, and old passwords are upgraded on successful logon.
Good point! The password will keep the matching smaller value until a valid login after you make the system-wide change.
On August 13 2011 03:14 R1CH wrote: There's a post on reddit that suggests that GOMTV has been compromised. I have independently verified that at least some usernames, passwords and email addresses have been compromised.
There appears to be zero security on the passwords as they were stored in plain text (really GOM?). This means if you use your GomTV password anywhere else, you should change it and consider it compromised. To clarify, your GomTV.net username, email address, PayPal real name and your GomTV.net password are likely compromised. Personal information such as your address may be compromised too if it was stored. You should also change your GomTV password to prevent unauthorized account access, although the exploit through which the information was compromised may still exist.
Since payments are processed through PayPal, there is no risk of your financial information being compromised, unless you used your PayPal password when signing up for GomTV (don't do this). Users who logged in via SNS should be safe as Twitter / Facebook authentication is token based, not password based.
If you aren't already, you should really use unique passwords for each website since this happens more often than you think (ever hear someone say they were "hacked"? this is likely how it happens) and not all websites will disclose if they get compromised. Use http://keepass.info/ for password management.
R1CH, from what I can deduce they simply used a SQL injection to list all the data, if it's that simple then why does it matter if we change the password, they will still get it, you could change it a million times.
Change it to something that you don't use anywhere else.
IF people used the same password that they used on GOM they had better damn be changing those passwords on all the other sites as well. I mean you don't know what kind of database type is being used; what if the hacker thinks up the bright idea to roll back the server image to revert the password change you did? Then he will get the passwords anyway.
Sooo is there any point changing the password you used on the GOM site or is there still shit happening that would cause that new password to be compromised?
I don't know anything about this but is the only proof of this happening that one screenshot? Couldn't someone who knows about that stuff easily make a "fake" screenshot?
On August 13 2011 06:08 Integra wrote: what, they used plain text to store the password....... WTF, encryption is a built-in feature in PHP and there exist thousands of professionally made salt functions out there. WHY are people so damn retarded when it comes to security!
After this kind of stupidity, I just stop purchasing/supporting people. ;o Same goes for Sony.
On August 13 2011 06:21 TaKemE wrote: I don't know anything about this but is the only proof of this happening that one screenshot? Couldn't someone who knows about that stuff easily make a "fake" screenshot?
There's still no email notification or news on GOMTV.net yet....I feel sorry for all the people who don't know because they don't frequent TeamLiquid.net or PlayXP.
On August 13 2011 06:25 forgottendreams wrote: There's still no email notification or news on GOMTV.net yet....I feel sorry for all the people who don't know because they don't frequent TeamLiquid.net or PlayXP.
Instantly deleted account over this. If they are so fucking incompetent that they store password in plaintext and they don't even have the common decency to communicate about it, then they're not to be trusted with anything any more.
Oh my... I have 3-4 passwords I rotate between depending on how important the data is (from 7 letters to 40 depending on the importance) but I still use the password I had on gomtv for a lot of stuff... Sigh, its gonna take a while to fix all of this. Thank you GOM for storing our personal info in plain text. Retarded.
On August 13 2011 06:59 Titorelli wrote: Guys... it is 7h on a Saturday in Korea.... they don't have an emergency anti-hacking team that informs ppl on their site
BUT ITS PRIMETIME IN 'MURICA so I fully expect the world to bend over backwards to do everything in favor of what's best for 'MURICA.
just kidding but yeah you make a very reasonable point.
p.s. those of us that are socially-savvy and use facebook to sign in have nothing to worry about, right? (jk about the social savvy part)
Yeah about KeePass... I don't get it. It saves all my passwords and it is itself password protected. But if someone gets that password it's the same as having one password for all my accounts lol cause he can just look all of them up in KeePass?
On August 13 2011 07:10 Titorelli wrote: Yeah about KeePass... I don't get it. It saves all my passwords and it is itself password protected. But if someone gets that password it's the same as having one password for all my accounts lol cause he can just look all of them up in KeePass?
But how will he get that password? If you are keylogged you are compromised either way. Now if only your GOMtv pass gets hacked everything else is still secure. Of course you could remember each password ....
Can someone explain to me why I have to change my password to accounts the hacker doesn't know about? If my GomTV password was pass1234 and I used this password for my teamliquid account, why should I change my teamliquid password? The guy who has my GomTV info doesn't know I browse teamliquid, and even if he did, he doesn't know my TL login name. (teamliquid in this case is just an example)
Of course it is recommended to change passwords to everything to be safe, but technically there is no reason to change any passwords, right? (except for your e-mail, granted you use the same password)
On August 13 2011 07:29 kwaky wrote: Can someone explain to me why I have to change my password to accounts the hacker doesn't know about? If my GomTV password was pass1234 and I used this password for my teamliquid account, why should I change my teamliquid password? The guy who has my GomTV info doesn't know I browse teamliquid, and even if he did, he doesn't know my TL login name. (teamliquid in this case is just an example)
Of course it is recommended to change passwords to everything to be safe, but technically there is no reason to change any passwords, right? (except for your e-mail, granted you use the same password)
Chances are most people use the same email for GOM as they do for Battle.net. Now do most people play SC2 and watch GSL? Also, a lot of people keep the same password for both.
On August 13 2011 07:29 kwaky wrote: Can someone explain to me why I have to change my password to accounts the hacker doesn't know about? If my GomTV password was pass1234 and I used this password for my teamliquid account, why should I change my teamliquid password? The guy who has my GomTV info doesn't know I browse teamliquid, and even if he did, he doesn't know my TL login name. (teamliquid in this case is just an example)
Of course it is recommended to change passwords to everything to be safe, but technically there is no reason to change any passwords, right? (except for your e-mail, granted you use the same password)
You use the same password but a different username on different sites?
Why not do it the other way around, then, and be a touch safer?
On August 13 2011 07:33 Razuik wrote: Chances are most people use the same email for GOM as they do for Battle.net. Now do most people play SC2 and watch GSL? Also, a lot of people keep the same password for both.
Yeah I understand the e-mail part.
On August 13 2011 07:33 Resistentialism wrote: You use the same password but a different username on different sites?
Why not do it the other way around, then, and be a touch safer?
My post was just an example. (and as a matter of fact most of my usernames and passwords are different for each site)
I guess my post was more of a rhetorical question. Also if people use the same login/password for a lot of things, it makes sense to change your info.
Sorry it was my fault I assumed EVERYONE used different logins/passwords. D'oh. It definitely is better to be safe than sorry though!
On August 13 2011 07:29 kwaky wrote: Can someone explain to me why I have to change my password to accounts the hacker doesn't know about? If my GomTV password was pass1234 and I used this password for my teamliquid account, why should I change my teamliquid password? The guy who has my GomTV info doesn't know I browse teamliquid, and even if he did, he doesn't know my TL login name. (teamliquid in this case is just an example)
Of course it is recommended to change passwords to everything to be safe, but technically there is no reason to change any passwords, right? (except for your e-mail, granted you use the same password)
You use the same password but a different username on different sites?
Why not do it the other way around, then, and be a touch safer?
Also, you'd be surprised at the amount of information that can be gathered about you just by knowing your e-mail, as it's a very insecure protocol.
On August 13 2011 07:29 kwaky wrote: Can someone explain to me why I have to change my password to accounts the hacker doesn't know about? If my GomTV password was pass1234 and I used this password for my teamliquid account, why should I change my teamliquid password? The guy who has my GomTV info doesn't know I browse teamliquid, and even if he did, he doesn't know my TL login name. (teamliquid in this case is just an example)
Of course it is recommended to change passwords to everything to be safe, but technically there is no reason to change any passwords, right? (except for your e-mail, granted you use the same password)
You use the same password but a different username on different sites?
Why not do it the other way around, then, and be a touch safer?
My post was just an example. (and as a matter of fact most of my usernames and passwords are different for each site) I guess my post was more of a rhetorical question.
For most people a search for their gom username and their e-mail yields further information about them and usually enough information to find more accounts. Unless attackers specifically target you, then as long as your e-mail, paypal and battle.net passwords are different then you are not likely to be attacked IMO, but rather safe than sorry. Especially when it doesn't take much to be safe.
Anyone know WHEN the passwords were hacked? I changed my pw about a week or two ago >.<. I'm hoping it was VERY recent, as that would save me a shitton of headaches.
On August 13 2011 07:49 Day[9] wrote: Anyone know WHEN the passwords were hacked? I changed my pw about a week or two ago >.<. I'm hoping it was VERY recent, as that would save me a shitton of headaches.
Well the exploit, I am assuming, has been around since the beginning. So while this particular case was made public now, it could have happened yesterday, the day before, the year before, or again 10 minutes ago.
On August 13 2011 07:49 Day[9] wrote: Anyone know WHEN the passwords were hacked? I changed my pw about a week or two ago >.<. I'm hoping it was VERY recent, as that would save me a shitton of headaches.
From what I understand, mprs is correct. The exploit has been around for a while but has only been made public now, so it could have happened any time. The fact that certain accounts were suddenly misused and hacked doesn't give hard evidence as to when the breach actually took place. We'll probably have to wait for GOM's statement for that.
No one should assume anything about when it was hacked/cracked. It's lucky we even know about it as if the user hadn't posted the screenshot no-one would be the wiser. Also, we can't know no one already used the same exploit he did previously.
Anyone who used the same password on GOMTV elsewhere should change it immediately.
On August 13 2011 07:49 Day[9] wrote: Anyone know WHEN the passwords were hacked? I changed my pw about a week or two ago >.<. I'm hoping it was VERY recent, as that would save me a shitton of headaches.
There isn't a way of telling. The only thing to go off was the post of the image, which was very, very recent. However, this could have happened weeks, possibly months ago, and gone unnoticed. I would take the extra precaution if I were you, but you don't have to worry about any financial information unless your paypal password was the same, of course. Check the sent folder in all your emails and make sure no spam mail got sent. That's when you have to start worrying. And nice casting at the Invitational!
On August 13 2011 07:29 kwaky wrote: Can someone explain to me why I have to change my password to accounts the hacker doesn't know about? If my GomTV password was pass1234 and I used this password for my teamliquid account, why should I change my teamliquid password? The guy who has my GomTV info doesn't know I browse teamliquid, and even if he did, he doesn't know my TL login name. (teamliquid in this case is just an example)
Of course it is recommended to change passwords to everything to be safe, but technically there is no reason to change any passwords, right? (except for your e-mail, granted you use the same password)
There is a good chance that the information was stolen for a reason and that whoever did it will be looking to use the information in a specific way. I don't think it would be for credit card numbers etc, because as R1CH said, all transactions on gomtv.net are done through paypal. Personally, I use the same email for gomtv.net and my battle.net account, and I am sure I am not alone. If you also use the same password for both accounts, your battle.net account can be compromised as well (and your email for that matter). With such access to your personal information, somebody who knows what they're looking for can find a lot of information about you and probably get whatever they are looking for, whether it be credit card numbers or whatever.
I don't know if this is related in any way, but I received an email this morning from Blizzard saying they were investigating my battle.net account because they suspect that I have been trying to sell my World of WarCraft account (which has been inactive for months, as in I am not paying for it and cannot play the game). I received this email literally within an hour after reading this thread about GOM being compromised, and I am also on a very new computer which I am very careful with as far as viruses etc. Nor have I been trying to sell my somewhat worthless WoW account... which is also on the same battle.net account as my SC2, lol.
These incidents may be unrelated, I am not sure yet and I'm waiting for Blizzard to give me more information on the situation (which they probably won't). However, my point is that there are ways for people to hurt you even with limited information, unless you are very good about keeping yourself secure by using many different usernames, passwords, and email addresses, for your accounts on battle.net, websites you use, etc.
On August 13 2011 06:08 Integra wrote: what, they used plain text to store the password....... WTF, encryption is a built-in feature in PHP and there exist thousands of professionally made salt functions out there. WHY are people so damn retarded when it comes to security!
Stupider than not encrypting your passwords is allowing SQL injection in the first place.
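The thread's claim that the data was listed through a SQL injection, illustrated as an added example that is not GOM's code and not from the thread. The users table, its rows and the plaintext password column are constructed for the demonstration (the column mirrors what the OP says GOM stored); the lookup function is a generic nickname search, not anything known about GOMTV.net. The vulnerable version pastes the input into the SQL string, the hardened version passes it as a bound parameter, and the same payload is run against both.

```python
import sqlite3

# Payload (constructed): closes the quoted nickname and appends a condition that
# is true for every row, so the WHERE clause no longer filters anything.
DUMP_PAYLOAD = "x' OR '1'='1"


def make_db():
    """In-memory users table with constructed rows; plaintext passwords on purpose,
    to mirror the storage the thread is complaining about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (nickname TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "hunter2"),
            ("bob", "bob@example.com", "pass1234"),
        ],
    )
    return conn


def find_user_vulnerable(conn, nickname):
    """String formatting puts attacker text inside the SQL, where it is parsed as SQL."""
    sql = "SELECT nickname, email, password FROM users WHERE nickname = '%s'" % nickname
    return conn.execute(sql).fetchall()


def find_user_safe(conn, nickname):
    """Bound parameter: the driver sends the value separately from the statement,
    so quotes and keywords in it are just characters of the nickname."""
    sql = "SELECT nickname, email, password FROM users WHERE nickname = ?"
    return conn.execute(sql, (nickname,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, DUMP_PAYLOAD))  # every row, passwords included
    print(find_user_safe(conn, DUMP_PAYLOAD))        # [] (no user has that nickname)
```

The parameterized query is the fix for the injection; it does nothing about the plaintext column, which is why the two mistakes in this thread are separate problems: the injection is how the table was read, and the lack of hashing is why reading it was enough.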
On August 13 2011 07:29 kwaky wrote: Can someone explain to me why I have to change my password to accounts the hacker doesn't know about? If my GomTV password was pass1234 and I used this password for my teamliquid account, why should I change my teamliquid password? The guy who has my GomTV info doesn't know I browse teamliquid, and even if he did, he doesn't know my TL login name. (teamliquid in this case is just an example)
Of course it is recommended to change passwords to everything to be safe, but technically there is no reason to change any passwords, right? (except for your e-mail, granted you use the same password)
There is a good chance that the information was stolen for a reason and that whoever did it will be looking to use the information in a specific way. I don't think it would be for credit card numbers etc, because as R1CH said, all transactions on gomtv.net are done through paypal. Personally, I use the same email for gomtv.net and my battle.net account, and I am sure I am not alone. If you also use the same password for both accounts, your battle.net account can be compromised as well (and your email for that matter). With such access to your personal information, somebody who knows what they're looking for can find a lot of information about you and probably get whatever they are looking for, whether it be credit card numbers or whatever.
I don't know if this is related in any way, but I received an email this morning from Blizzard saying they were investigating my battle.net account because they suspect that I have been trying to sell my World of WarCraft account (which has been inactive for months, as in I am not paying for it and cannot play the game). I received this email literally within an hour after reading this thread about GOM being compromised, and I am also on a very new computer which I am very careful with as far as viruses etc. Nor have I been trying to sell my somewhat worthless WoW account... which is also on the same battle.net account as my SC2, lol.
These incidents may be unrelated, I am not sure yet and I'm waiting for Blizzard to give me more information on the situation (which they probably won't). However, my point is that there are ways for people to hurt you even with limited information, unless you are very good about keeping yourself secure by using many different usernames, passwords, and email addresses, for your accounts on battle.net, websites you use, etc.
How a site with money transactions can have such bad safety is strange. Passwords in plain text is so 1992.
Have a unique password for GOM, which is now changed. Has GOM said anything about the new password being safe, or is it stored in the same idiotic way?
The blizzard mail is fake.
No, it is not. It is from a Blizzard email for sure. I would know if it was fake trust me.
On August 13 2011 08:02 Jiddra wrote: ...password for GOM, which is now changed. Has GOM said anything about the new password being safe, or is it stored in the same idiotic way?
So far it seems that GOM has not released any statement regarding this compromise. The sun is rising in Korea, so it should not be long before they say something.
Whatever, click the link or send them some information like they ask then, lol.
The link that goes to Blizzard's website (us.battle.net)? Yeah, I clicked it. Also the email is from blizzard.com, which, if you type that in your search bar you will see, goes straight to Blizzard's site. They did not ask for any personal information at all. They only notified me of the situation and that is it. I'm not stupid.
Between this and the whole PSN thing it's clear that password security is something you only care about to the extent that your customer base believes you are handling it responsibly... pretty retarded, as it can potentially have devastating effects on a person.
Anyway, maybe this is an eye-opener for the (unfortunately) majority of people who just use an easy-to-remember password for all sites and logins.
I also just got this email from Blizzard for my WoW account that has been inactive for 9 months now. Looks like someone somehow got into my character and got himself banned. I use the same email for GomTv and Battle.net, although I usually sign in through SNS Twitter. Seems to be too much of a coincidence.
English-speaking customers: Please refer to the start of this mail. Spanish-speaking customers: Please go to the end of this email.
***Notice of Account Closure***
Account Name: WARBEAN1
Reason for Closure: Terms of Use Violation -- Exploitative Activity: Abuse of the Economy
This account was closed because one or more characters were identified exchanging, or contributing to the exchange of, in-game property (items or gold) for "real-world" currency. This exchange process negatively impacts the World of Warcraft game environment by detracting from the value of the in-game economy.
Even if this is the result of account sharing, the account owner can still be held responsible for the penalty because of the impact it had on the game environment.
We've found the above behavior is many times directly related to groups responsible for compromising World of Warcraft accounts; we take these issues very seriously. To better understand our position against exploitative activity and the risks involved, please review this article: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=25455
The exploitative activity that took place on this account violates the World of Warcraft Terms of Use. We ask you take a moment to review these terms at http://us.blizzard.com/company/legal/index.html. Note that additional Terms of Use violations may result in more severe actions against this account, up to and including permanent closure.
Customer Services, Blizzard Entertainment, http://us.battle.net/wow/en/
***Notice of Account Closure***
Account Name: WARBEAN1
Reason for Closure: Terms of Use Violation -- Exploitative Activity: Abuse of the Economy
This account was closed because one or more characters were identified trading, or contributing to the trading of, in-game property (items or gold) for "real" currency. This trading process negatively impacts the World of Warcraft environment by detracting from the value of the in-game economy.
Even if this is the result of account sharing, the account owner can still be held responsible for the penalty because of the impact it had on the game environment.
We have found that the above behavior is many times directly related to the groups responsible for compromising World of Warcraft accounts; we take these matters very seriously. To better understand our position on exploitative activity and the risks involved, please review this article: (http://us.blizzard.com/support/article.xml?locale=en_US&articleId=25455).
The exploitative activity that occurred on this account is against the World of Warcraft Terms of Use. We ask that you take a moment to review these terms: (http://us.blizzard.com/company/legal/index.html). Note that any additional violation of the Terms of Use may result in more severe measures against this account, up to and including permanent closure.
If you believe your account has been compromised, please open a petition in-game or fill out the email contact form: (https://us.blizzard.com/support/webform.xml?locale=es_MX). Our support team will assist you as soon as possible. If you cannot access your account because of a password change, please visit our Login Assistance site here: (https://us.battle.net/account/support/password-reset.html).
For any dispute about this measure, or for more information about Exploitative Activity, please visit the contact page and Frequently Asked Questions (FAQ) here: (http://us.blizzard.com/support/article.xml?locale=es_MX&tag=exploitfaq).
I've just received emails, note not email but EMAILS, from Blizz as well. They all seem to be fake though. They are all claiming various stuff, like I have to give away my bank account info to prove that I am the holder of the WoW account etc. My information has been leaked, that's for sure.
This. This is why GOM should be ashamed of themselves for not protecting our info.
Anyone know how hackers got into GOMtv.net? I'm sort of a nub at this but is it because they use outdated software (I know some forums may still use real old versions of invisionboard or w/e for example which may have security exploits) or because something GOM didn't do?
Basically how do websites protect themselves from getting hacked (well at least easily hacked) and how did GOM get hacked? Just curious.
I would say you've probably gotten these emails a lot longer than 1 day; I've had them slamming my spambox for like 5 years now.
On August 13 2011 08:18 warbean wrote: I also just got this email from Blizzard for my WoW account that has been inactive for 9 months now. Looks like somehow got into my character and got himself banned. I use the same email for GomTv and Battle.net, although I usually sign in through SNS Twitter. Seems to be too much of a coincidence.
English speaking customers: Please refer to the start of this mail Para los clientes españoles: Por favor vayan hasta el fin de este email
***Notice of Account Closure***
Account Name: WARBEAN1
Reason for Closure: Terms of Use Violation -- Exploitative Activity: Abuse of the Economy
This account was closed because one or more characters were identified exchanging, or contributing to the exchange of, in-game property (items or gold) for "real-world" currency. This exchange process negatively impacts the World of Warcraft game environment by detracting from the value of the in-game economy.
Even if this is the result of account sharing, the account owner can still be held responsible for the penalty because of the impact it had on the game environment.
We've found the above behavior is many times directly related to groups responsible for compromising World of Warcraft accounts; we take these issues very seriously. To better understand our position against exploitative activity and the risks involved, please review this article: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=25455
The exploitative activity that took place on this account violates the World of Warcraft Terms of Use. We ask you take a moment to review these terms at http://us.blizzard.com/company/legal/index.html. Note that additional Terms of Use violations may result in more severe actions against this account, up to and including permanent closure.
Customer Services Blizzard Entertainment http://us.battle.net/wow/en/ -------------------------------------------------------
***Notice of Account Closure***
Account Name: WARBEAN1
Reason for Closure: Terms of Use Violation – Exploitative Activity: Abuse of the Economy
This account was closed because one or more characters were identified trading, or contributing to the trading of, in-game property (items or gold) for "real" currency. This trading negatively impacts the World of Warcraft environment by detracting from the value of the in-game economy.
Even if this is the result of account sharing, the account owner can still be held responsible for the penalty because of the impact it had on the game environment.
We have found that the above behavior is many times directly related to the groups responsible for compromising World of Warcraft accounts; we take these matters very seriously. To better understand our position on exploitative activity and the risks involved, please review this article: (http://us.blizzard.com/support/article.xml?locale=en_US&articleId=25455).
The exploitative activity that occurred on this account is against the World of Warcraft Terms of Use. We ask that you take a moment to review these terms: (http://us.blizzard.com/company/legal/index.html). Note that any additional violations of the Terms of Use may result in more severe measures against this account, up to and including permanent closure.
If you believe your account has been compromised, please open a petition in-game or fill out the email contact form: (https://us.blizzard.com/support/webform.xml?locale=es_MX). Our support team will assist you as soon as possible. If you cannot access your account due to a password change, please visit our Login Support site here: (https://us.battle.net/account/support/password-reset.html).
For any dispute about this action, or for more information about Exploitative Activity, please visit the contact page and Frequently Asked Questions (FAQ) here: (http://us.blizzard.com/support/article.xml?locale=es_MX&tag=exploitfaq).
I've just received emails, note not email but EMAILS, from Blizz as well. They all seem to be fake though. They are all claiming various stuff, like I have to give away my bank account info to prove that I am the holder of the WoW account etc. My information has been leaked, that's for sure.
I would say you've probably been getting these emails for a lot longer than 1 day; I've had them slamming my spambox for like 5 years now.
Same here, got Cursegaming/curse or whatever they're called these days to thank for that.
On August 13 2011 08:18 warbean wrote: I also just got this email from Blizzard for my WoW account that has been inactive for 9 months now. Looks like someone somehow got into my character and got himself banned. I use the same email for GomTv and Battle.net, although I usually sign in through SNS Twitter. Seems to be too much of a coincidence.
Yeah, it does seem like a little bit more than a coincidence, but two cases aren't conclusive by any means. It would be interesting to see how many other people have run into the same incident as us. Also, my situation is just slightly different: my account is under investigation because they suspect I was trying to sell the account, not the items/gold on it (which I think I do have a fair amount of). But if someone was stealing accounts to make money from, I would assume that they would try to sell both the items/gold and the account, so the specific offense probably isn't all that important as the punishment is the same for either.
On August 13 2011 08:18 warbean wrote: I also just got this email from Blizzard for my WoW account that has been inactive for 9 months now. Looks like someone somehow got into my character and got himself banned. I use the same email for GomTv and Battle.net, although I usually sign in through SNS Twitter. Seems to be too much of a coincidence.
I've just received emails, note not email but EMAILS, from Blizz as well. They all seem to be fake though. They are all claiming various stuff, like I have to give away my bank account info to prove that I am the holder of the WoW account etc. My information has been leaked, that's for sure.
Yeah Blizzard would not ask for personal information like that, as I am sure you know. This may or may not be a result of the gomtv compromise, I wouldn't be surprised either way really. It's worth noting though =).
On August 13 2011 08:25 Goldfish wrote: Anyone know how hackers got into GOMtv.net? I'm sort of a nub at this but is it because they use outdated software (I know some forums may still use real old versions of invisionboard or w/e for example which may have security exploits) or because something GOM didn't do?
Basically how do websites protect themselves from getting hacked (well at least easily hacked) and how did GOM get hacked? Just curious.
Adding to the above - is gomtv.net safe right now? I mean do hackers currently have the ability to install malware on the site and/or exploit anything else besides just stealing usernames and passwords?
On August 13 2011 08:18 warbean wrote: I also just got this email from Blizzard for my WoW account that has been inactive for 9 months now. Looks like someone somehow got into my character and got himself banned. I use the same email for GomTv and Battle.net, although I usually sign in through SNS Twitter. Seems to be too much of a coincidence.
I've just received emails, note not email but EMAILS, from Blizz as well. They all seem to be fake though. They are all claiming various stuff, like I have to give away my bank account info to prove that I am the holder of the WoW account etc. My information has been leaked, that's for sure.
I would say you've probably been getting these emails for a lot longer than 1 day; I've had them slamming my spambox for like 5 years now.
No, this is a new email account. I acquired it less than 2 weeks ago and the spam literally started a few hours ago! And the username they are calling me by in the emails is the same username I have on GomTV.Net and not my WoW account!
Is gomtv.net safe right now? I mean do hackers currently have the ability to install malware on the site and/or exploit anything else besides just stealing usernames and passwords?
Well the reason I'm asking is because I know of other sites (mainly MMO fansites for example) which were compromised and had malware installed on it so if any javascripts were enabled, your computer would have likely been infected with some malware.
Is this threat a possibility with gomtv.net or is it just only an issue of taken usernames and passwords?
Again, sort of a newb in terms of this stuff, so I'm not sure if what happened can lead to this, but I want to make sure.
On August 13 2011 08:25 Goldfish wrote: Anyone know how hackers got into GOMtv.net? I'm sort of a nub at this but is it because they use outdated software (I know some forums may still use real old versions of invisionboard or w/e for example which may have security exploits) or because something GOM didn't do?
Basically how do websites protect themselves from getting hacked (well at least easily hacked) and how did GOM get hacked? Just curious.
Adding to the above - is gomtv.net safe right now? I mean do hackers currently have the ability to install malware on the site and/or exploit anything else besides just stealing usernames and passwords?
They basically did 2 things wrong. Firstly, they stored the passwords unencrypted, which is a big no-no. They should never actually know your password, just an encrypted version. This is so that even if someone breaks their security (if you can imagine), they can't get your pass.
Secondly, their database was vulnerable to a very common type of attack known as SQL injection. Basically you send a query that contains instructions and trick the database into executing those instructions, which may for instance be "list all usernames and passwords". This is a common issue and usually easily preventable.
Both are very basic mistakes.
It's very unlikely they can install malware. At worst they can hijack accounts on gom and read your e-mail id, username, password and what you have bought on gom.
There is no reason to believe gom is safe at this point so changing passwords will probably not help, and either way the attackers have likely saved the passwords to a file already on their own systems.
You should change your password on any other service that has/had the same password as one you have ever used on gomtv.
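The injection rasnj describes, as an added example that is not code from the thread and not GOMTV's code: a constructed in-memory SQLite table of three users whose passwords are kept in plain text, a login query assembled by string concatenation, and the tautology payload that turns "check one login" into "list all usernames and passwords", next to the same query with bound parameters. The table layout, column names, sample accounts and payload are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data (not GOMTV's): a users table that, like the site
# described in the thread, keeps passwords in plain text.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "correct horse"),
    ("carol", "carol@example.com", "letmein"),
]

# Classic tautology payload for the username field: closes the quoted
# string, adds an always-true condition, and comments out the rest of
# the original WHERE clause (including the password check).
PAYLOAD = "' OR '1'='1' -- "


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafely(username, password):
    """The flaw: user input is pasted into the SQL text, so the database
    parses whatever the attacker typed as part of the statement."""
    return ("SELECT username, email, password FROM users "
            f"WHERE username = '{username}' AND password = '{password}'")


def login_vulnerable(conn, username, password):
    """Runs the concatenated query and returns every row it matches.
    With PAYLOAD as the username, that is the whole table."""
    return conn.execute(build_query_unsafely(username, password)).fetchall()


def login_safe(conn, username, password):
    """Same logic with bound parameters: the driver ships the values
    separately from the SQL text, so they can never change its structure."""
    sql = ("SELECT username, email, password FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("attacker sends:", build_query_unsafely(PAYLOAD, "anything"))
    print("concatenated  ->", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized ->", login_safe(db, PAYLOAD, "anything"))
```

The parameterized version treats the payload as a literal username that no account has, so it returns nothing; the concatenated version returns all three accounts with their plain-text passwords, which is exactly the dump the thread is about. The fix is a one-line change per query, which is what "usually easily preventable" means in practice.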
Thanks for the explanation rasnj. Ever since I played FFXI and saw so many sites compromised and have malware installed on them (MMO sites are always popular targets since MMO accounts can be worth a lot in cash value) I've been paranoid about this stuff, so thanks for the explanation.
I really don't understand how somebody can write a website that stores passwords as plain text. It's not like it's hard to encrypt it.
Also, does anybody know if GOM saves some kind of password-change history? I have used another password (which I use for other purposes too) a while back, could the crackers have had access to that?
On August 13 2011 09:38 Lorizean wrote: I really don't understand how somebody can write a website that stores passwords as plain text. It's not like it's hard to encrypt it.
Also, does anybody know if GOM saves some kind of password-change history? I have used another password (which I use for other purposes too) a while back, could the crackers have had access to that?
I don't think anyone can answer that for you with certainty, so I would assume that yes they could have access to that. Hopefully GOM will have an official announcement about it sometime very soon to notify everyone about exactly what happened so that we can take the necessary precautions to keep our stuff safe. Until then, however, I would assume the worst just in case.
On August 13 2011 09:38 Lorizean wrote: I really don't understand how somebody can write a website that stores passwords as plain text. It's not like it's hard to encrypt it.
Also, does anybody know if GOM saves some kind of password-change history? I have used another password (which I use for other purposes too) a while back, could the crackers have had access to that?
I doubt they have a history of earlier passwords; nothing on the page suggests that it exists, and what would even be the purpose of that? It makes no sense to have one. There is however a chance that the hacker got access to an admin password. That way he could access the database backup rollback function (if such is supported by the table being used). That way he could simply roll back the database to an earlier data point and get any previous password you had before you changed it. It's probably pretty safe though if you changed your password. Not much else you can do anyway.
On August 13 2011 09:38 Lorizean wrote: I really don't understand how somebody can write a website that stores passwords as plain text. It's not like it's hard to encrypt it.
It's not that hard to do better than plaintext, but simple hashing (with or without salt) isn't enough anymore. Too many people have bruteforce password cracking devices (commonly called graphic cards) nowadays, so you should do something like Key Stretching to delay that, and that is something you rarely see done.
On August 13 2011 09:38 Lorizean wrote: Also, does anybody know if GOM saves some kind of password-change history? I have used another password (which I use for other purposes too) a while back, could the crackers have had access to that?
There is a simple guideline: if you don't know, assume the passwords are compromised. The hole in the page isn't likely to be new, so there could be lots of people with access to the database from lots of dates in the past; there is no need for a "history" database. Your passwords should be considered compromised.
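What an attacker gets out of a dumped users table depends on how the password was stored, which is rasnj's first point (the site should never hold the password itself) and the point just above (a plain hash, salted or not, is no longer enough without key stretching). The following is an added example, not code from the thread or from GOMTV: constructed sample accounts, a constructed five-word attacker wordlist, an unsalted SHA-256 store next to a salted PBKDF2-HMAC-SHA256 store from the Python standard library, and an offline guessing loop against each. The record format and the 200,000-iteration work factor are assumptions; in production a purpose-built password hash such as bcrypt, scrypt or Argon2 is the usual choice, PBKDF2 is used here so the example runs offline with no third-party packages.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts (not from any real dump). Two users share a
# weak password so the difference between unsalted and salted storage shows.
SAMPLE_ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}

# Constructed attacker wordlist, in the order the attacker tries it.
WORDLIST = ["123456", "password", "hunter2", "qwerty", "letmein"]

# Assumed work factor: tune so one verification costs ~100 ms on your hardware.
ITERATIONS = 200_000


def store_plaintext(password):
    """What the thread describes GOMTV doing: the dump *is* the password."""
    return password


def store_sha256(password):
    """Simple unsalted hash: same password, same digest, one lookup table
    cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_pbkdf2(password, iterations=ITERATIONS):
    """Salted, stretched hash. Assumed record format:
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>"""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_sha256(records, wordlist):
    """Unsalted: hash each word once, then every user is a dictionary lookup.
    Returns {user: recovered password}."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}


def crack_pbkdf2(records, wordlist):
    """Salted + stretched: no shared table, and every (user, word) guess costs
    a full PBKDF2 run. Returns ({user: password}, number of guesses made)."""
    found, guesses = {}, 0
    for user, record in records.items():
        for word in wordlist:
            guesses += 1
            if verify_pbkdf2(word, record):
                found[user] = word
                break
    return found, guesses


def seconds_per_guess(iterations):
    """Rough cost of one PBKDF2 guess at the given work factor (machine dependent)."""
    record = store_pbkdf2("x", iterations)
    start = time.perf_counter()
    verify_pbkdf2("y", record)
    return time.perf_counter() - start


if __name__ == "__main__":
    sha_records = {u: store_sha256(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("sha256, unsalted:", crack_sha256(sha_records, WORDLIST))

    pb_records = {u: store_pbkdf2(p) for u, p in SAMPLE_ACCOUNTS.items()}
    found, guesses = crack_pbkdf2(pb_records, WORDLIST)
    print("pbkdf2:", found, "after", guesses, "guesses,",
          f"~{seconds_per_guess(ITERATIONS):.3f}s each on this machine")
```

Both weak passwords fall to the wordlist under either scheme; what changes is the price. The unsalted store is cracked with five hash computations for the whole table, and alice and bob are visibly the same password before any cracking starts. The salted, stretched store forces one full PBKDF2 run per user per guess, so the attacker's cost scales with users times wordlist times iterations, which is the delay the post above is asking for. Raise ITERATIONS as hardware gets faster; the iteration count is stored in the record, so old entries keep verifying while new ones get the higher cost.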
Oh god, GOM just pulled a Sony with plaintext user/pass combos =/. Hell of a way to store those... I'm glad I used the Facebook sign-in since that seems more secure for the moment.
It's a much bigger issue for Sony than it was for GOM, i.e. there were millions more accounts on Sony PSN than there were on GOM... in any case you should never be using the same password for every site because the fact is that any forum admin can grab your password information.
Wow, good thing I use different passwords for all websites, but they got my email, which I have lots of accounts on. FML. Oh well, it's just forum accounts that I am inactive in on other websites, mostly stupid "get beta access" websites.
I just got a password recovery email on my gomtv email.
It's a legit WoW website link.... funny part is there was only a WoW trial on said email account. I kept my WoW account and Master's sc2 account on a different email....
*sigh*
Good job GOMTV. Now I'm going to be sent spam emails on top of legitimate emails of people trying to get into my email account with the legitimate recovery method. Oh, I'm also lucky that said email password is significantly different than the one I use for GOM.
Thank you R1CH for suggesting KeePass in recent history.
My parents alerted me that the email I use for GOM had sent them some spam emails (I also used the same password for GOM and that email address). Thankfully it's not my "official" email.
Just logged in on my Hotmail, which I haven't logged in to for 6 days and which I use for GomTV. I have no contacts on it because it's just for accounts, and I have Viagra emails, illegal pills, free money, "click this link and get a free ¤32äa" Bnet" wtf (not my SC2 Bnet) and all this shit spam O_o. Fucking hell, there are tons of them. The scary part is I have never registered my email to Bnet so no clue how I get that. This is also the first time I have ever received so many spam emails.
First time this has ever happened to me. I never click on suspicious links; I have learned from my own brain.
These emails have been sent 2 days ago. I guess they love me with all this shit spam.
I have to admit I laughed when I saw Viagra emails and "illegal pills".
On August 13 2011 11:59 Mawi wrote: Just logged in on my Hotmail, which I haven't logged in to for 6 days and which I use for GomTV. I have no contacts on it because it's just for accounts, and I have Viagra emails, illegal pills, free money, "click this link and get a free ¤32äa" Bnet" wtf (not my SC2 Bnet) and all this shit spam O_o. Fucking hell, there are tons of them. The scary part is I have never registered my email to Bnet so no clue how I get that. This is also the first time I have ever received so many spam emails.
First time this has ever happened to me. I never click on suspicious links; I have learned from my own brain.
These emails have been sent 2 days ago. I guess they love me with all this shit spam.
I have to admit I laughed when I saw Viagra emails and "illegal pills".
The bnet email will probably be a phishing scam. They're super common because of the value of stolen wow items/accounts.
Facebook for the win!!!!??? I don't use facebook other than for GomTV, but shit i suppose it paid off. This is insane, is nowhere on the internet safe????
Oh cheers, three telescopes, it made me less scared than I was, hehe. I thought it could be a phishing scam but don't want to risk clicking on those emails.
Well off topic - Does anyone know if gmail offers a premium service or any service where you can get your real name, ID, etc attached to your account so that you can recover it if stolen? Gmail is a good email service and I wouldn't mind paying some $ for a premium version with more benefits.
I didn't lose an email or anything (my GOMTV password is different from my regular email) but with this happening a lot I wouldn't mind better email security >.>.
One thing I'm worried about is that I use several gmail accounts and I'm afraid of getting locked out (according to their ToS, they can terminate gmail accounts without warning for any reason). I at least assume if there exists a premium service then maybe that would less likely happen.
So let's say I use my gomtv.net password for my email, online banking, school stuff, facebook, teamliquid, paypal, battle.net, my SC2 account, and just about every other site I have an account for. So far I haven't experienced anything fishy.
On August 13 2011 12:32 SoLaR[i.C] wrote: So let's say I use my gomtv.net password for my email, online banking, school stuff, facebook, teamliquid, paypal, battle.net, my SC2 account, and just about every other site I have an account for. So far I haven't experienced anything fishy.
What to do?
Change passwords on all of them ASAP. While you haven't been hit yet, it's likely to occur sometime in the future. Someone who has the passwords may think about selling them to a third party, or maybe even just posting them on a public site for the heck of it, or they haven't finished checking all of them on email.
So it's likely going to happen eventually, so it's best to change passwords ASAP.
If you're having trouble thinking of passwords - Just randomly think of random combos of letters and numbers and write them on a paper in a safe place (don't store on computer if possible).
On August 13 2011 12:32 SoLaR[i.C] wrote: So let's say I use my gomtv.net password for my email, online banking, school stuff, facebook, teamliquid, paypal, battle.net, my SC2 account, and just about every other site I have an account for. So far I haven't experienced anything fishy.
What to do?
Ask yourself this question:
What would you do if you lost access to all of those sites, right now?
Change your passwords, right now. Your bank may not reimburse you for unauthorized transactions if you don't, since you're not taking appropriate action in response to a potentially leaked password.
On August 13 2011 12:32 SoLaR[i.C] wrote: So let's say I use my gomtv.net password for my email, online banking, school stuff, facebook, teamliquid, paypal, battle.net, my SC2 account, and just about every other site I have an account for. So far I haven't experienced anything fishy.
What to do?
God damnit GOM
This password is stored in my muscle memory and everything..
If you've been using it for that long it's probably high time you changed it anyway.
I think this topic should be put on Featured News so it can be seen on the home page (so more people know to change their passwords on their email or other sites if they use the same email on all sites).
Thank you for the heads up on this! This is insane that this data wasn't encrypted..... with all the data pilfering lately companies really need to concern themselves with protecting their users a lot better than they have been.
On August 13 2011 12:46 bwally wrote: Good thing I haven't been supporting GOM the last few GSL, idiots.
Oh come on. GOM has been producing excellent content. Just because their IT department sucks doesn't mean you should hate on GOM.
Sony had the exact same problem and they're worth orders of magnitude more than GOM as a company.
Sony didn't store passwords in plaintext.
You have no idea how bad this is from a security standpoint.
Sony did store their passwords in plain text. Why would you post an outright lie... unless they retracted their first public statement.
Edit: They did retract what they said, though admitted to using a very crackable hash format. Either way Sony has much more money than GSL and still messed up. Also how hard is it to change your password?
1. I don't have a password with GOM 2. It's not about how easy it is to change my password (though you have to realize that people often reuse passwords across dozens of sites). It's the principle of making such a fundamental mistake when dealing with sensitive customer information.
Same username Same Password Person who has that information knows what sites you use that username and password on. Very unlikely.
2. Yes, it is irresponsible, but the level of encryption that most databases use is weak, so anyone can get your info anyway.
One for forums One for esites like newegg, gomtv, steam etc where money trades hands One for real money sites like my bank or credit card One for login's to computer/phone and other hardware
No, this goes beyond most things. Having security holes in their databasing is one thing, an amateur error that is rather embarrassing but understandable. The sheer incompetence shown by a site as professional as Gom by not even hashing their passwords is mindblowing. This is the sort of thing that often merits immediately sacking all responsible and writing a long-winded apology letter on their front page.
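The three storage choices argued about in the posts above (plaintext, a fast unsalted hash, a salted slow hash) side by side, as an added example that is not code from GomTV, Sony or any poster. It uses only the Python standard library; the iteration count and the tiny wordlist are constructed assumptions standing in for real tuning and real attacker dictionaries.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2 iteration count. Real deployments tune this up as
# hardware gets faster (or use bcrypt/scrypt/argon2 where available).
PBKDF2_ROUNDS = 100_000

# Constructed wordlist standing in for the dictionaries attackers actually use.
WORDLIST = ["password", "123456", "hunter2", "starcraft", "qwerty"]


def store_plaintext(password: str) -> str:
    """What the thread says GomTV did: the stored record is the password itself."""
    return password


def store_unsalted_md5(password: str) -> str:
    """The 'very crackable hash format': fast, unsalted, identical for every
    user with the same password, so one cracked hash unlocks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Per-user random salt plus a deliberately slow key derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    """Re-derive with the stored salt and rounds, compare in constant time."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unexpected record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_unsalted_md5(record: str, wordlist=WORDLIST):
    """Dictionary attack: one cheap hash per guess, and because there is no
    salt the table of guess->hash is reusable against every leaked record."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == record:
            return guess
    return None


def crack_pbkdf2(record: str, wordlist=WORDLIST):
    """Same attack on a salted record: each guess costs a full derivation and
    nothing learned transfers to another user's record. Note it still
    succeeds on a weak password, which is why unique passwords matter too."""
    for guess in wordlist:
        if verify_pbkdf2(guess, record):
            return guess
    return None
```

A leaked plaintext record needs no cracking at all; the unsalted MD5 falls to the first dictionary pass; the salted PBKDF2 record only falls if the password itself is in the dictionary, and then only after paying the full per-guess cost for that one user.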
I immediately changed that password and my Paypal to be safe. I should be okay as I used a unique email for that and had already changed any passwords like that one to other password because my Bnet account was compromised a few months back so I should be fine.
can't login to change the password. ahwell, we'll see how this plays out. Maybe they'll gift us all a free season ticket, due to their minimal password security
Seems like there are something going on at GOMTV right now (probably to fix this problem) because I can't login right now on either my old or new password.
wow i was talking with my mom earlier in the day (like 12 hrs ago) and she was telling me some Korean gaming network was compromised. I laughed and was like "if it was something relevant i would have heard about it by now, plus the koreans don't really have a gaming network that is big enough to be something we would hear about." thinking in my head something like PSN or something.
Well this just sucks luckily all my stuff was done through twitter but im still going to be changing all my passwords!
hmm, really unfortunate but I dunno if I was compromised or not. I created the account way back and can't even remember the password used. Last time I tried logging in, I couldn't remember my pass so I clicked the "forget password button" and got an email. I tried logging in using my email and the password and it took me to the password page. I tried putting in a new password but it kept on erroring or something, so, I either gave up and used my fb or tried to get the email resent and tried again with no luck. So, my question is: If I couldn't change the password then, does that mean that I'm pretty safe or is it possible that the next pass actually got put into the text but the website was acting up?
Storing passwords in plain text.... that's so ridiculous. If you actually make people pay for something you offer on your site, learn to give them a fuckin reliable service.
Oh wait no, the "honour" system in Korea will save us
Thankfully I don't use the same password for my important stuff as I do on random websites, so I'm usually safe when this happens (unless people REALLY want to log into my different profiles on different forums). But please GOMTV, plaintext?!
I'd like to thank R1CH for posting http://keepass.info/ for anyone who wants a super easy way to keep super important accounts secure with easy to access long strong passwords that are encrypted (in the program). Use this!
I'm already changing all my important stuff using this ty!
I made like a bajillion accounts while trolling Artosis when they were still doing post match interviews, and I can't remember all of the accounts I made
On August 13 2011 18:32 danteafk wrote: using unique passwords for each website. who does this? doing this you would have like 1000 passwords you need to remember.
@gomtv.net: profile modification is not available at this moment
just dl the keepass thing and you'll be able to store as many as you want without memorization...
Just got a message when trying to log into the email i used for gom telling me they think my account has been compromised. i do not use the same password for gom and my email. Looks like someone might be using the info. this sucks, what the hell gom. I would advise changing other passwords, not the gom one, as people have mentioned, since gom has not tightened their security as far as i know
So my best bet is to leave my gom pass the same since they havent fixed the issue yet, and just change my other passes? i should be safe that way right? even if they know my gom pass, and email address, as long as i change passwords elsewhere, im good right??? right!!!!?!?!?!?!?
On August 13 2011 18:18 nexitustl1 wrote: I'd like to thank R1CH for posting http://keepass.info/ for anyone who wants a super easy way to keep super important accounts secure with easy to access long strong passwords that are encrypted (in the program). Use this!
I'm already changing all my important stuff using this ty!
Yes, I like this program A LOT. Thank you for posting keepass!
same here. i'm looking for a way to come up with a unique password for every website that i can still remember though. keepass can generate some random pw but if for some reason i lose my data (maybe hdd crash or whatever), i'll not be able to remember my pw. any ideas guys? :/
Use the portable version + usb stick. Problem solved.
Keepass can export the passwords into a HTML file that you can print out, for example. Keep that safe (if you have someone going through your private things, you have bigger concerns than your GomTV.net password).
And backup the file to a USB drive and/or an external HD.
regularly backup your keepass, as you should do with all important stuff?!?
Funny, that so many ppl on a gaming website (so ppl who sit at the computer all day long) never heard about the fact that you should have different passwords for all websites^^
Yes, just use any site's name/organization/whatever as a basis and do a uniform transformation. For example switching the first and second letter, that way you get the passwords for the following sites: teamliquid: etamliquid gomtv: ogmtv ebay: beay
If you want to add complexity, you can consider adding the same symbols before or after it every time. For example: teamliquid: 1"3etamliquid gomtv: 1"3ogmtv ebay: 1"3beay
I used Facebook to log into GomTV, and I just got an email saying someone tried to change my password. I think I should be fine, but I'm changing it just in case. Others beware
If you're a Mac or Windows user another alternative is 1Password. While it costs money it also brings browser plugins for most common browsers to automatically fill the login forms. This way you can disable the browser's password saving function, which is quite insecure too. You can save the keychain file on Dropbox f.e. if you need your password chain on different computers (PC, Laptop).
I'm not affiliated with them in any way, just a happy customer.
LastPass is about the same, also providing extensions for all browsers to automatically store & fill username / password fields. It's free.
I've done something similar but if someone finds out i use ogmtv for gomtv he might just try afcebook for facebook etc. doesn't sound safe imo.
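The worry in the post above, made concrete: given one leaked (site, password) pair, can the "site name + fixed decoration" scheme be recovered and applied to other sites? This is an added example, not code from any poster; the list of candidate transforms is an assumption about the kinds of rules people use, and the leaked password and site names are constructed from the thread's own illustration.

```python
# Candidate rules someone might apply to a site's name. Assumption: a real
# attacker would carry a much longer list; these are enough to show the idea.
def swap_first_two(name: str) -> str:
    return name[1] + name[0] + name[2:] if len(name) > 1 else name


TRANSFORMS = {
    "identity": lambda s: s,
    "swap_first_two": swap_first_two,
    "reverse": lambda s: s[::-1],
    "capitalize": lambda s: s.capitalize(),
}


def recover_scheme(site: str, leaked_password: str):
    """Look for leaked_password == prefix + T(site) + suffix for some known T.
    Returns (transform name, prefix, suffix), or None if nothing fits."""
    for name, transform in TRANSFORMS.items():
        core = transform(site)
        start = leaked_password.find(core)
        if start != -1:
            end = start + len(core)
            return name, leaked_password[:start], leaked_password[end:]
    return None


def predict(scheme, site: str) -> str:
    """Apply a recovered scheme to another site's name."""
    name, prefix, suffix = scheme
    return prefix + TRANSFORMS[name](site) + suffix


def predictable_from(site: str, leaked_password: str, other_sites):
    """Map each other site to the guessed password, or {} when no scheme fits
    (for example a random password generated by a password manager)."""
    scheme = recover_scheme(site, leaked_password)
    if scheme is None:
        return {}
    return {s: predict(scheme, s) for s in other_sites}
```

The point is that the decoration does not add secrecy: once one password is known in plaintext, the fixed prefix falls out by subtracting the transformed site name, and every other site's password follows. A randomly generated password yields no scheme at all.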
that stuff is done with bots, although i guess they could program it that way, i doubt they do a password analysis
There is a very useful print tool in KeePass that allows you to print your whole password database.
Or you could also save them on a Flash Drive like darkness said.
I do like your suggestion, thanks! Just wanted to know if the other method is safe as well, since i've already done that and just sticking with it would save me a bit of work.
It has come to our attention that you are trying to sell your personal World of Warcraft account(s). As you may not be aware of, this conflicts with the EULA and Terms of Agreement. If this proves to be true, your account can and will be disabled. Illegal gold trading
It will be ongoing for further investigation by Blizzard Entertainment's employees. If you wish to not get your account suspended you should immediately verify your account ownership.
Login to your account, In accordance following template to verify your account.
* Account name * Account password * First and Surname * Secret Question and Answer Show * Please enter the correct information
If you ignore this mail your account can and will be closed permanently. Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation.
You think that's real ?
First the link is from the US battle.net site (I have the same mail and my account is from EU) and there's a reference in the url and the e-mail name as well is quite phony.
This is a scam. Don't fall for it. "battle.net-bizzard.battle-net-logie.net"
That email is not from Blizzard. Don't give them any info! Look at the url: battle-net-logie.net, instead of battle.net.
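The check the two replies above are doing by eye (which domain does this link really belong to?), as an added example that is not code from any poster. The set of expected domains is an assumption about where a genuine Blizzard account e-mail would link; the sample URLs are constructed around the hostname quoted in the thread, and the "/login" path is invented.

```python
from urllib.parse import urlsplit

# Assumption: the domains a genuine account e-mail would actually link to.
EXPECTED_DOMAINS = {"battle.net", "blizzard.com"}


def registrable_domain(host: str) -> str:
    """The part of the hostname the owner actually registered.
    Simplification: the last two labels. Real code should consult the Public
    Suffix List, since a host like example.co.uk needs three."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str):
    """Return (verdict, registrable domain) for a link found in an e-mail.
    urlsplit().hostname drops any 'user@' part, so a link written as
    https://battle.net@evil.example/ is correctly attributed to evil.example."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return "expected", domain
    # Brand words appearing anywhere in the hostname while the registrable
    # domain is something else is the classic lookalike pattern.
    brand_words = {d.split(".")[0] for d in EXPECTED_DOMAINS}
    if any(word in host for word in brand_words):
        return "lookalike", domain
    return "unrelated", domain
```

Everything to the left of the registrable domain is chosen freely by whoever owns it, so "battle.net-bizzard." in front of "battle-net-logie.net" proves nothing; only the last two labels identify the registrant.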
Dude remove the phishing link. It may be marred with spelling errors, and in a post about hacking, so that only an idiot would actually click on it, but I guarantee you that that idiot reads TL.
edit: and as I post lots of people quote the same link. >.<
I wouldn't press that link :<. something linking to battle.net-bizzard doesn't sound legit ^^;
Changed it. Luckily i got several passwords that i use for different things and it ain't so hard to remember.
Like i use :
1 word twice for stuff that isn't important (like a forum account) but needs 8 characters, like: treetree (tree is a random word i just used). And if i need it to be more safe i mix in 2 digits like tree37tree. But for even more important stuff i use another password again like house37car
Just use words that you won't forget like brothers name then digit then mom's name or something like that
I actually forgot my password for my GOM account. Just to be safe I changed the password for my e-mail. Strange, I keep getting an error when changing my password on GOM. It is saying that I cannot update my profile at the moment.
They most likely blocked that option, so nobody can steal your account and then will reset all the passwords and send us email or something. If they are at least a little bit sane.
Still can't believe, that anyone in this day and age would store passwords in plain text...
sigh. fuck me i think i use the same pw for almost everything. never had any problems. FU gom. Passwords in clear text.... REALLY? It's fucked up, it takes a few seconds to setup basic encoding on any website....
edit: i use a diff one for sensitive things, like my email and paypal. still annoying.
I can't believe there are still websites that store passwords in plain text. What a ridiculously amateur mistake to make.
And of course at the moment it's not possible to modify profiles, so we can't change our passwords, but that's pretty logical given that someone just stole login information for the site. I imagine they'll have to send e-mails out with unique links to unlock our accounts and force a simultaneous password change or some such, since otherwise whoever got our account information could just log in and change our password to lock us out.
On August 13 2011 20:43 AmericanUmlaut wrote: I can't believe there are still websites that store passwords in plain text. What a ridiculously amateur mistake to make.
And of course at the moment it's not possible to modify profiles, so we can't change our passwords, but that's pretty logical given that someone just stole login information for the site. I imagine they'll have to send e-mails out with unique links to unlock our accounts and force a simultaneous password change or some such, since otherwise whoever got our account information could just log in and change our password to lock us out.
You won't get locked out coz you can still use the "Forgot password" feature.
On August 13 2011 20:45 zYwi3c wrote: If i changed my password 2/3 days ago, before GOM was compromised. Can they still check what password i had before that ?
Do you really wanna take that risk? It's better safe than sorry.
This is a good point. It still makes sense that they've locked account information, though, until they can force mass password resets to prevent malicious tampering.
And to zYwi3c: There's nothing in the OP that indicates when the intrusion into GOM's system took place. In your situation, I would assume that both the old password and the new password have been compromised.
Nice workaround, though you can't change the temporary password to a password of your choosing until the modify profile option is available again
Well it is not the same pw I use for banking or my mail account. So I guess there is no problem cause I don't buy or sell stuff via Internet except via amazon.
so I'm sitting at amazon and I am waiting for the fucking captcha to load but it doesn't... cause fml
i am linking with facebook but i think i had an account before that didn't always work hm better change all pass ... thx gom .... damn if you need a programmer hire me i can make it safe for you xD
I have to admit I'm a bit lazy with my passwords, and I have tiers of passwords depending how important the website is. Unfortunately I had overstated GOMs security and should have had it at the bottom.
gomtv knew about the vulnerability since the first GSL. Someone made a forum post about this during the very first events and said it is easy to get passwords etc and that they are stored in plaintext. Post was quickly deleted from the forums and i assumed the issue will be fixed asap but obviously not.
I think there should be a public outcry about this, they had all the time in the world to fix this issue but instead just hoped nothing would happen. They have shown their technical abilities to be far lacking in other aspects as well so i guess this and future incidents are to be expected
On August 13 2011 19:26 eteran wrote: If you're a Mac or Windows user, another alternative is 1Password. While it costs money, it also brings browser plugins for the most common browsers to automatically fill the login forms. This way you can disable the browser's password saving function, which is quite insecure too. You can save the keychain file on Dropbox, e.g., if you need your password chain on different computers (PC, laptop).
I'm not affiliated with them in any way, just a happy customer.
LastPass is about the same, also providing extensions for all browsers to automatically store & fill username / password fields. It's free.
"'Network traffic anomalies' to and from the databases of the LastPass password management service have caused the company to suspect that intruders could have harvested personal information – including some customers' master passwords."
Stay away from stuff which saves your stuff online.
On August 13 2011 20:51 Scabou wrote: Profile modification is not available at the moment. Please try again at a later time.
Cool story...
Yeah.
It's fucking ridiculous. I can't change the password knowing some fuckin hackers might have it right at this moment. It really pisses me off!
What's the big rush? Scared someone is going to login to your GomTV account and WATCH SOME VODS!? OH DEAR GOD.
As long as your Paypal/e-mail passwords don't match your GomTV password, you're fine. I'm not even bothering to change my password because it's exclusive to GomTV.net.
I've always used my Twitter account to watch GSL; does anyone know if this affected that as well? Probably didn't, but even so I've already changed the passwords. Easily done since I use a lot of different passwords for different things.
On August 13 2011 03:14 R1CH wrote: Users who logged in via SNS should be safe as Twitter / Facebook authentication is token based, not password based.
They already have it, if you change it, they will still have the old one and they might also get the new one. That's why you're not allowed to change it. GOM must fix the exploit, else it's useless changing pw.
I am always hesitant to make accounts for random websites and really didn't want to make one for GOM, but it was the only way to watch GSL after GOM prohibited restreams.
At least now I know I wasn't being overly paranoid.
Awesome. This is definitely the first thing I wanted to read this morning -.- Thanks for the heads up guys. Hopefully GOM gets their shit together. Nothing we can do until they fix it at any rate.
It's been like that since the beginning... they changed minor things during the first few months from sept 2010 and up... that's it...
kinda surprised they didn't bother to at least not do what sony did... with plain text...
looks like that guy has a hex editor in the background and some kanji program with at least 7000+ characters
any chance they'll change their vods to use hi10? a 350 mb h264 video could be as small as 100-120mb... while they're at it...
My email got hacked like a few days before this was posted. It kept sending ad emails to my friends on my contact list. Anyway, I'm just glad to know I didn't get a virus. ><"
On August 13 2011 08:18 warbean wrote: I also just got this email from Blizzard for my WoW account that has been inactive for 9 months now. Looks like someone somehow got into my character and got himself banned. I use the same email for GomTV and Battle.net, although I usually sign in through SNS Twitter. Seems to be too much of a coincidence.
English speaking customers: Please refer to the start of this mail. For Spanish-speaking customers: please go to the end of this email.
***Notice of Account Closure***
Account Name: WARBEAN1
Reason for Closure: Terms of Use Violation -- Exploitative Activity: Abuse of the Economy
This account was closed because one or more characters were identified exchanging, or contributing to the exchange of, in-game property (items or gold) for "real-world" currency. This exchange process negatively impacts the World of Warcraft game environment by detracting from the value of the in-game economy.
Even if this is the result of account sharing, the account owner can still be held responsible for the penalty because of the impact it had on the game environment.
We've found the above behavior is many times directly related to groups responsible for compromising World of Warcraft accounts; we take these issues very seriously. To better understand our position against exploitative activity and the risks involved, please review this article: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=25455
The exploitative activity that took place on this account violates the World of Warcraft Terms of Use. We ask you take a moment to review these terms at http://us.blizzard.com/company/legal/index.html. Note that additional Terms of Use violations may result in more severe actions against this account, up to and including permanent closure.
Customer Services, Blizzard Entertainment, http://us.battle.net/wow/en/
***Notice of Account Closure***
Account Name: WARBEAN1
Reason for Closure: Terms of Use Violation – Exploitative Activity: Abuse of the Economy
This account was closed because one or more characters were identified trading, or contributing to the trade of, in-game property (items or gold) for "real" currency. This trading negatively impacts the World of Warcraft environment by detracting from the value of the in-game economy.
Even if this is the result of account sharing, the account owner can still be held responsible for the penalty because of the impact it had on the game environment.
We have found that the above behaviour is often directly related to groups responsible for compromising World of Warcraft accounts; we take these matters very seriously. To better understand our position on exploitative activity and the risks involved, please review this article: (http://us.blizzard.com/support/article.xml?locale=en_US&articleId=25455).
The exploitative activity that occurred on this account is against the World of Warcraft Terms of Use. We ask that you take a moment to review these terms: (http://us.blizzard.com/company/legal/index.html). Note that any additional Terms of Use violations may result in more severe measures against this account, up to and including permanent closure.
If you believe your account has been compromised, please open a petition in-game or fill in the email contact form: (https://us.blizzard.com/support/webform.xml?locale=es_MX). Our support team will assist you as soon as possible. If you cannot access your account because of a password change, please visit our Login Assistance site here: (https://us.battle.net/account/support/password-reset.html).
For any dispute about this measure, or for more information about Exploitative Activity, please visit the contact page and Frequently Asked Questions (FAQ) here: (http://us.blizzard.com/support/article.xml?locale=es_MX&tag=exploitfaq).
I've just received emails, note not email but EMAILS, from Blizz as well. They all seem to be fake though. They are all claiming various stuff, like I have to give away my bank account info to prove that I am the holder of the WoW account etc. My information has been leaked, that's for sure.
I would say you've probably gotten these emails a lot longer than 1 day; I've had them slamming my spambox for like 5 years now.
I'm getting emails from games I don't even play; my Bulk is 50% noreply@blizzard.com, WoWAccountservices@blizzard.com or WoWAccountAdmin@Blizzard.com.
While I'm glad, that my gomtv-password wasn't used on any other website, I have to wonder how little GOM seems to care for their users' privacy. Storing passwords in plain text just isn't acceptable. Neither is hardcoding login-credentials for your database in the vod-viewer of your website. (If this is in fact how the data 'theft' occurred)
But for the most part I'm disappointed in their failure to acknowledge the leak and inform their users about it. As far as I know, there is no official statement on the homepage as of yet and I have received no email either. Timing is crucial for users, who made the ill-advised choice of using their gomtv-mail-pw-combination on sites like paypal, amazon etc. as well.
Leaks will always happen. How damaging they are depends on the effort necessary to obtain the data (i.e. how much thought and work the company invested in their security mechanisms) and the manner in which the company deals with the incident (i.e. fixing the vulnerability and informing their user base about their compromised accounts). At the moment, GomTV scores an "unprofessional" rating under both aspects.
Read the first post.
I skimmed through it, thanks for pointing that out!
The system let me change my password, but the password I changed it to, plus the password I used to use, now both don't work. I suggest not changing your password until GOM gives word now, as I am locked out of my account.
You have to verify the change of the password via email. You got one from Gom after changing the password. I forgot it the first time and was like "wtf?" because no password worked.
On August 13 2011 23:46 ondik wrote: FUCK I used the same mail I used for my bnet account. Luckily passwords for my e-mail and for my bnet acc are all different, am I 100% safe?
I hit the verification link in the email unfortunately.
Was your new password maybe very long? My original password on GOM was 17 characters, but apparently they truncated it to just the first 16. So while I entered (not my real password of course): Icecream57Browser, the password ended up being: Icecream57Browse. So if your new password was longer than 16 characters, try logging in with just the first 16 characters.
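The behaviour described in that post is what a fixed-width plaintext column does when it silently truncates on insert while login compares the full submitted password. The following Python example is added here and is not GOMTV's code: the 16-character width and the `Icecream57Browser` sample come from the post, while the class and function names are hypothetical. It contrasts such a store with a salted-hash store that rejects over-long input explicitly and never writes the password itself.

```python
"""Constructed example: a plaintext column that silently truncates at 16
characters versus a salted-hash store. Not GOMTV's code; the 16-character
width and the sample password come from the forum post above."""
import hashlib
import hmac
import os

COLUMN_WIDTH = 16        # width of the assumed legacy plaintext column
MAX_PASSWORD_LEN = 128   # explicit upper bound enforced by the hardened store


class LegacyPlaintextStore:
    """Plaintext storage with silent truncation on insert.

    Registration keeps only the first COLUMN_WIDTH characters (what a
    non-strict fixed-width column does), but login compares the full
    submitted password, so a 17-character password stops working while
    its first 16 characters still log in.
    """

    def __init__(self):
        self._rows = {}

    def register(self, user, password):
        self._rows[user] = password[:COLUMN_WIDTH]

    def login(self, user, password):
        stored = self._rows.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))

    def stored_value(self, user):
        # What a database dump would reveal: the password itself.
        return self._rows.get(user)


class HashedStore:
    """Stores a per-user salt and a PBKDF2-HMAC-SHA256 digest, not the password.

    The digest has a fixed size, so the column width no longer depends on
    password length; over-long input is rejected with an error instead of
    being cut short, and a dump reveals no reusable password.
    """

    ITERATIONS = 200_000

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, HashedStore.ITERATIONS
        )

    def register(self, user, password):
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError(f"password longer than {MAX_PASSWORD_LEN} characters")
        salt = os.urandom(16)
        self._rows[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        row = self._rows.get(user)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(digest, self._digest(password, salt))

    def stored_value(self, user):
        # What a dump would reveal: salt and digest as hex, never the password.
        row = self._rows.get(user)
        return None if row is None else (row[0].hex(), row[1].hex())


def compare_stores(password="Icecream57Browser"):
    """Register the same 17-character password in both stores and report login outcomes."""
    legacy, hashed = LegacyPlaintextStore(), HashedStore()
    legacy.register("viewer", password)
    hashed.register("viewer", password)
    return {
        "legacy_full": legacy.login("viewer", password),
        "legacy_first16": legacy.login("viewer", password[:COLUMN_WIDTH]),
        "hashed_full": hashed.login("viewer", password),
        "hashed_first16": hashed.login("viewer", password[:COLUMN_WIDTH]),
        "legacy_dump_is_password": legacy.stored_value("viewer") == password[:COLUMN_WIDTH],
    }


if __name__ == "__main__":
    for key, value in compare_stores().items():
        print(f"{key}: {value}")
```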
"Profile modification is not available at the moment. Please try again at a later time" What the hell is this -_-
Good thing I changed most of my passwords after I thought I had a trojan/keylogger on one of the computers I use. My GOM password is now mostly associated with just random internet stuff, and not anything important like Emails, Steam, Facebook, etc.
Ya goddamnit, I changed every single password to every forum/game site, grr. I'm really glad my credit card that was registered with most of them expired on the 31st.
On August 14 2011 01:42 deek wrote: in the year 2011 web developers still store passwords as plain text... I really do wonder where these people learn to code. =/
Should be safe i use twitter to sign in
The sad thing is that at work we store all passwords as plaintext, too. I wanted to change it when I started until I noticed that about 15 legacy systems rely on that -.- Annoys me every time I open the database. The system is just 4 years old :-/
Really big oversight by GOM, they shouldn't make the same mistake as my company and hire the cheapest programmers they can find.
I noticed I couldn't log in to my PayPal earlier and had to reset the password, then I stroll to team liquid and find this ...... thanks R1CH for showing me the error in my ways in using the same passwords and emails xD
On August 14 2011 02:43 Finrod1 wrote: How stupid are they? I want a reparation payment by GOM, ASAP. Does anyone know how the chances are for a class-action lawsuit against GOM?
That's a pretty ugly idea, man. Ask for a refund or whatever, but class action lawsuits don't help you, hurt the defendant, and make some lucky lawyer rich.
I appreciate the crash course in internet security from poppa r1ch!
Right, thanks for the headsup but apparently now I can't login anymore because "the auth system is not working" and my account still needs verification. Yes, I have an email but that simply repeats the cycle. >.< Hoping they'll fix it soon!
You shouldn't take him seriously. He lives in Germany and here we don't ever get paid reparations for things like this (why should you? your internet personality was hurt or what? don't make me laugh, you hurt your "internet personality" with shitty statements like that much more...). Here it's not like in the States. Enterprises in Germany don't get sued for highly exaggerated reparation sums to discourage future offences like in the States; here they will only get sentenced to the sum that makes up for the damage that has been done. He perhaps is too young to know that. But no one is too young to post their BS on the internet -.-
fail by gom, but even more fail by the people that use the same passwords for things like paypal or for your email account. Still think that people are making too big deal out of this even though it sucks, if you are too lazy to manage your passwords correctly then you had it coming.
On August 14 2011 04:03 Hipsv wrote: Hmm that's also scary that they have a vulnerability for a SQL injection, because it means they have shoddy coding on their website.
Didn't the FBI or CIA or someone just get broken into with a basic SQL injection as well? During that stupid LulzSec campaign.
On August 14 2011 02:58 StimMarine wrote: Why hasn't there been an official response from GOMTV?
Seriously. You would think they would know it's important to let your users know that they need to change their passwords before their accounts get stolen...
On August 13 2011 03:14 R1CH wrote: There appears to be zero security on the passwords as they were stored in plain text (really GOM?).
Ouch. It looks like GOMTV have pulled off a Sony here (although at least Sony did encrypt their sensitive information.)
Besides, aren't there data protection laws preventing you from storing sensitive information without encryption or similar security measures? I mean IANAL (I Am Not A Lawyer) and I know absolutely jack shit about the state of data protection legislation in South Korea but wouldn't that have effectively made GOMTV's actions illegal?
If what R1CH said about how GOMTV have stored their passwords is the case then Gretech could potentially be in a lot of deep shit right now. It's especially scary because Blizzard have officially endorsed them and the GSL in Korea.
The fact that GOMTV haven't informed their customers is rubbing even more salt into the wound.
Kind of, but nothing of importance was compromised. The real CIA/FBI/Military info is stored on a secure server. I would assume via SIPRnet or a higher security clearance source. Something that is NOT available using a 'typical' internet connection.
Honestly at this point I think they're just hoping if they say nothing less people will notice.
Hmm, I think GOMTV just removed the thread about this matter on their boards, I can't find it anymore, and I'm guessing no official word has been said from them yet?
Why in the world are people changing their GOMTV passwords before we even have confirmation that the exploit has been fixed? Am I the only one facepalming at all the posts saying that people have changed their GOM passwords?
What worries me isn't that they were compromised...but the fact that information was stored in plain txt and that Gom hasn't issued any kind of statement yet. Shit happens, but that's unacceptable.
On August 14 2011 05:08 Rorak wrote: Hmm, I think GOMTV just removed the thread about this matter on their boards, I can't find it anymore, and I'm guessing no official word has been said from them yet?
Also, Rich, I'm disappointed in you. Why would you recommend keepass instead of lastpass? Is it because keepass is open source? You can't use it from multiple computers. I think it's better to use lastpass.
got KeePass as well, seems awesome so far... I recommend setting up a backup in a dropbox and maybe a few different hard drives too, as if you lose your database its gonna cause you a lot of hassle!
Lastpass could be sending your passwords to the developer. In fact the same mechanism as your comic: cool free application that gets a lot of downloads and then they have your information.
Open source is required for anything like this.
So you trust a single person (the developer) to your passwords. Isn't that better than having to navigate through folders and transferring your passwords on usb every time you want to log into facebook?
It seems like you're overcomplicating things for no reason.
On August 14 2011 06:08 Zyxds wrote: Well, GOM doesn't allow you to change profile info all of a sudden. Seems kinda shady to me.
Seems like its a smart idea until they get it fixed, otherwise you'd be sending all your new passwords to the same people who exploited this the first time. But hey, shady sounds evil, so we'll go with that.
I still use lastpass despite it being sort of compromised some weeks ago, but even then the passwords that may or may not have been taken were still encrypted and people with lengthy passes would take forever to decrypt nonetheless. And since then I changed my own lastpass master pass to be something convoluted and over 20 alphanumeric.
As to the issue of it being sent to the dev, don't know anything about that, though it's a possibility with just about any of these password services that can remain as a risk.
I just tried watching the second game from a match and it asked me to login, when I did it asked me to create a new password. The new password requires a length of at least 8 characters, a capital letter, and an alpha-numeric character.
Makes me glad I log in to GOM via facebook.
The people who hacked into lastpass (potentially, not certain if they even did) were only in long enough to get like 20 passwords from their database. Lastpass is pretty secure.
OK so I can't even log into my GOM account anymore. I could last night, but now it's saying
"You have not verified your account. To complete sign up process, please check your verification email", which I have not received; it then says "Sorry, Wrong access". I dunno what's going on, last night I could log in just fine even though I couldn't change my pass, but now I can't even log in.
Yeah, I'll put my trust in the company that made my info publicly available in the first place, sounds like a legit plan to me...
Simply setup a dropbox (or external SVN, which I personally prefer) and keepass becomes just as portable as lastpass. In any case, I think such password management is really a must nowadays, just as this whole story demonstrates.
On August 14 2011 07:28 slicknav wrote: I just tried to watch some VOD's since my account seems to fine, I was asked to change my password, so it seems like they fixed it?
The real question is if they changed something in their system...
You're right, GOM literally posted thousands of passwords in public.
Come on dude I was just saying there's no point in entering new passwords if the exploit still existed since your new passwords would be compromised as well. You thought trying to stop people from getting their new passwords stolen until they fixed it was shady.
This is the reason why I don't use PayPal, why I don't do any form on online banking or billing, and why I fabricate a lot of information on accounts that I sign up for. The Playstation 3 deal taught me a lesson. Always always always lie on the internet when you're filling in forms, only change it to the truth when you want warranty or something sent to you.
I find it unbelievable that companies can just store information in a txt file. It's like they just open up Notepad and then a fuck was not given on that day. Completely unacceptable and irresponsible.
No, I thought being unable to access my profile was shady, and it is. I don't really like being completely locked out of my personal info. based on the oversight of some random company. But hey, that's just me.
I know how to handle myself online and nothing of mine is compromised, I just don't like being locked out of my own profile when I've paid for services with said site.
We regretfully inform you that approximately at 2 AM KST, Aug.12th, there has been an attack against our web site, GOMTV.net.
We have found that some of the user information from GOMTV.net has been compromised from the attack. We suspect that the following information might have been exposed: name, location (country), e-mail address, GOMTV.net nickname and password.
We deeply apologize for the inconvenience and concern caused by the intrusion.
Since we use PayPal’s service to handle payments, we do not store nor have any payment related information on our site including your credit card numbers and bank account details.
We strongly encourage you to change your GOMTV.net password and if you have been using the same password for other web sites, we suggest changing the passwords for those sites as well.
Users who have signed up with Facebook or Twitter do not have to worry about changing their passwords as they did not have to enter separate passwords at the time of sign up.
As soon as we discovered the sign of intrusion we have conducted a complete investigation into the incident and have also taken steps to enhance security and strengthen our network system in order to provide you with better protection of your personal information.
We greatly appreciate your patience and understanding and we pledge to work harder to bring you a better and greater service experience.
If you have any concerns or questions please feel free to contact us at support@gomtv.net.
Blizzard locks your account when it's been hacked until they fix it. Paypal locks your account when it's been compromised until they fix it. Banks lock your accounts when they've been compromised until they fix it. It's a required step to stop further damage until it's fixed, nothing shady about that.
I have to say I'm happy how this was handled by GOM. 1-2 days notice is better than none at all - many companies will actively try to cover up or downplay such attacks or claim that sensitive data was never stolen.
Had I been notified by GOM before said action had taken place (i.e. an e-mail similar to what R1CH had gotten), I would be satisfied. I don't like being locked out of MY OWN accounts due to a company's incompetence.
I don't like being left in the dark when it's my info at stake.
Also, Rich, I'm disappointed in you. Why would you recommend KeePass instead of lastpass? Is it because KeePass is open source? You can't use it from multiple computers. I think it's better to use lastpass.
Lastpass could be sending your passwords to the developer. In fact the same mechanism as your comic: cool free application that gets a lot of downloads and then they have your information.
Open source is required for anything like this.
I still use lastpass despite it being sort of compromised some weeks ago, but even then the passwords that may or may not have been taken were still encrypted and people with lengthy passes would take forever to decrypt nonetheless. And since then I changed my own lastpass master pass to be something convoluted and over 20 alphanumeric.
As to the issue of it being sent to the dev, don't know anything about that, though it's a possibility with just about any of these password services that can remain as a risk.
Makes me glad I log in to GOM via facebook.
The people who hacked into lastpass (potentially, not certain if they even did) were only in long enough to get like 20 passwords from their database. Lastpass is pretty secure.
Your post shows the exact reason why LastPass can't work, even if they only got 20 passwords. It's 20 passwords to paypal/banks/battlenet accounts etc. LastPass will store the info in their database with an encryption key, but the problem is anyone else can get the encryption key as it's in their program. It's like having a shop with everyone's information for free if you can break into the shop; history has shown us even those in Internet Security have lax security.
To attempt it with KeePass would require the hacker to break into your computer first, and that's very unlikely to happen unless you were personally targeted, because developing a worm that searched for users who ran KeePass and had an exploit available for them to access is too much time, when they could break into LastPass and steal thousands of important user names and passwords.
We have identified a potential breach of our forum user database that occurred Friday morning, Aug 12. We have reset your forum password as a precaution, in the event that any encrypted forum user passwords were compromised.
When you next try to login to the forums, your old password will not work. Click the "I've forgotten my password link" underneath the login boxes, and follow the steps to setup a new password for your account.
We recommend you do not use your old password or a password you have used for other sites. Further, if your old forum password was used for any other online purposes, we recommend changing the password on those accounts as well.
Also, Rich, I'm disappointed in you. Why would you recommend KeePass instead of lastpass? Is it because KeePass is open source? You can't use it from multiple computers. I think it's better to use lastpass.
Lastpass could be sending your passwords to the developer. In fact the same mechanism as your comic: cool free application that gets a lot of downloads and then they have your information.
Open source is required for anything like this.
I still use lastpass despite it being sort of compromised some weeks ago, but even then the passwords that may or may not have been taken were still encrypted and people with lengthy passes would take forever to decrypt nonetheless. And since then I changed my own lastpass master pass to be something convoluted and over 20 alphanumeric.
As to the issue of it being sent to the dev, don't know anything about that, though it's a possibility with just about any of these password services that can remain as a risk.
Makes me glad I log in to GOM via facebook.
The people who hacked into lastpass (potentially, not certain if they even did) were only in long enough to get like 20 passwords from their database. Lastpass is pretty secure.
Your post shows the exact reason why LastPass can't work, even if they only got 20 passwords. It's 20 passwords to paypal/banks/battlenet accounts etc. LastPass will store the info in their database with an encryption key, but the problem is anyone else can get the encryption key as it's in their program. It's like having a shop with everyone's information for free if you can break into the shop; history has shown us even those in Internet Security have lax security.
To attempt it with KeePass would require the hacker to break into your computer first, and that's very unlikely to happen unless you were personally targeted, because developing a worm that searched for users who ran KeePass and had an exploit available for them to access is too much time, when they could break into LastPass and steal thousands of important user names and passwords.
20 secure passwords that potentially could've been stolen. There was no evidence that anything was stolen, only that there was an unusual amount of bandwidth at a weird hour.
I don't know much about the encryption algorithm they use at lastpass, but let's put it this way. This is not a college student project. They do not reuse the same exact encryption key on every user. I suspect they use something like rainbow encryption tables http://en.wikipedia.org/wiki/Rainbow_table. The hackers were not able to get the encryption key... and they can not get the encryption keys.
Lastpass can not access your passwords so hackers can't either.
Your Security Is Our Priority
LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on. LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities. We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data. We've taken every step we can think of to ensure your security and privacy.
Availability
You need to always have access to your data, we've accomplished this in multiple ways, first we have 2 data-centers in production service, second we store your encrypted data on your local PC when you login, so that if LastPass.com can't be reached, you can still login to the add-on and get to your accounts. The website is usable without the add-on installed (the Encryption and Decryption happens in JavaScript which you can see happen on some forms), but we take advantage of faster encryption available in the add-ons if they're available. We also have a mobile site m.lastpass.com if you're on your phone.
Security
On Windows, LastPass helps find insecure passwords stored on your computer so you can store them securely in LastPass and remove the easy access by malicious software. LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic -- the amount of data is trivial so the extra encryption doesn't hurt. Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either.
https://lastpass.com/whylastpass_technology.php?fromwebsite=1 I think what the bolded part means is that lastpass uses private decryption keys on the client side. Like when the developer at lastpass looks at the passwords in their tables, they are all encrypted passwords. The developer doesn't know how to decrypt the passwords, only you have the decryption key.
In other words, if the passwords were secure enough (not a dictionary word), the encryption would've saved the users even if they were stolen. If they weren't, well then it'd be easier to just hack paypal or your bank account and these idiots should stop using "password" as their primary password for everything.
The passwords are all stored in huge gigabyte large files filled with garbage, and when 20 of them are transferred, the server automatically detects the hack and shuts down.
In addition, lastpass doesn't normally store information on banking accounts or paypal accounts because the paypal and banks sites tell lastpass not to.
I'll end my long post like this: Lastpass probably isn't infinitely secure. The worst thing that could happen is that the primary developer is really evil. But it is more secure than just about anything else out there including your banks' sites and paypal.
KeePass is open source. There are many concerns about open source being insecure. http://www.internetnews.com/skerner/2010/03/is-open-source-software-more-s.html You made the claim that someone could potentially create a worm to take passwords from KeePass. Well someone could (and you say they wouldn't), but it'd be significantly easier to create keylogger malware or something similar. If someone gets access to your computer through a virus, your computer is no longer yours, so I seriously doubt KeePass is any safer than lastpass in that respect.
I couldn't even create a GOMTV.net username/password in the early days when I wanted to watch SC2 games. Because I couldn't, I was forced to sign-up on twitter - just so I could watch GOMTV.
So I suppose things are totally safe on my end here? And yes I use different passwords for everything.
So GOMTV is safe now right (or at least they're trying to fix the security holes atm?). Also only thing compromised are user info, the site itself (like admin password, etc) isn't compromised right?
On August 14 2011 08:17 Zinnwaldite wrote: how do I find out my nick? I can't sign in with my password and need to know the nick to reset... *_*
Though I think the nick is right, it's just not working.
Same with me dude! I think we got hacked and they changed our nicknames because you can do that I think.
I sent them an email with a few details for them to give me my accounts back, I suggest you do the same.
support@gomtv.net
Just had a response and they said this:
Dear User:
Your nickname has not been modified by anyone. At the moment we have a similar problem with users' e-mails containing an underscore ( _ ). This will be fixed momentarily.
We greatly appreciate your patience and understanding and we pledge to work harder to bring you a better and greater service experience.
Apart from GOM's apology I would personally like to apologize for the inconvenience and concern we have caused you.
Please, if you have not yet, visit GOMTV.net to change your GOM password. Clicking sign in and entering your ID (e-mail address) and old password will direct you to change your password.
If you have been using the same password for other web sites, please change the passwords for those sites as well.
Hang on, what the hackers got are hashed and salted passwords, right?? I mean no fucking moron would be stupid enough to save passwords in plaintext. Seriously if they did then they should be sued into the fucking ground because that would be such utter stupidity on a level I just don't understand.
On August 14 2011 07:49 R1CH wrote: I have to say I'm happy how this was handled by GOM. 1-2 days notice is better than none at all - many companies will actively try to cover up or downplay such attacks or claim that sensitive data was never stolen.
That's true.
We need to uncover who was really behind these attacks. Was it Kespa? (Sc1 Elitists?)
Was it just some hacker trying to make a buck getting E-mails for spam and/or passwords that might correlate with peoples Paypal account.
We may never know. But let's hope they find out who committed this attack against their website. It was bad enough the security of their site was severely lacking; I hope they can find out who did this and bring them to justice for an attack on E-Sports.
Long Live GomTv and the GSL for their Great contribution to E-Sports for SC2 Thank you.
Sucks having to change all of my passwords and everything but I can't really say I'm upset because I enjoy watching Koreans play while Tastosis talks about random stuff, livin' the good life.
On August 14 2011 08:51 D_K_night wrote: The ironic thing in all this, is this:
I couldn't even create a GOMTV.net username/password in the early days when I wanted to watch SC2 games. Because I couldn't, I was forced to sign-up on twitter - just so I could watch GOMTV.
So I suppose things are totally safe on my end here? And yes I use different passwords for everything.
Lol. When GSL started last summer I found that most days that foreigners were playing it was impossible to log in with gomtv user/pass, so I switched to twitter auth which was more likely to work.
I sent GOM an email asking for further details. I got a pleasantly quick reply and looks like they're patching things up nicely.
Dear User:
1. Yes, we have re-designed our site over the 24 hours.
2. Yes, there is no more plain text in our server.
3. Yes, SQL injection attacks are no more a threat to us.
We greatly appreciate your patience and understanding and we pledge to work harder to bring you a better and greater service experience.
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
This has nothing to do with premium tickets. Anyone who has a GOM account that did not sign up via facebook or twitter had their password leaked.
You likely have a GOM account, the question is how did you sign up.
We regretfully inform you that approximately at 2 AM KST, Aug.12th, there has been an attack against our web site, GOMTV.net.
We have found that some of the user information from GOMTV.net has been compromised from the attack. We suspect that the following information might have been exposed: name, location (country), e-mail address, GOMTV.net nickname and password.
We deeply apologize for the inconvenience and concern caused by the intrusion.
Since we use PayPal’s service to handle payments, we do not store nor have any payment related information on our site including your credit card numbers and bank account details.
We strongly encourage you to change your GOMTV.net password and if you have been using the same password for other web sites, we suggest changing the passwords for those sites as well.
Users who have signed up with Facebook or Twitter do not have to worry about changing their passwords as they did not have to enter separate passwords at the time of sign up.
As soon as we discovered the sign of intrusion we have conducted a complete investigation into the incident and have also taken steps to enhance security and strengthen our network system in order to provide you with better protection of your personal information.
We greatly appreciate your patience and understanding and we pledge to work harder to bring you a better and greater service experience.
If you have any concerns or questions please feel free to contact us at support@gomtv.net.
On August 14 2011 10:51 Cashmere wrote: I sent GOM an email asking for further details. I got a pleasantly quick reply and looks like they're patching things up nicely.
Dear User:
1. Yes, we have re-designed our site over the 24 hours.
2. Yes, there is no more plain text in our server.
3. Yes, SQL injection attacks are no more a threat to us.
We greatly appreciate your patience and understanding and we pledge to work harder to bring you a better and greater service experience.
Thank you
GOMTV.net
That is good to hear. This should probably be added to the OP just so a few less people freak out about it.
My battle.net E-Mail is the same as the one I use on GOM, and someone just tried to reset my battle.net account password. I would suggest changing your battle.net password too, or attaching an authenticator.
Thank God I just use a different password for everything.
Funnily enough, I signed up with the same password that got leaked from PSN because I typed it in without thinking when signing up late at night. No additional information for you, hackers!
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
This doesn't make any sense. 1) The GSL has had tons of amazing games, for a pretty low price. 2) Purchasing a GSL premium ticket does not mean anything was stolen from you. 3) How does not purchasing the premium ticket reward you now?
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
You must be...retarded? No personal credit card/paypal/anything information is stored on their site. You could have bought every premium ticket ever and nothing would happen.
GOM made a huge and unfortunate mistake that caused inconvenience among many users, to which they apologized and already made the necessary security changes. GOM has been amazing to SC2 so far and we should continue to support them.
So technically the only accounts on sites or such that are compromised are those where I use my email and that particular password both at the same time?
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
Of course you haven't. This has absolutely nothing to do with money.
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
What's with the saving passwords in plain text? I thought Sony taught everyone that it's a really really bad idea. Yet it's not the last retard born... I'm getting tired of changing my passwords all the time because someone was lazy and forgot to add like 20 lines of code.
It saddens me to witness how many people fail to grasp the basic concept of internet security.
* People attempting to change their passwords WHILE the database is being compromised.
* People complaining about the database being locked whilst this actually serves as protection for them.
* People who use different passwords for different services, and thus are totally unaffected, yet still acting like this is the end of the world.
* People who actually use the same password for everything. Really? Those people still exist?
* Aforementioned people changing all the passwords to their other accounts and yet still continuing to use a single password.
This thread is one huge, tragic reminder of how daft and hopeless people in general can be.
On August 14 2011 12:51 Weson wrote: What's with the saving passwords in plain text? I thought Sony taught everyone that it's a really really bad idea. Yet it's not the last retard born... I'm getting tired of changing my passwords all the time because someone was lazy and forgot to add like 20 lines of code.
I think it's because, well, hackers simply never bothered to hack game related companies. When there was almost no risk of getting hacked people simply didn't bother with security. After this whole Sony fiasco hackers suddenly started attacking a lot of sites and, well, it seems the security plain sucks since they never thought it could happen.
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
How exactly are you rewarded? By other people's security info being stolen? That is just beyond sad.
This is another example of the reason to have at least two passwords (perhaps more): for accounts you don't care if they get compromised (like GOMTV) and accounts that you do (like anything to do with money).
I don't blame Gom (although passwords should not be stored in plain text in general). In fact, they did something right by having payment via PayPal. Internet security is simply too complicated for every small shop to do it right. (Even big shops have issues). So, I'm sorry this happened, but not at all surprised.
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
You sound like a dick and probably are one.
great post... with such hostility...
It's a good thing he waited longer before he put any money into the system since earlier on they had security issues ( which had come to past eventually ).
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
How exactly are you rewarded? By other people's security info being stolen? That is just beyond sad.
Since he's not an early bird, he doesn't experience the bugs in the old system. It's like getting one of those early iPod things, but then the next one has all those problems eliminated (+ significantly larger HDD size) or most of them, and improved upon.
On August 14 2011 12:51 Weson wrote: What's with the saving passwords in plain text? I thought Sony taught everyone that it's a really really bad idea. Yet it's not the last retard born... I'm getting tired of changing my passwords all the time because someone was lazy and forgot to add like 20 lines of code.
I think it's because, well, hackers simply never bothered to hack game related companies. When there was almost no risk of getting hacked people simply didn't bother with security. After this whole Sony fiasco hackers suddenly started attacking a lot of sites and, well, it seems the security plain sucks since they never thought it could happen.
It's possible that sony is just a big target and gom is highly unlikely to get attacked since it's less known.
Unfortunately I can confirm that my login information was used on August 10th (2 days prior to their claim that accounts were hacked) to access my xBox live account with the same login information as my GomTV account. Then, on that account, purchases were made worth ~$125. I would advise anyone that doesn't take this issue seriously to reconsider, as the information was distributed and used for malicious purposes.
My real point here, much like the previous post, is to note that if you use the same password for accounts which have access to stored credit card information, change the login and passwords! When these lists of information are sold, the account information is run on hundreds of sites to see if they can log into any of them, and if so, certain steps are taken to make a financial gain of that information. I never expected GomTV to disregard security and am disappointed in the hoops I had to jump through to restore my financial situation.
Damn it Gom. If I had any alternative to watching the GSL (without staying up until 4:30am...) I would have angrily gone to a competitor. Fix this now.
Too bad I had to change all my passwords. I loved that password. Put so much thought into it and used it for a lot of stuff.
Fare thee well, perfect password. Fare thee well...
Hope this doesn't mess with the site visits too much though. Still love ya GOM.
Edit: wow, this seriously messed with some people. That's too bad. Maybe this isn't so easily forgivable. I mean, I'm fine, but that's really too bad for some. GOM should take this really seriously.
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
This made zero sense... What does this have to do with you paying or not? You still had an account. If you paid or did not pay the outcome would be the same. What effort did you make? According to yourself you did nothing! What reward did you get, that the website got hacked or what? How can this possibly be a rewarding experience for you?
On August 14 2011 10:47 Meta wrote: Once again I'm glad I've never paid for a premium ticket to watch the GSL. From day 1 I've maintained that it's a waste of money, and I'm glad I've finally been rewarded for my efforts.
This made zero sense... What does this have to do with you paying or not? You still had an account. If you paid or did not pay the outcome would be the same. What effort did you make? According to yourself you did nothing! What reward did you get, that the website got hacked or what? How can this possibly be a rewarding experience for you?
He probably thinks that the hackers got credit card info from the people that paid for membership. To anyone that thinks this: they were at least smart enough to equip that with another site's more trusted security (PayPal, I think), so no one's credit card info was leaked directly from the site.
I had the same passwords in BNET and GOMTV. Today I can't log in to either of them; I've just changed my password in both using password reset.
I don't know if my BNET account was compromised... because I didn't receive a mail informing a password change.. but I tried mine and it said it was wrong.
I fixed it using password recovery and changed to a new one, but I'm not really sure if they accessed my account.
Passwords stored in plain text? wtf? Did they get a 10 year old to write their login system? Even basic piece of crap frameworks hash your passwords by default.
It's a miracle it didn't happen earlier, btw: non-sanitized input = ownage, leaving your Postgres unpatched and most likely open to the world = pure ownage... In the end do not get mad at the hacker / scriptkiddie; especially when we talk about a site where paid services are available, leaving such blatant security holes is totally unacceptable.
Now for the serious part: A simple 'sorry' from GOM is not enough, because people may lose important data if using the same mail/pass combo on other sites. As paying customers we have the right to demand something in return, like Sony did without people asking for it, but I doubt GOM will. I guess at least a free season / HQ + VODs / is in order - for all users, and we must demand that! Anyway it would be in their benefit: more viewers, and they can stream the HQ with ads version so it won't be a total loss.
The 'sorry' just sounds like sarcasm to me considering the gross negligence of their mistake.
Bye gomtv! I won't continue to trust your mediaplayer either since my firewall/av didn't like it anyway. Maybe this is an unreasonable reaction from my side .. but someone who lacks that much sense for customer security certainly won't become a chance to have a program run on my computer.
Sloppy move GOM. I am reluctant to do business with companies who cannot protect personal data. Clear text passwords? You may as well make your luggage combination '12345'. Thanks for the heads up, R1CH.
I had the same passwords in BNET and GOMTV. Today I can't log in to either of them; I've just changed my password in both using password reset.
I don't know if my BNET account was compromised... because I didn't receive a mail informing a password change.. but I tried mine and it said it was wrong.
I fixed it using password recovery and changed to a new one, but I'm not really sure if they accessed my account.
I contacted Blizzard support and they answered me in 15 minutes at this hour! Fantastic.
Well, my bnet account wasn't accessed by anybody except me :D. So, it was not compromised.
But I will keep changing all my passwords (BECAUSE I DON'T REMEMBER WHAT PASSWORD I WAS USING ON GOM! THE ONE I HAD STORED IN FIREFOX WAS OLD and I kept logged in by cookies... This is really annoying).
Really Gom? Require us to use 8+ character alphanumeric passwords and you don't even hash/salt them? What's the point of a secure password if you're gonna store them in plain text. Require us to use the player and also require us to register just to take our passwords, that's probably the reason for storing them in plaintext in the first place, what the fuck >:O
Damn, I used my secondary password on GOM so it's not that big of a deal, but still I have to change my backup email account and my China Bnet account password. Thanks for the heads up R1CH!!
Trying to log into gomtv.net right now brings up a change password screen, with the caption "Protect Your Valuable Personal Information. Information that hasn’t been modified for a long period of time could be exposed to and abused by others."
Considering they don't mention the exploit at all, this is very disingenuous. I mean, "oh, we didn't make a mistake. It's just that you haven't changed your password in a long time..."
On August 14 2011 14:42 ABCSFirebird wrote: The 'sorry' just sounds like sarcasm to me considering the gross negligence of their mistake.
Bye gomtv! I won't continue to trust your mediaplayer either since my firewall/av didn't like it anyway. Maybe this is an unreasonable reaction from my side .. but someone who lacks that much sense for customer security certainly won't become a chance to have a program run on my computer.
Considering that their media player is a rip-off of ffmpeg, you can pretty much assume that as a rule they aren't too competent on the technical side of things.
On August 14 2011 12:27 Rylaji wrote: So technically the only accounts on sites or such that are compromised are those where I use my email and that particular password both at the same time?
Wow I am so glad I used Twitter to sign up for this...one good thing about this whole "unified" log-in thing FB and Twitter are starting to do, I guess. Though I do have to ask...why did the OpenID initiative start losing ground? After I got one I started to see it pop up everywhere. I guess Facebook's log-in started to take over and seem more appealing. Bummer.
On August 14 2011 18:40 TheShadowZero wrote: Wow I am so glad I used Twitter to sign up for this...one good thing about this whole "unified" log-in thing FB and Twitter are starting to do, I guess. Though I do have to ask...why did the OpenID initiative start losing ground? After I got one I started to see it pop up everywhere. I guess Facebook's log-in started to take over and seem more appealing. Bummer.
The problem with this is that if facebook gets compromised, it's insta-access to all other websites. If you have one login per site, if it gets compromised, in theory only this site is compromised - though using one password for everything kind of defeats it again.
Whenever you get an email telling you to change your password go to the site by typing the URL manually or using a bookmark, never by following a link in the email. The risk of getting taken by some phishing scam is far too great.
Hi, I'm using keepass for almost two months (as R1CH suggested in some older thread, thanks btw) and have a random password for each site. The thing is, the email used in logging on gomtv is used for a few more sites. Should I take any extra security steps (I changed gomtv password) and is spamming my email the worst thing that can happen (doubt someone would brute-force email)? Thanks!
This is quite bad. I work in IT security and I have sent an email to GomTv discussing this issue.
I have asked the following questions :
For complete transparency, and as a user, I would like you to answer the following questions for me:
- Are passwords actually stored in plain text?
- How many user accounts have been compromised (how many user accounts in the DB)?
- What are the steps you are taking for this not to happen again?
To my pleasant surprise, they did reply within one hour with the following : "Dear Jeremy.
1. No they were not plain text. But there was a part of section where it was plain text. We are investigating how that had happened.
2. We are under investigation.
3. As soon as we found out about the hacking we have brought a team to re-build for better security of our system. For it not to occur again as a support team we do not have solid answer for you yet. But from what we heard we will be bringing teams to test our server(security) regularly.
Thank you for your time to take interest in our situation. And we apologize for the incident.
GOMTV.net"
I am not sure I understand answer 1, "They are not plain text but yeah they are" is a bit concerning, question 2 they completely avoided and answer to 3 means support does not have much more information than we do.
All in all, as has been said before, you should:
- Change your GomTV password as soon as possible
- Change your password on any website / service where you used the same password (facebook, twitter, gmail, TL, forums, anything)
- Credit card and bank details are SAFE as they do not process the payments themselves (they go through Paypal).
Unfortunately these issues with user data security are not limited to GomTV (hello Sony), and as such it is very important not to reuse passwords over several sites.
Website programmers should really start to take this stuff seriously. I've got like 100 different accounts (most of them not active) on various sites around the web, and it seems like I get an email every other week, or read somewhere on the web, that I have to change my password on this or that site because they have had a breach.
On August 14 2011 21:33 R3N wrote: I use the same password (with or without numbers) for EVERYTHING (mail, forums, games etc.) since 9-10 years back. I ain't going to change it.
I ***REALLY*** hope I wasn't hit
You really, really should (MUST). At least for everything involving your bank account (obviously), social network accounts (social contacts can be exploited) and your mail account (for password recovery). Bots can be used to automatically exploit your logins in which case something bad is bound to happen.
On August 14 2011 21:16 Flwz wrote: This is quite bad, I work in IT security and I have sent an email to GomTv discussing this issue.
I have asked the following questions :
For complete transparency, and as a user, I would like you to answer the following questions for me:
- Are passwords actually stored in plain text?
- How many user accounts have been compromised (how many user accounts in the DB)?
- What are the steps you are taking for this not to happen again?
To my pleasant surprise, they did reply within one hour with the following : "Dear Jeremy.
1. No they were not plain text. But there was a part of section where it was plain text. We are investigating how that had happened.
2. We are under investigation.
3. As soon as we found out about the hacking we have brought a team to re-build for better security of our system. For it not to occur again as a support team we do not have solid answer for you yet. But from what we heard we will be bringing teams to test our server(security) regularly.
Thank you for your time to take interest in our situation. And we apologize for the incident.
GOMTV.net"
I am not sure I understand answer 1, "They are not plain text but yeah they are" is a bit concerning, question 2 they completely avoided and answer to 3 means support does not have much more information than we do.
All in all, as has been said before, you should:
- Change your GomTV password as soon as possible
- Change your password on any website / service where you used the same password (facebook, twitter, gmail, TL, forums, anything)
- Credit card and bank details are SAFE as they do not process the payments themselves (they go through Paypal).
Unfortunately these issues with user data security are not limited to GomTV (hello Sony), and as such it is very important not to reuse passwords over several sites.
It could be multiple files compromised, and the plain text file being preeetty important.
However, I gotta admit, Gom's pretty good if they were able to answer these questions with pretty good transparency in such a short time.
Man, what is with all these plain text password catastrophes. I work in the IT line myself and it's really not much effort to implement at least a half-decent encryption.
On August 15 2011 00:17 Shootist wrote: Man, what is with all these plain text password catastrophes. I work in the IT line myself and it's really not much effort to implement at least a half-decent encryption.
As I always say: 99% of programmers have no clue about anything and shouldn't work in that sector... sadly they do -.-
On August 15 2011 00:17 Shootist wrote: Man, what is with all these plain text password catastrophes. I work in the IT line myself and it's really not much effort to implement at least a half-decent encryption.
I dunno, that one function call is a bit of a doozie.
On August 15 2011 00:17 Shootist wrote: Man, what is with all these plain text password catastrophes. I work in the IT line myself and it's really not much effort to implement at least a half-decent encryption.
Encryption is already implemented on mysql database or on google
On August 14 2011 21:33 R3N wrote: I use the same password (with or without numbers) for EVERYTHING (mail, forums, games etc.) since 9-10 years back. I ain't going to change it.
I ***REALLY*** hope I wasn't hit
You were.
On August 15 2011 00:46 Trigger1101 wrote: Is it safe to buy now ?
It was always safe to buy. Bank information is not stored on the site. It is all done via Paypal. If paypal gets hacked on the other hand...
are the new passwords GOMTV told us to change into going to be safe? because all my important account details such as my email, paypal etc are all using the same 'new' password that i just made.
On August 15 2011 02:09 hiturheartx wrote: are the new passwords GOMTV told us to change into going to be safe? because all my important account details such as my email, paypal etc are all using the same 'new' password that i just made.
Ehmz, I hope for your sake that you are just trolling... If not, this situation clearly hasn't taught you anything. I advise you to read through this thread a bit more...
On August 15 2011 02:09 hiturheartx wrote: are the new passwords GOMTV told us to change into going to be safe? because all my important account details such as my email, paypal etc are all using the same 'new' password that i just made.
Well, I wake up this morning to see that someone bought $110 worth of microsoft points on my xbox live account. I guess that's what I get for keeping cc information saved on my XBL account. time to get this shit reversed...
Fuck. Time to go running around changing pws for a few sites just in case they try those too.
So I am a bit confused now. Gom encourages us to change the PW but some people keep saying that it is still not safe. I don't want to have to change all PWs again when I do it now. Can anyone confirm it is safe now?
Checked my massive list of firefox saved passwords, and the gomtv one is indeed my base password for around 1300 others, but it's paired with my "smurf" email account I use for shit I don't trust. :D Turns out I was a noob when I signed up for GOM, and didn't know what it was.
Changed my password anyway, according to XKCD's password entropy guide.
On August 15 2011 02:09 hiturheartx wrote: are the new passwords GOMTV told us to change into going to be safe? because all my important account details such as my email, paypal etc are all using the same 'new' password that i just made.
Bad strategy bro.
Really GOM? lol thanks RICH
why the heck would GOM ask us to change our password again if it still isn't being secured?
On August 15 2011 02:09 hiturheartx wrote: are the new passwords GOMTV told us to change into going to be safe? because all my important account details such as my email, paypal etc are all using the same 'new' password that i just made.
Bad strategy bro.
Really GOM? lol thanks RICH
why the heck would GOM ask us to change our password again if it still isn't being secured?
Yes, they said that security measures have been made. But you still need a unique password for Paypal and each important site like that. Gom is maybe more secure now, but we don't know whether it will be hacked again (like any other site could be).
On August 15 2011 02:09 hiturheartx wrote: are the new passwords GOMTV told us to change into going to be safe? because all my important account details such as my email, paypal etc are all using the same 'new' password that i just made.
On August 15 2011 02:09 hiturheartx wrote: are the new passwords GOMTV told us to change into going to be safe? because all my important account details such as my email, paypal etc are all using the same 'new' password that i just made.
How rude of you to come into this thread and troll people who actually made the mistake of using the same passwords and had stuff stolen because of this. Coming in here trolling like this is very, very rude. Also, for the slim chance you are being serious, you are just dumb.
Changed my GOMtv password this morning after I received an email and read this thread. I already can't remember what I changed it to .. :< farewell best memorable password ever! ;__;
On August 15 2011 02:43 Sewi wrote: So I am a bit confused now. Gom encourages us to change the PW but some people keep saying that it is still not safe. I don't want to have to change all PWs again when I do it now. Can anyone confirm it is safe now?
Yeah is it safe?
Also @hiturheartx - You should always use different passwords for each site.
Maybe you can use the same password for lesser important sites (like GOMTV or just forums where there's no major risk if you lose the accounts) but at least use unique passwords for sites like paypal, your email addresses, etc.
Also this sort of thing sadly happens very frequently. I remember when "Mozilla" (yes, them >.<) accidentally uploaded account name and password database of Firefox Addon accounts in a public place where it could be downloaded by everyone.
Yes, so if Mozilla screws up like that, other major companies can screw up too (we already have GOMTV, Sony, EA and Bioware, etc. that have all had these same problems). It really is unfortunate, but it happens quite often.
Yep that was when I first learned to never use the same password for sites ever again.
On August 15 2011 03:15 Asday wrote: Checked my massive list of firefox saved passwords, and the gomtv one is indeed my base password for around 1300 others,
1300?! I've been saving passwords in Mozilla/Firefox for 10 years, and I only have ~100 saved, most of which are for sites I haven't loaded in a long time.
On August 15 2011 03:15 Asday wrote: Checked my massive list of firefox saved passwords, and the gomtv one is indeed my base password for around 1300 others, but it's paired with my "smurf" email account I use for shit I don't trust. :D Turns out I was a noob when I signed up for GOM, and didn't know what it was.
Changed my password anyway, according to XKCD's password entropy guide.
Lol, at the picture. Couldn't you theoretically just make the password guessing script try out combinations of dictionary words? I figure this would vastly decrease the number of possible passwords.
edit: no that's stupid. There still might be a way to do it though. Like make the script not try any combinations of letters unless they are dictionary words. It'd at least increase efficiency slightly.
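The question above is exactly the one the XKCD strip answers: the entropy figure for a passphrase already assumes the attacker only tries combinations of dictionary words, so "restricting the script to dictionary words" is the attack model, not a shortcut around it. The following is an added example (not from the thread or any poster) that computes the attacker's search space for a word-based passphrase versus a character-based password and generates passphrases with a CSPRNG. The eight-word list and the assumed dictionary size of 2048 (2^11, the size the strip uses) are constructed placeholders; a real passphrase list has thousands of entries.

```python
import math
import secrets

# Constructed mini wordlist standing in for a real diceware-style list.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "lemon", "canyon", "velvet"]
# Assumed size of the dictionary the attacker enumerates (2^11 words).
DICTIONARY_SIZE = 2048
PRINTABLE_ASCII = 95  # characters an 8-char "complex" password can draw from

SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_entropy_bits(num_words, dictionary_size=DICTIONARY_SIZE):
    """Bits of entropy when num_words are drawn uniformly from dictionary_size words.

    This already models an attacker who guesses only word combinations:
    the search space is dictionary_size ** num_words, nothing larger.
    """
    return num_words * math.log2(dictionary_size)


def charset_entropy_bits(length, charset_size=PRINTABLE_ASCII):
    """Bits of entropy for a password of `length` uniformly random characters."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(num_words, words=SAMPLE_WORDS):
    """Pick words with secrets.choice (CSPRNG), never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def compare(num_words=4, password_length=8, guesses_per_second=1000):
    """Side-by-side summary of both strategies at one online guess rate."""
    return {
        "passphrase_bits": passphrase_entropy_bits(num_words),
        "passphrase_years": years_to_exhaust(
            passphrase_entropy_bits(num_words), guesses_per_second),
        "password_bits": charset_entropy_bits(password_length),
        "password_years": years_to_exhaust(
            charset_entropy_bits(password_length), guesses_per_second),
    }


if __name__ == "__main__":
    print(generate_passphrase(4))
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}")
```

Four words from a 2048-word list give 44 bits, roughly 550 years at 1000 guesses per second, which is the figure in the strip; the real lesson for this thread is that people actually choose neither style uniformly at random, which is why a generated password per site (keepass, as suggested earlier) beats any memorable scheme.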
Well, guess that was a forced password overhaul for me (I use a few passwords for quite some sites). Of course I deleted my Gomtv account since it wasn't a paid account and I didn't watch much gomtv anyway..
Hopefully GOM has done their share of damage control and learned their lesson from this. Sucks when things like this happen but storing information in plain text is kind of outrageous, especially with the recent hackings of multiple industries (PSN, Bioware, etc.). Guess Gom will just have to step up their security in case someone tries again. Thanks for the heads up R1CH!
On August 14 2011 21:16 Flwz wrote: This is quite bad, I work in IT security and I have sent an email to GomTv discussing this issue.
I have asked the following questions :
For complete transparency, and as a user, I would like you to answer the following questions for me:
- Are passwords actually stored in plain text?
- How many user accounts have been compromised (how many user accounts in the DB)?
- What are the steps you are taking for this not to happen again?
To my pleasant surprise, they did reply within one hour with the following : "Dear Jeremy.
1. No they were not plain text. But there was a part of section where it was plain text. We are investigating how that had happened.
2. We are under investigation.
3. As soon as we found out about the hacking we have brought a team to re-build for better security of our system. For it not to occur again as a support team we do not have solid answer for you yet. But from what we heard we will be bringing teams to test our server(security) regularly.
Thank you for your time to take interest in our situation. And we apologize for the incident.
GOMTV.net"
I am not sure I understand answer 1, "They are not plain text but yeah they are" is a bit concerning, question 2 they completely avoided and answer to 3 means support does not have much more information than we do.
All in all, as has been said before, you should:
- Change your GomTV password as soon as possible
- Change your password on any website / service where you used the same password (facebook, twitter, gmail, TL, forums, anything)
- Credit card and bank details are SAFE as they do not process the payments themselves (they go through Paypal).
Unfortunately these issues with user data security are not limited to GomTV (hello Sony), and as such it is very important not to reuse passwords over several sites.
I would read 1 as the passwords were encrypted in storage, but they may have logged logins to a flat file or something similar.
Anyone else suddenly have the GOM toolbar without installing it today? I came back from work and it was suddenly there when I opened firefox. No one else uses my computer as I just live with my girlfriend and she got back from work later than me. I've disabled it cos I don't trust it and when I go to uninstall it, it asks if I want to let some weird filename have access to my computer.
On August 15 2011 18:52 BuzZoo wrote: Anyone else suddenly have the GOM toolbar without installing it today? I came back from work and it was suddenly there when I opened firefox. No one else uses my computer as I just live with my girlfriend and she got back from work later than me. I've disabled it cos I don't trust it and when I go to uninstall it, it asks if I want to let some weird filename have access to my computer.
Maybe you should scan your PC for viruses! That is not normal oO
On August 15 2011 18:52 BuzZoo wrote: Anyone else suddenly have the GOM toolbar without installing it today? I came back from work and it was suddenly there when I opened firefox. No one else uses my computer as I just live with my girlfriend and she got back from work later than me. I've disabled it cos I don't trust it and when I go to uninstall it, it asks if I want to let some weird filename have access to my computer.
Maybe you should scan your PC for viruses! That is not normal oO
I don't even think that it's so bad that they got hacked... It's just that they did not have the passwords encoded... I mean really? A lot of companies get hacked, but their information is usually useless, because it would take too long to decrypt the information.
wow they have a terrible system -.- when I saw that thread I immediately changed the password on gomtv and was kinda curious why gom didn't have any information on their site.
now I logged in and the system wanted me to change the already changed password again -.- good that the system is crappy anyway because I could change it and change it back..
Good thing I use a unique password on my email; even if something else gets hacked my mail will be safe. It's kinda unsettling though seeing the info get stolen.
On August 14 2011 21:16 Flwz wrote: This is quite bad, I work in IT security and I have sent an email to GomTv discussing this issue.
I have asked the following questions :
For complete transparency, and as a user, I would like you to answer the following questions for me:
- Are passwords actually stored in plain text?
- How many user accounts have been compromised (how many user accounts in the DB)?
- What are the steps you are taking for this not to happen again?
To my pleasant surprise, they did reply within one hour with the following : "Dear Jeremy.
1. No they were not plain text. But there was a part of section where it was plain text. We are investigating how that had happened.
2. We are under investigation.
3. As soon as we found out about the hacking we have brought a team to re-build for better security of our system. For it not to occur again as a support team we do not have solid answer for you yet. But from what we heard we will be bringing teams to test our server(security) regularly.
Thank you for your time to take interest in our situation. And we apologize for the incident.
GOMTV.net"
I am not sure I understand answer 1, "They are not plain text but yeah they are" is a bit concerning, question 2 they completely avoided and answer to 3 means support does not have much more information than we do.
All in all, as has been said before, you should:
- Change your GomTV password as soon as possible
- Change your password on any website / service where you used the same password (facebook, twitter, gmail, TL, forums, anything)
- Credit card and bank details are SAFE as they do not process the payments themselves (they go through Paypal).
Unfortunately these issues with user data security are not limited to GomTV (hello Sony), and as such it is very important not to reuse passwords over several sites.
I would read 1 as the passwords were encrypted in storage, but they may have logged logins to a flat file or something similar.
I'm a web application developer, and that sounds pretty plausible. Passwords are generally posted in plain text when you log in to a site, then they're used to generate a hash that is compared to the hash stored in the database - if the hashes are identical, then the password is (considered to be) correct. I could imagine a situation where someone writes a sloppy transaction log that stores posted values and that log is accessed by an intruder. It at least sounds more plausible than a site as big as Gom storing passwords in plain text.
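The "sloppy transaction log" scenario described above is a common way a site that hashes its passwords still ends up with a plain-text copy on disk. The following is an added example, not code from the thread or from GOM, showing the careless request log next to two defensive versions: a redaction helper applied before logging, and a logging.Filter that masks dict arguments so a developer who forgets the helper still cannot write a posted password to the log. The form field names, the log format and the sample credentials are constructed for the example.

```python
import logging
import re

# Field names that should never reach a log verbatim (assumed naming convention).
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|cvv|card", re.IGNORECASE)

# Constructed POST body of a login request; "hunter2" is a placeholder password.
SAMPLE_FORM = {"username": "alice", "password": "hunter2", "remember": "1"}


def redact_form(form):
    """Return a copy of a posted form with sensitive-looking fields masked."""
    return {k: ("[REDACTED]" if SENSITIVE_KEY.search(k) else v)
            for k, v in form.items()}


def sloppy_log_line(path, form):
    """The failure mode discussed above: every posted value written as-is.
    Anyone who can read this file can read every user's password."""
    return f"POST {path} form={form!r}"


def safe_log_line(path, form):
    """Same line, but the password field is masked before it is formatted."""
    return f"POST {path} form={redact_form(form)!r}"


class FormRedactingFilter(logging.Filter):
    """Masks sensitive fields in any dict passed as a logging argument,
    so the protection does not depend on each call site remembering to."""

    def filter(self, record):
        if isinstance(record.args, dict):           # logger.info("%s", form)
            record.args = redact_form(record.args)
        elif isinstance(record.args, tuple):        # logger.info("%s %s", path, form)
            record.args = tuple(redact_form(a) if isinstance(a, dict) else a
                                for a in record.args)
        return True


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def log_request_filtered(path, form):
    """Log a request through a logger guarded by FormRedactingFilter and
    return the single line that was written."""
    logger = logging.getLogger("example.auth")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    logger.handlers = [handler]
    logger.filters = []
    logger.addFilter(FormRedactingFilter())
    logger.info("POST %s form=%r", path, form)
    return handler.lines[0]


if __name__ == "__main__":
    print(sloppy_log_line("/login", SAMPLE_FORM))
    print(safe_log_line("/login", SAMPLE_FORM))
    print(log_request_filtered("/login", SAMPLE_FORM))
```

The filter is a safety net, not a substitute for the helper: a password interpolated into the message string itself (rather than passed as an argument) bypasses it, which is one more reason to keep raw request bodies out of log statements entirely and to treat existing transaction logs as sensitive data during an incident.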
My passwords generally evolve, and the password I used on GoM was my password from about 2 years ago... I had a hard time tracking down any useful site I still used it for, but yikes. No encryption or anything on the GOM site?
Make sure you change the password to your email address too, I'd say a lot of people used the same password for their gom account as their email address, if you use that email on Ebay/Amazon/Paypal login change that too.
Hackers already have your password on file (along with a million others) and will probably be shooting it around forums and such, so it's not like changing it on GOM will help that much.
Fucking GOM, companies that aren't proactive about their security never will be, even if they patch all their current problems, because they don't know crap about security their coders will just create more holes for breaches as they keep making their crap media player. So I will never trust them in the future.
On August 15 2011 19:21 Velr wrote: 21 failed login attempts on my e-mail account. But last login still 10 days ago so I seem to be fine.
Fun times.
Did you really think they want your account details so they can log into GOM?
According to their response, they had only just hired a team to test it occasionally.
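The "21 failed login attempts" above is the user-side view of a leaked credential list being replayed against other services. On the service side the same activity shows up as one source address failing against many different accounts, which is distinguishable from a single user mistyping. The following is an added example (not from the thread) of that detection logic run over a constructed authentication log; the log format, addresses and account names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed auth log: one address spraying several accounts (with one hit),
# plus a burst of failures against a single mailbox from two addresses.
SAMPLE_AUTH_LOG = """\
2011-08-15T19:20:01Z ip=203.0.113.7 user=alice result=FAIL
2011-08-15T19:20:02Z ip=203.0.113.7 user=bob result=FAIL
2011-08-15T19:20:02Z ip=203.0.113.7 user=carol result=FAIL
2011-08-15T19:20:03Z ip=203.0.113.7 user=dave result=FAIL
2011-08-15T19:20:03Z ip=203.0.113.7 user=erin result=OK
2011-08-15T19:20:04Z ip=203.0.113.7 user=frank result=FAIL
2011-08-15T19:21:10Z ip=198.51.100.4 user=velr result=FAIL
2011-08-15T19:21:11Z ip=198.51.100.4 user=velr result=FAIL
2011-08-15T19:21:12Z ip=198.51.100.4 user=velr result=FAIL
2011-08-15T19:22:10Z ip=198.51.100.5 user=velr result=FAIL
2011-08-15T19:22:11Z ip=198.51.100.5 user=velr result=FAIL
2011-08-15T19:22:12Z ip=198.51.100.5 user=velr result=FAIL
2011-08-15T19:30:00Z ip=192.0.2.10 user=grace result=FAIL
2011-08-15T19:30:05Z ip=192.0.2.10 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_failures=5, min_distinct_users=4):
    """Addresses whose failures spread over many distinct accounts.

    Returns {ip: {"failures": n, "distinct_users": n, "successes": [users]}}.
    A success from a flagged address is an account that is very likely
    compromised and should be locked and re-credentialed.
    """
    failed = defaultdict(list)
    succeeded = defaultdict(list)
    for e in events:
        (failed if e["result"] == "FAIL" else succeeded)[e["ip"]].append(e["user"])
    flagged = {}
    for ip, users in failed.items():
        if len(users) >= min_failures and len(set(users)) >= min_distinct_users:
            flagged[ip] = {"failures": len(users),
                           "distinct_users": len(set(users)),
                           "successes": sorted(set(succeeded.get(ip, [])))}
    return flagged


def find_targeted_accounts(events, min_failures=5):
    """Accounts receiving many failures: what a user sees as 'N failed attempts'."""
    per_user = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            per_user[e["user"]] += 1
    return {u: n for u, n in per_user.items() if n >= min_failures}


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    print(find_stuffing_sources(evts))
    print(find_targeted_accounts(evts))
```

The thresholds are deliberately low to fit the sample; on real traffic they are tuned per service, and the two views complement each other: the per-source view finds the replay campaign, the per-account view finds the users who should be told to rotate any password they reused.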
On August 16 2011 04:38 sluggaslamoo wrote: Fucking GOM, companies that aren't proactive about their security never will be, even if they patch all their current problems, because they don't know crap about security their coders will just create more holes for breaches as they keep making their crap media player. So I will never trust them in the future.
It's unfortunate that they only have like 6 options in their media player for renderer options ( a few VMR7/9's / overlay mixer, but no option to use madVR as a video renderer ), and it also doesn't work with vsfilter either.
Hmm, just received an e-mail asking me to verify my new battle.net account registered to my e-mail I used to register with GOM. My real battle.net account uses a smurf e-mail.
On August 16 2011 07:43 Sokalo wrote: Hmm, just received an e-mail asking me to verify my new battle.net account registered to my e-mail I used to register with GOM. My real battle.net account uses a smurf e-mail.
Greeeat.
Same, which is really interesting. The email account I use for GOM is different than that of Battle.net, yet I got an email from Blizzard saying that my account has been locked until I verify who I am.
On August 15 2011 18:59 kyophan wrote: I think the answer is probably not necessary, but just to make sure. Is it recommended that I get a new main email?
Yep, it's not really needed. Just make sure your password is unique to that email only and make sure it's long and contains a combo of numbers and letters.
Though I recommend using or creating an email solely for lesser important sites like forums and GOMTV for example. Like my previous post, so far this has happened to - GOMTV, Sony, Bioware, EA games, Mozilla (they accidentally uploaded passwords/account info somewhere based on firefox addon accounts >.<), etc.
You can create one email for talking with friends only (but said email is not registered to any site or forum). The reason for this is typically sometimes friends may actually do a reply all or whatever instead of using BCC causing all "their" friends or contacts to see your email. Basically a lot of people will know your email address and the more you have, the more chances someone may try to steal it (This is just to be extra safe or paranoid if you want as the chances of people trying to get into your email are probably low and the chances of them succeeding are much lower if you use a unique long password. This is just to be safe).
Create one main/important email all the important things like bank, paypal, battle.net, etc. You can additionally also add things like Steam account, or EA Games and/or Playstation Network or if you can just create another email for those.
Finally a third(or fourth if you're doing the latter of the above) email for stuff that isn't as important like GOMTV, forums, etc. That is if you lose that email, no major damage would be done and nothing too valuable would be lost.
Yeah I know it's overkill and typically one or two emails is enough but if you want to be extra safe, I'd suggest at least having one email dedicated to stuff that isn't as important like forums or the like. This will be your "throw away email" (if it gets hacked or lost, nothing too bad would happen since it's not your main email).
It's a good system and most email providers do not really care if you make multiple accounts and use them.
Finally of course use all different passwords for everything.
Also remember to log into every email you have at least once every two weeks or so.
Most email providers have a term where if your account is inactive for a certain amount of time (I think Yahoo for example is 2 or 3 months and gmail is maybe 9 months), it gets deleted due to inactivity. So log onto your account at least once every two weeks or so (make sure to do a quick memory scan with anti virus software[avast for example has it if you set up a memory scan] or super antispyware, malware bytes, windows defender, etc just in case before logging on all your email).
On August 15 2011 18:59 kyophan wrote: I think the answer is probably not necessary, but just to make sure. Is it recommended that I get a new main email?
Yep, it's not really needed. Just make sure your password is unique to that email only and make sure it's long and contains a combo of numbers and letters.
Though I recommend using or creating an email solely for lesser important sites like forums and GOMTV for example. Like my previous post, so far this has happened to - GOMTV, Sony, Bioware, EA games, Mozilla (they accidentally uploaded passwords/account info somewhere based on firefox addon accounts >.<), etc.
You can create one email for talking with friends only (but said email is not registered to any site or forum). The reason for this is typically sometimes friends may actually do a reply all or whatever instead of using BCC causing all "their" friends or contacts to see your email. Basically a lot of people will know your email address and the more you have, the more chances someone may try to steal it (This is just to be extra safe or paranoid if you want as the chances of people trying to get into your email are probably low and the chances of them succeeding are much lower if you use a unique long password. This is just to be safe).
Create one main/important email all the important things like bank, paypal, battle.net, etc. You can additionally also add things like Steam account, or EA Games and/or Playstation Network or if you can just create another email for those.
Finally a third(or fourth if you're doing the latter of the above) email for stuff that isn't as important like GOMTV, forums, etc. That is if you lose that email, no major damage would be done and nothing too valuable would be lost.
Yeah I know it's overkill and typically one or two emails is enough but if you want to be extra safe, I'd suggest at least having one email dedicated to stuff that isn't as important like forums or the like. This will be your "throw away email" (if it gets hacked or lost, nothing too bad would happen since it's not your main email).
It's a good system and most email providers do not really care if you make multiple accounts and use them.
Finally of course use all different passwords for everything.
Also remember to log into every email you have at least once every two weeks or so.
Most email providers have a term where if your account is inactive for a certain amount of time (I think Yahoo for example is 2 or 3 months and gmail is maybe 9 months), it gets deleted due to inactivity. So log onto your account at least once every two weeks or so (make sure to do a quick memory scan with anti virus software[avast for example has it if you set up a memory scan] or super antispyware, malware bytes, windows defender, etc just in case before logging on all your email).
What about having a catch all address? :p
I have gomtv@..., teamliquid@..., blizzard@..., paypal@..., twitter@... and a lot more.
It's a nice way to trace where the spam comes from. For example I recently received a mail that my ddo@... address, which I only used for Dungeons and Dragons Online for about half an hour, was used to register a WoW account on SEA, so now I know that D&D Online has a leak and can't be trusted anymore.
It never hurts to have more emails ( one for each webpage/forum you visit ) with different accounts and passwords since you'll get less spam on your more important emails.
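The per-site address scheme above doubles as a leak detector: mail arriving at an alias from anyone other than the site it was handed to is evidence that the site lost the address. The following is an added example (not from the thread) that automates that check over a constructed inbox. The alias registry, the expected sender domains and the sample messages are made up for the example; the ddo alias receiving an account-verification mail from an unrelated gaming domain mirrors the case described in the post.

```python
from email.utils import parseaddr

# Constructed registry: alias local part -> the site it was given to and the
# domains that site is expected to send from. All names are placeholders.
ALIAS_REGISTRY = {
    "gomtv": {"site": "GomTV", "expected_domains": {"gomtv.example"}},
    "ddo": {"site": "Dungeons and Dragons Online",
            "expected_domains": {"ddo.example"}},
    "paypal": {"site": "PayPal", "expected_domains": {"paypal.example"}},
}

# Constructed inbound headers, not real mail.
SAMPLE_INBOX = [
    {"to": "ddo@example.org", "from": "noreply@ddo.example",
     "subject": "Patch notes"},
    {"to": "ddo@example.org", "from": "accounts@wow-sea.example",
     "subject": "Verify your new account"},
    {"to": "PayPal <paypal@example.org>", "from": "service@paypal.example",
     "subject": "Receipt"},
    {"to": "gomtv@example.org", "from": "promo@bulkmail.example",
     "subject": "Cheap pills"},
    {"to": "unknown@example.org", "from": "x@y.example", "subject": "hi"},
]


def alias_of(address):
    """Local part of the recipient, lower-cased; display names are stripped."""
    _, addr = parseaddr(address)
    return addr.partition("@")[0].lower()


def sender_domain(address):
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def trace_leaks(messages, registry=ALIAS_REGISTRY):
    """Return {alias: [unexpected sender domains]} for registered aliases that
    received mail from a domain other than the site they were given to.
    Unregistered aliases are ignored (catch-all noise, not evidence)."""
    leaks = {}
    for msg in messages:
        entry = registry.get(alias_of(msg["to"]))
        if entry is None:
            continue
        domain = sender_domain(msg["from"])
        if domain not in entry["expected_domains"]:
            leaks.setdefault(alias_of(msg["to"]), []).append(domain)
    return leaks


def leaking_sites(messages, registry=ALIAS_REGISTRY):
    """Human-readable list of sites that appear to have leaked their alias."""
    return sorted(registry[a]["site"] for a in trace_leaks(messages, registry))


if __name__ == "__main__":
    for alias, domains in trace_leaks(SAMPLE_INBOX).items():
        print(f"{ALIAS_REGISTRY[alias]['site']}: mail from {', '.join(domains)}")
```

Sender domains are trivially forgeable, so this attributes the leak, not the sender; the useful output is the list of sites whose alias should be retired and whose password should be treated as exposed, which is the same action the thread recommends for GomTV.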
My e-mail and facebook password were changed, the IP address that logged in was from South Korea (219.248.84.141). They weren't the same PW as my gom account, which is rather unsettling. I could have a virus? but it seems too suspicious to be a coincidence.
Someone actually hacked into my neteller account and tried to change the password. At least Neteller is a secure bank and cut him off because the intruder used a different IP. This shows again how your email account really can be a weak link in your personal defence.
On August 16 2011 18:16 YokaY wrote: My e-mail and facebook password were changed, the IP address that logged in was from South Korea (219.248.84.141). They weren't the same PW as my gom account, which is rather unsettling. I could have a virus? but it seems too suspicious to be a coincidence.
That's not good. Were the passwords short or long and how similar are they to the GOM account?
Read the comments on this story. For the most part, if a hacker has access to your system, they have access to whatever method you use to decrypt, so it's kind of pointless.
Read the comments on this story. For the most part, if a hacker has access to your system, they have access to whatever method you use to decrypt, so it's kind of pointless.
Unless there is no way to decrypt it (or at least no way to decrypt it in 10000 years). Which is the right way to go about password protection.
Store an encrypted password E. When a user enters password P, you perform the encryption on P and compare the result with E. This is the accepted method for password protection.
This is done either by having several passwords map to the same encrypted string (ala md5), or have a type of encryption where decryption is a very hard computational problem that would take millions of years with millions of supercomputers. Or a combination.
This is a huge business, it's unacceptable to have plain-text passwords on their server like this. This is an example where a company neglects technology, and they are going to lose a lot of customers because of this. I won't make any more purchases on their website. I'll just watch match 1 of each series and not risk my info.
Read the comments on this story. For the most part, if a hacker has access to your system, they have access to whatever method you use to decrypt, so it's kind of pointless.
Wouldn't fault GOM for storing passwords in plain text? Are you kidding me?
Passwords are, or always should be, hashed whenever a new user registers. The password should NEVER be stored, and only the resulting "digest" of the cryptographic hash function is stored. When a user authenticates, their input should be passed through the same hash function and compared to the hashed entry in the database.
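The store-E-and-recompute scheme described a few posts up and the register/authenticate flow described here are the same technique; the following is an added example (not from the thread, and not GOM's code) implementing both with a salted, iterated, one-way password hash from the Python standard library. The record format, the iteration count and the in-memory user table are assumptions for the example; a production system would keep the same shape on top of a real database.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000   # assumed work factor; raise as hardware allows
SALT_BYTES = 16


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return 'algorithm$iterations$salt$digest' (hex fields).

    The digest cannot be reversed to recover the password; the per-user
    random salt means two users with the same password get different
    records, and a precomputed table is useless against the whole database.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:          # malformed record, wrong field count, bad hex
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Hash checked for unknown usernames so that a login attempt takes the same
# time whether or not the account exists (no username enumeration by timing).
_DUMMY_RECORD = hash_password("dummy-password-placeholder")


def register(users, username, password):
    """Store only the hash record; the password itself is never kept."""
    users[username] = hash_password(password)


def login(users, username, password):
    """Authenticate against the stored record; True only on an exact match."""
    record = users.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)   # burn the same time
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    table = {}
    register(table, "alice", "correct horse battery staple")
    print(table["alice"])
    print(login(table, "alice", "correct horse battery staple"))
    print(login(table, "alice", "wrong"))
```

Two details matter beyond "hash it": the salt is generated per record with os.urandom, and the comparison uses hmac.compare_digest rather than ==, so neither a shared rainbow table nor a timing side channel helps an attacker who obtains the table. Note that the breach scenario discussed above, a plain-text copy captured at login time, is outside what any storage scheme can fix.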
On August 13 2011 03:29 zeru wrote: On August 13 2011 03:28 sermokala wrote: How is my teamliquid information stored? the TL wizard keeps a magic barrier up 24/7.
I forgot that I used the same password for my twitter account and it was hacked two days ago. Thanks a lot Gom for storing plain text passwords... great job and no compensation, really?
I didn't use the same password, but a part of it, on my battle.net account. Tonight my bnet account got taken over. Seems like they are not just working on matching stuff automatically, but are trying to figure out stuff themselves.
So be aware, even if you changed all your passwords, it might still happen. It took them until now to get to me.
PS. No, I haven't had any strange things happen to me outside of the gom thing, and I have never been hacked before this.