Have GTA Forums database been compromised?

[glenmcd]

I recently received a spam email with subject "Seriously! I'm just on the lookout for husband!". Attachment: qrrnrm.jpg. Body: "Don't you enjoy my very own image?".

 

Does this ring any bells for you? Coz the email address that this was sent to is one that was provided exclusively to GTA Forums and never at any time to another entity. I have something like four hundred email addresses, each exclusive to some person or organisation that needs "my email address". It's my way of both controlling spam and identifying companies or individuals that compromise the personal information that I trust them with. In this case, I don't know GTA Forums well enough to know for sure that anyone can just go and discover any members email address if they want to. I do know that I joined GTA Forums in 2010 and until now have not posted any messages at all. So I'd imagine that the only way that someone would find my GTA Forums email address is to either find it in my profile, or get it through means that are not acceptable, such as hacking into the site or purchasing private database information, should GTA Forums stoop low enough to do such a thing. Which I seriously doubt.

 

In the past when I've discovered similar things, it's always come back to hackers getting into the site and stealing all personal information of members. Confirmation by members in threads such as this confirmed the compromise, followed by a public apology by the organisation and in most cases a significant change in security procedures. If this is true this time also, then I believe that as members we deserve to have at the minimum, an explanation of when, how and why our personal information has been leaked to spammers (and through whatever number of intermediates).

 

It is extremely easy to find out the scope of this issue. Look in your own email inbox for the above spam. Did you receive it just prior to the date of this post? Was it sent to the same email address that you provided to GTA Forums?

 

 

[Finn 7 five 11]

Go to your profile, look on the right, your email address link is right there, someone could come on and email you from there.

I just sent you an email to tell you that i hacked GTAF.

 

Click "Edit My Profile" ---> Options --->Email settings -----> Tick "Hide email address" box.

 

There you go, no more "hackers" will be sending you emails.

Edited September 5, 2012 by finn4life

[tuff_luv_capo]

I recently received a spam email with subject "Seriously! I'm just on the lookout for husband!". Attachment: qrrnrm.jpg. Body: "Don't you enjoy my very own image?".

 

Does this ring any bells for you? Coz the email address that this was sent to is one that was provided exclusively to GTA Forums and never at any time to another entity. I have something like four hundred email addresses, each exclusive to some person or organisation that needs "my email address". It's my way of both controlling spam and identifying companies or individuals that compromise the personal information that I trust them with. In this case, I don't know GTA Forums well enough to know for sure that anyone can just go and discover any members email address if they want to. I do know that I joined GTA Forums in 2010 and until now have not posted any messages at all. So I'd imagine that the only way that someone would find my GTA Forums email address is to either find it in my profile, or get it through means that are not acceptable, such as hacking into the site or purchasing private database information, should GTA Forums stoop low enough to do such a thing. Which I seriously doubt.

 

In the past when I've discovered similar things, it's always come back to hackers getting into the site and stealing all personal information of members. Confirmation by members in threads such as this confirmed the compromise, followed by a public apology by the organisation and in most cases a significant change in security procedures. If this is true this time also, then I believe that as members we deserve to have at the minimum, an explanation of when, how and why our personal information has been leaked to spammers (and through whatever number of intermediates).

 

It is extremely easy to find out the scope of this issue. Look in your own email inbox for the above spam. Did you receive it just prior to the date of this post? Was it sent to the same email address that you provided to GTA Forums?

Dwight Shrute? Is that you?

[Spider-Vice]

Even if it had been compromised, the hacker would have a hard time putting it on his own website or leaking anything of value. Passwords are encoded so he couldn't do anything, well, except take computer power to decode them, but the Staff would've known immediately and advised everyone to change their passwords. Besides, he could keep it anyway, it would be an old copy. It's not easy to hack one though.

[Crokey]

I'm finding it very hard to think of a diplomatic reply to this topic without it looking like I'm waltzing in here and flaming you, which I'm not, but...

 

Welcome to the Internet, the home of spam. It doesn't matter how many email address you set up, who you let know of that email address, if you even do let anybody know. Your email provider could have what is considered to the best anti-spam filters in the world and guess what spam will get through.

 

I could go an setup another unique email address and do nothing with it, and chances are I'll get at least 1 spam message within a year of not week.

 

Sorry if that seems like a flame, it's not I'm just pointing out the obvious. As even if the Forums database had been hacked, using that info to send out useless spam would be the least of the 'hackers' priorities.

 

An Admin would be able to confirm this, but I very much doubt that this forum would be 'source' of your spam.

[Spider-Vice]

Didn't sound like a flame at all. It's true, any adware can just grab any random website from your history and send you such email. There are bots who clone emails, I could use a bot now and send an email to you with an @gtaforums.com address. It's just a spoofer.

If the database had been compromised we'd have been informed.

[MIKON8ERISBACK]

Before you blame the website, you have to take into account your own failure to properly configure your privacy settings. Only after you sort that issue out can you just point fingers at website owners.

[DataGhost]

Same story here, I have dedicated mail addresses for each site I visit. I just received an e-mail sent from Yahoo (according to the From:, the Received:, the X-Mailer: and some other Yahoo-specific headers). It was sent to some other e-mail address (so mine was probably in BCC, I did confirm that it was the address for this site), it had a Reply-To: header and it had an attachment. All these details make it incredibly unlikely that the mail form this site presents as a means of sending mail to other members was used to send this spam. If anyone can show me how to reveal a "non-hidden" e-mail address, please do. Until then, it is more likely that the database was hacked or leaked.

 

Gareth Croke: good luck sending multiple different people similar e-mails on only the dedicated mail address they use for gtaforums.com and not on any of the other hundreds of mail addresses for other sites. Also, try figuring out [email protected] in just one guess. My mail logs show no attempts for other addresses. The chances of that are astronomical without a database dump or other site leak.

 

Spider-Vice: the admins may not even know about it. I don't know if you know anything about server management but it's not as if there is a special "we have been hacked" light. Usually, these things go completely unnoticed until they start sending out spam to people like glenmcd and me.

 

MIKON8ERISBACK: go find a profile with a non-hidden mail address (default setting, so anyone who just registered will certainly do), tell me the address and how you found it. Until then, I'm sticking with leaked addresses.

[glenmcd]

"Dwight Shrute? Is that you?"

 

And f*ck you too.

 

[fireguy109]

 

If anyone can show me how to reveal a "non-hidden" e-mail address, please do. Until then, it is more likely that the database was hacked or leaked.

 

MIKON8ERISBACK: go find a profile with a non-hidden mail address (default setting, so anyone who just registered will certainly do), tell me the address and how you found it. Until then, I'm sticking with leaked addresses.

It says "click me" next to email under the Communicate tab, and it lets the clicker send you an email. If your email is not hidden anyone who is a member can send you stuff, and IIRC it will come from their email and they can find the email in their "sent" box later - with your email as the address. Even if they can't, all they have to do is send it from their own GTAF account via the "click me" button and you'll still get it.

 

Example - http://www.gtaforums.com/index.php?showuser=728587

Edited September 9, 2012 by fireguy109

[DataGhost]

 

[..]

It says "click me" next to email under the Communicate tab, and it lets the clicker send you an email. If your email is not hidden anyone who is a member can send you stuff, and

Yes, very nice. I got that far already, maybe I was not clear. Anyway, there are some issues with this.

 

 

IIRC it will come from their email

Yes, it probably will. It is completely trivial for anyone to send you an e-mail (given they have your address of course) "from" [email protected] or [email protected] or whatever you like*. But

 

 

and they can find the email in their "sent" box later

nobody is getting any e-mails into my sent-box, EVER, period. Not unless they know where my sent box is and have my username and password, which they don't**. Wouldn't it be great if I sent an e-mail to your bank "from you" telling them to transfer all your money to me and have that mail sitting nicely in YOUR sent-box afterwards? Good luck telling them it wasn't you.

 

 

Even if they can't, all they have to do is send it from their own GTAF account via the "click me" button and you'll still get it.

Yes but I'll get it from either their mail address or a generic gtaforums address, without attachments, without reply-to address and with my mail address in the To: field***. I saw none of this in the mail I received.

 

 

* there are some "boundary" cases in which this will not hold but that is due to spam filtering software and SPF-records, outside the scope of this thread.

** For 99% of people, they will, since 99% use hotmail, gmail, yahoo etc. and use the same password (as their mailbox password) for each site. In that case the forum software *MIGHT* log into their account (quite trivial, really) and send the mail from there, in which case it will end up in the sent-box. This does not happen in practice and thankfully most websites use a one-way hash function on passwords so they "don't know them". Still, on every log-in the password is sent to them again and boy, could I do a lot of damage with that by injecting some code into a fairly large site. By the way, if it wasn't clear by now, I use different passwords for each site as well.

*** Unless the mail form is vulnerable to header injection, which it probably isn't but I haven't tried (else there is a good chance that the site will not be reachable because of the insane amount of spam that will be sent through that form very quickly afterwards). Still, I saw no easy evidence for header injection in the mail I received.

Edited September 9, 2012 by DataGhost

[Andrew]

Hmm, this topic smells fishy.

[fireguy109]

What I mean is that if it was sent through the "hacker"'s email via the forum, when the "hacker" logs into their email account they will find the email they sent you in their sent box. The email in the sent box will have your email address as the destination address. I'm just throwing out some possibilities.

[DataGhost]

 

Hmm, this topic smells fishy.

Yeah, so, any ideas? You have the logs, I guess. The e-mail originated from 27.130.114.173 (Thailand). As you can see in the headers (I cut out the irrelevant ones):

 

Return-Path: <[email protected]>X-Original-To: [MY EMAIL ADDRESS]Delivered-To: [MY EMAIL INBOX]Received: from nm34-vm5.bullet.mail.bf1.yahoo.com (nm34-vm5.bullet.mail.bf1.yahoo.com [72.30.239.77])by [MY MAIL SERVER] (Postfix) with SMTP id 9E8E161327for <[MY EMAIL ADDRESS]>; Sat,  8 Sep 2012 12:12:32 +0200 (CEST)Received: from [98.139.212.148] by nm34.bullet.mail.bf1.yahoo.com with NNFMP; 08 Sep 2012 10:10:01 -0000Received: from [98.139.212.220] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 08 Sep 2012 10:10:01 -0000Received: from [127.0.0.1] by omp1029.mail.bf1.yahoo.com with NNFMP; 08 Sep 2012 10:10:01 -0000Received: (qmail 23958 invoked by uid 60001); 8 Sep 2012 10:10:01 -0000Received: from [27.130.114.173] by web142502.mail.bf1.yahoo.com via HTTP; Sat, 08 Sep 2012 03:10:01 PDTX-Mailer: YahooMailWebService/0.8.121.416Date: Sat, 8 Sep 2012 03:10:01 -0700 (PDT)From: Lefty Conner <[email protected]>Reply-To: Lefty Conner <[email protected]>

 

the e-mail never left the yahoo.com domain before reaching MY mail server directly. Additionally, there was a Domainkeys header which turned out to be genuine. While that, in itself, does not mean too much, combined with the fact that there do not seem to be any forged Received: headers it seems that it, in fact, did originate from the Yahoo web mail service and not from this board's email functionality. I don't think these headers are going to help you much but maybe the source IP may be of some help.

 

 

What I mean is that if it was sent through the "hacker"'s email via the forum, when the "hacker" logs into their email account they will find the email they sent you in their sent box. The email in the sent box will have your email address as the destination address. I'm just throwing out some possibilities.

What I mean is that that just does not happen. I know what you mean and I think that should be clear from my post. Additionally, if it really were the case, I'd have an extra e-mail sitting in my inbox, but I don't. If you don't believe it, give me two of your e-mail addresses, I'll send you an e-mail from address A in the mailbox of address B without any sent message in A's sentbox. I wouldn't be able to delete it from your sentbox without your password, right?

It's nice that you're "just throwing out some possibilities", don't get me wrong, but please only do so if you know what you're talking about or with something sensible to back it. This is a bit like saying "maybe your bike has a flat tire" when someone's car won't start.

[Tsuroki]

Is the email address you're referring to a unique combination of letters and numbers, or is it something that could be hit on relatively easily with a brute force or dictionary attack? I'm not ruling out our system being compromised, but if the source and destination servers were both Yahoo, I'm wondering if this is a case of spammers throwing sh*t against a wall and seeing what sticks.

 

Disclaimer: I am by no means proficient in any of this stuff, I just try to follow along as best I can.

(We have smarter engineers and web devs than I who handle the systems here. I'm just a chimp.)

[DataGhost]

Is the email address you're referring to a unique combination of letters and numbers, or is it something that could be hit on relatively easily with a brute force or dictionary attack? I'm not ruling out our system being compromised, but if the source and destination servers were both Yahoo, I'm wondering if this is a case of spammers throwing sh*t against a wall and seeing what sticks.

 

Disclaimer: I am by no means proficient in any of this stuff, I just try to follow along as best I can.

(We have smarter engineers and web devs than I who handle the systems here. I'm just a chimp.)

I'm migrating to a system where I append some random letters and numbers to each address, this one is still using the "old" way. The same thing happened some time ago with a company and they refused to believe me for exactly the same reason, regardless of my "evidence". It could be possible to do a dictionary attack on it but there are some flaws in that. First it's important to emphasize that when I say "MY server" I really mean "MY own mailserver hosted and managed completely by me" and not Yahoo or any other online mail service. I have full access to all the logs of what comes in and what goes out. In the logs from last month until now, I only saw on one attempt from the From:-address in question and all attempts to deliver mail to non-existing mail addresses were directed at 8 unique mail addresses, none of which match my unique-address-per-site format. In order for this to have been a real brute-force dictionary attack on this address, I'd have to have a whole lot of unique non-existing addresses in my logs, at least more than zero.

 

So that leaves us at a one-shot hit on my end and someone else complaining about practically the same thing, only days apart. What are the chances on that? Keep in mind that over 99% do not use a system like this and won't have any idea where to start, they just don't care or they don't even see it because it ends up in their spambox. I am certain that more than just the two mails in this topic were sent out. An additional 60-70% (wild guess) of the people who ARE using this system won't notice either because it's filtered by their spam filtering software and/or because they don't check their spambox regularly. My spam filter does not filter, it marks. I just have it all end up in my mailbox so I can decide to have a look at it or not, which works like a charm. I get almost no spam and hope to keep it that way.

[SARDYNA108]

I just found almost exactly same email in my inbox...

[BobFixett]

I have just received some similar spam to an email address that I created for gtaforums and gtagarage only. Like DataGhost, I also have my own email server and can be sure it is not a dictionary attack.

 

 

Return-Path: <[email protected]>Received: from <MYSERVER>by mtain-mk02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 35BBB38000095for <MYEMAIL>; Sat, 29 Sep 2012 07:12:05 -0400 (EDT)Received: from sbcglobal.net (19.140.167.190.d.dyn.codetel.net.do [190.167.140.19] (may be forged))by <MYSERVER> (8.14.3/8.14.3/Debian-5+lenny1) with SMTP id q8TBBx2t020321for <MYEMAIL>; Sat, 29 Sep 2012 11:12:03 GMTReceived: from mx.reskind.net [199.76.12.84] by external.newsubdomain.com with ESMTP; Sat, 29 Sep 2012 15:58:09 +0500Message-ID: <[email protected]>Date: Sat, 29 Sep 2012 15:43:43 +0500From: "Victoria" <[email protected]>MIME-Version: 1.0To: <MYEMAIL>Subject: hebloContent-Type: text/plain;charset="iso-8859-1"Content-Transfer-Encoding: 7bitx-aol-global-disposition: SX-AOL-REROUTE: YESx-aol-sid: 3037ac1d62865066d72531b9X-AOL-IP: <MYSERVER>X-AOL-SPF: domain : sbcglobal.net SPF : noneX-Antivirus: avast! (VPS 120928-1, 28/09/2012), Inbound messageX-Antivirus-Status: CleanHello,Im off early on Friday and would love to hit a happy hour.Any polite, interesting, handsome, employed men like to make a date out ofit?? you can find my pix right here:http://<SPAMURL>

 

 

 

[Mr. Reaper.]

Everyone that's reported this has there Email Viewable to the public on their profiles.

 

It's mostly a just spam-bot on this site.

[BobFixett]

I might be wrong, but there doesn't seem to be a way to view member email addresses.

Can you tell what my one is?