In what is becoming an almost daily occurrence, Brian Savage from Fun Publications has sent out another notification email to members of both the G.I. Joe Collectors’ Club and the Transformers Collectors’ Club, strongly encouraging members not only to cancel their credit cards but also to change any usernames or passwords they used on the club's website or forums and also use anywhere else.
I cannot stress enough the importance of following this advice. The full text of the email is below.
As we continue to work on our systems, you will see some of our services go offline and then come back, so please be patient as we preserve data and clone servers and websites.
We are also taking this opportunity to remove all non-essential services from our e-commerce server. So in the short term, in the next day or so, the club forums will be discontinued. It will be several days until we are ready to bring them back under an entirely new piece of software. I know a lot of you have been asking for this, so we have decided to replace several of our systems with new packages. This means that you will not have access to the forum for a while at all. We do plan to make the old forum viewable (no posts) in the future.
Since we do not know exactly what data was taken, we are recommending that if you have used common logins or passwords with our system and any other system that you change your passwords in those systems immediately (especially any financial systems)! We will be resetting all of the passwords in our system very soon. Please don’t delay in changing your passwords in other locations.
In addition, we have found a few recent articles concerning security issues with other vendors. If you use these services, these issues could possibly impact you. Please read the attached links:
http://www.huffingtonpost.com/2012/02/10/itunes-hack-unauthorized-charges-apple_n_1268593.html
http://www.greenpois0n.co/itunes-accounts-being-hacked-to-steal-money-from-store-credit.html
Thanks for your support in this difficult time. We will continue to work with our vendors to correct the issues and we apologize for any inconvenience this has caused any of our members.
Brian Savage
I found this email from them very interesting. I work in Information Security, specializing in vulnerability management and ethical hacking. This email makes it sound like the forums were running on the same server as their e-commerce site.
Forums are fairly high risk: you are allowing strangers to upload content to your server. I’ve never used the Club’s forums, but minimally you have text being uploaded in the form of forum posts. That alone can open you up to attacks (stored cross-site scripting, injection into whatever the forum does with the post) if your software is vulnerable. If you allow graphics as well, for avatars or in signatures, you open yourself up to a whole other class of vulnerabilities: file-upload handling and the image-parsing libraries behind it. I can’t tell you how many vulnerabilities I’ve seen in web software this past year that state something like, “servers may be at risk if they allow user-provided content.” That’s the definition of a forum, and that’s why forums shouldn’t be anywhere near your e-commerce site.
I really wish the club luck. Hopefully they’ve contracted with a company experienced in computer security incident response. They need to figure out how the attacker got onto their system, get the attacker off, close the holes that were used (and any others that may not have been used yet but still exist), and then get the system back up and operating. Preserving a copy of the compromised systems before wiping them matters here, because you can’t close a hole you never identified. Sometimes there isn’t much that can be done short of nuking the system and starting over from scratch.
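To make the avatar point concrete, here is an added example of my own, not Fun Publications' code or that of any particular forum package. It contrasts the weak check many forum installs shipped with, which trusts the filename the browser sent, with a content-based check that parses the image header, refuses bytes trailing the image terminator (the classic "GIF header with a script appended" trick), and stores the file under a server-generated name. The size and dimension limits, the function names and the sample byte strings are assumptions constructed for the demo.

```python
"""Avatar upload validation: a naive extension check next to a hardened one.

Added example, not the club's code. Limits, names and samples are assumptions.
"""
import secrets

MAX_AVATAR_BYTES = 256 * 1024   # assumed upload cap
MAX_DIMENSION = 512             # assumed per-side pixel cap
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
_EXT_TO_KIND = {"png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg"}


def naive_extension_check(filename: str) -> bool:
    """The weak pattern: accept anything whose name ends in an image extension.
    shell.php.gif passes, and so does a GIF header with a script appended."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def _png_info(data: bytes):
    """("png", w, h) for a PNG whose IHDR comes first and whose file ends at IEND."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n") or data[12:16] != b"IHDR":
        return None
    if not data.endswith(b"IEND\xae\x42\x60\x82"):
        return None   # bytes after the IEND chunk are not image data
    width = int.from_bytes(data[16:20], "big")
    height = int.from_bytes(data[20:24], "big")
    return "png", width, height


def _gif_info(data: bytes):
    if data[:6] not in (b"GIF87a", b"GIF89a") or not data.endswith(b"\x3b"):
        return None   # 0x3B is the GIF trailer; anything after it is foreign
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    return "gif", width, height


def _jpeg_info(data: bytes):
    """Walk marker segments from SOI to the first SOF to read the dimensions."""
    if not data.startswith(b"\xff\xd8\xff") or not data.endswith(b"\xff\xd9"):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker in (0xC0, 0xC1, 0xC2):      # baseline / extended / progressive SOF
            height = int.from_bytes(data[pos + 5:pos + 7], "big")
            width = int.from_bytes(data[pos + 7:pos + 9], "big")
            return "jpeg", width, height
        if marker == 0xDA:                    # start of scan before any SOF: malformed
            return None
        pos += 2 + seg_len
    return None


def validate_avatar(filename: str, data: bytes) -> dict:
    """Hardened check: decide by content, cap size and dimensions, require the
    declared extension to agree with the detected format, and name the stored
    file server-side so the client never chooses a path or an extension."""
    if len(data) > MAX_AVATAR_BYTES:
        return {"ok": False, "reason": "too large"}
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return {"ok": False, "reason": "extension not allowed"}
    info = _png_info(data) or _gif_info(data) or _jpeg_info(data)
    if info is None:
        return {"ok": False, "reason": "not a well-formed image"}
    kind, width, height = info
    if _EXT_TO_KIND[ext] != kind:
        return {"ok": False, "reason": "extension does not match content"}
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        return {"ok": False, "reason": "bad dimensions"}
    return {"ok": True, "kind": kind, "width": width, "height": height,
            "stored_name": f"{secrets.token_hex(16)}.{kind}"}


# Constructed sample uploads (not real files from anyone's site).
TINY_PNG = (b"\x89PNG\r\n\x1a\n"
            + (13).to_bytes(4, "big") + b"IHDR"
            + (64).to_bytes(4, "big") + (64).to_bytes(4, "big")
            + b"\x08\x06\x00\x00\x00" + b"\x00\x00\x00\x00"   # depth/colour/CRC (CRC not checked)
            + (0).to_bytes(4, "big") + b"IEND\xae\x42\x60\x82")
TINY_JPEG = (b"\xff\xd8"
             + b"\xff\xc0" + (8).to_bytes(2, "big") + b"\x08"   # SOF0, length, precision
             + (32).to_bytes(2, "big") + (48).to_bytes(2, "big") + b"\x00"
             + b"\xff\xd9")
PLAIN_GIF = (b"GIF89a" + (1).to_bytes(2, "little") + (1).to_bytes(2, "little")
             + b"\x00\x00\x00\x3b")
POLYGLOT_GIF = PLAIN_GIF + b"<?php /* attacker's script */ ?>"
```

The naive check accepts the polyglot because its name ends in `.gif`; the hardened one rejects it because the file does not end at the GIF trailer. Header parsing is cheap and catches the obvious cases, but the durable fix is to re-encode every accepted image with an image library and to serve uploads from a location where the web server will never execute anything, ideally a separate host from the e-commerce application.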
On the plus side, it would seem that the goal here was for the attacker to steal some credit card information and make a quick buck. Luckily those attacks generally aren’t as sophisticated as some of the espionage attacks that have come to light over the past few years. If the attacker in this case was hoping to keep hold of the system for the long run, I don’t think you would have seen the credit card fraud show up so quickly.
Good news about the forum software; that forum software was outdated 10 years ago.
They should really stop saying stuff like, “iTunes got hacked too!” Clearly not the same situation.
They don’t know what was taken? Maybe they should just assume everything they’ve got stored on their unsecured servers. Why the hell are they even storing complete credit card numbers in the first place much less on the same server as their ridiculously outdated forums?