Author Topic: digistump email list hacked?  (Read 8970 times)

William

  • Newbie
  • *
  • Posts: 6
digistump email list hacked?
« on: May 05, 2013, 10:09:29 am »
Edit: Official response posted below
http://digistump.com/board/index.php/topic,946.msg3409.html#msg3409

I just got a spam email addressed to a unique email I used to sign up to digistump website and get my KS digispark reward. I have exactly one other email addressed to that unique email address, the one to get my KS reward.

Update: Sounds like only 300 emails leaked and no personal information! Great news! Read the official update here:

http://digistump.com/board/index.php/topic,946.msg3411.html#msg3411


I'm very impressed. The report was at 10am on Sunday May 5th, the first official response was 11:30am (while he was on vacation no less!) and the breach was diagnosed and closed by 12:30pm!
« Last Edit: May 05, 2013, 12:57:28 pm by William »

William

  • Newbie
  • *
  • Posts: 6
Re: digistump email list hacked?
« Reply #1 on: May 05, 2013, 10:14:45 am »
I've delinked the links


relevant bits from headers:
Quote
Subject: Alert: Ugrade Your Bell.ca Account
From:  "Support Bell Online - bell_support@ms_bell.ca"

Received: from hostingsmtp09.register.it ([81.88.50.250] helo=hostingsmtp.register.it)
(envelope-from <nobody@opus18.register.it>)
Received: (qmail 19337 invoked from network); 5 May 2013 16:38:56 -0000
Received: from unknown (HELO opus18.register.it)
  by hostingsmtp.register.it with ESMTP; 5 May 2013 16:38:56 -0000
Received: (from nobody@localhost)
   by opus18.register.it (8.14.3/8.12.11/Submit) id r45Gctd3021150;
   Sun, 5 May 2013 18:38:55 +0200


Date: Sun, 5 May 2013 18:38:55 +0200
relevant bits from body:
Quote


05 May 2013 Log in Your monthly bill cannot be processed We recently wrote to inform you that your last payment was declined. This is your second notice. We were unable to process your payment for your Bell Service You must update your billing information immediately in order to avoid any interruption to your services. You can update your billing information online simply by clicking link below mybell.bell.ca/Login


Actual link hiding behind above description (warning, DO NOT GOTO THIS LINK its likely malware!) is
www dot bell.ca-update-activation-online-access.cutabovecakes.co.nz

« Last Edit: May 05, 2013, 01:06:18 pm by William »

Mschicker

  • Newbie
  • *
  • Posts: 2
Re: digistump email list hacked?
« Reply #2 on: May 05, 2013, 10:19:31 am »
I got the same mail. I used a special email address for this forum which was not used anywhere else. So the only reason can be that someone got it out of the forum. Please beware of the mail, it's harmful.

William

  • Newbie
  • *
  • Posts: 6
Re: digistump email list hacked?
« Reply #3 on: May 05, 2013, 10:36:57 am »
Quote
I got the same mail. I used a special email address for this forum which was not used anywhere else. So the only reason can be that someone got it out of the forum. Please beware of the mail, it's harmful.


I never signed up for the forum prior to this, only the digistump fulfillment of the KS reward.


(and the email I used to sign up for the forum just today is a different unique email than the one I originally used for the digistump fulfillment of the KS reward).


Edit : Only a portion of their digistump KS email database leaked. See the official update:
http://digistump.com/board/index.php/topic,946.msg3411.html#msg3411

« Last Edit: May 05, 2013, 12:55:36 pm by William »

digistump

  • Administrator
  • Hero Member
  • *****
  • Posts: 1465
Re: digistump email list hacked?
« Reply #4 on: May 05, 2013, 11:27:49 am »
First of all, I apologize for whatever has happened here - it is ultimately our responsibility to find the right balance of usability and privacy - and something has occurred that has allowed a leak of email addresses.


Thank you William for first reporting this and I apologize for the delay in responding - I am currently on vacation and haven't been connected - that said it has my full attention right now and I will get to the bottom of it and release all the details of what I find.


Starting with what is known:


I too received the spam email on some of my test accounts - this should help me find the source.


We have not shared, sold, given away, etc. any information, ever, and never will - we store all data in databases that are not web accessible and can only be accessed locally by our web server. We use standard software installations of widely used and accepted software (such as this SMF forum, and Docuwiki) and use their built-in security methods, always opting for the most secure methods possible. We keep our software up-to-date and we are looking at any recent security issues with these software packages right now.


The only third-party server that has seen our email database (and emails only), besides Kickstarter itself, is createsend.com, which we had used to manage our mailing list. They have a good reputation and strict privacy policy - but we are looking into them as a primary interest seeing as they are the one 3rd party holder of data. I have immediately removed all emails from their servers and I am in contact with them.


I'm both surprised and pissed off that this occurred - and I'm sure you all feel the same. Unfortunately, all I can do at this point is apologize and vow to get to the bottom of it and be transparent about the extent and nature of the leak/breach.


I will update with more info as I have it. 




William

  • Newbie
  • *
  • Posts: 6
Re: digistump email list hacked?
« Reply #5 on: May 05, 2013, 11:48:56 am »
Quote
I'm both surprised and pissed off that this occurred - and I'm sure you all feel the same. Unfortunately, all I can do at this point is apologize and vow to get to the bottom of it and be transparent about the extent and nature of the leak/breach.

I will update with more info as I have it.
Thank you very much for responding to this quickly, in detail, and transparently.


I appreciate the info, and I'm glad to hear that the emails haven't been sold to anyone.


I've reported similar breaches in other forums before (I use unique emails for everything so it's easy for me to tell when something happens) and usually there's not even an official acknowledgment of a problem.


If you need the full email I received, let me know (I only posted excerpts so as to not give away the unique email, and I didn't want the link to be clickable in the forum) and maybe we can figure out a way to get it forwarded to you.

digistump

  • Administrator
  • Hero Member
  • *****
  • Posts: 1465
Re: digistump email list hacked?
« Reply #6 on: May 05, 2013, 12:37:37 pm »
We've both found the issue and the extent and nature of the leak.


The attackers used an SQL injection attack against a specific portion of our forum software (we have notified the creators of this code both so they can fix it and so we can find out exactly what plugin/modification contributed the bad code) - and through that attack gained access to a subset of our mailing list table and a subset of the forum members table. The mailing list table was a compilation of Kickstarter backers and direct customers who signed up for our quarterly email list and was incomplete at the time (we've yet to send any emails to our lists). The two tables consisted of about 3,200 records. Of those 3,200, less than 300 appear to have been compromised - likely far less than that, as the attackers seem to have been frustrated by our additional security (namely our use of fail2ban and tools working with it) to detect and block repeated access to the same resources, and quit their attack about 5 minutes after starting, having only accessed 300 or fewer records and copied an unknown portion of that.


Due to the nature of this attack we have a clear log of all tables that were accessed - while we can only estimate the number of records accessed - we can clearly see that only the forum members table and the mailing list table were accessed. The mailing list table contained only email addresses with no other identifying information (this was by design). The forum members table contained one-way encrypted passwords as well, but no attempt was made to access them. No passwords (which are all stored as one-way hashes to begin with), names, addresses, or any other info was compromised. We do not ever store payment info on our servers, so that could not have been compromised either.


We have taken additional steps to detect this type of attack - and we have at this point disabled or evaluated all plugins or 3rd party code that could be susceptible to this type of attack (and rechecked all of our custom code). We do evaluate code for these vulnerabilities before installing as well, and of course our custom code is written to prevent this type of attack. Obviously this particular piece of code was not evaluated thoroughly and that is something we regret deeply - we will redouble our efforts to fully evaluate third party code and reduce the usage of complex third party code within our site. When practical we always prefer to write simple, standards compliant, secure code rather than use complex third party code.


We are thankful that the security measures we had employed, as well as the segmentation and protection of personal data, did work to reduce the size and severity of this breach - but we greatly regret that any breach occurred and give our full commitment to ensuring it does not happen again.


We welcome any comments, suggestions, or venting of frustration! We share in the frustration; even after an entire career in web development, SPAM sometimes beats even our careful security measures.


We hope that by being transparent and upfront about this issue and our solutions everyone will continue to visit and use this site.


Again, our sincerest apologies for this issue.
« Last Edit: May 05, 2013, 12:53:52 pm by digistump »
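Reply #6 credits a fail2ban rule that bans a client for repeatedly hitting the same resource, which is what cut the record enumeration short. The following is an added illustration, not code from this thread or from digistump's servers: a minimal fail2ban-style detector run over constructed web-server log lines (RFC 5737 documentation addresses, invented paths and thresholds), keyed on source IP plus path so that varying the query string does not evade it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common-log-format fields we need: client ip, timestamp, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]  # key on the resource, ignore the query string
    return m.group("ip"), ts, path


def find_bans(lines, maxretry=10, findtime=timedelta(minutes=5)):
    """fail2ban-style rule: ban an ip that requests the same path maxretry times within findtime.

    Returns {ip: timestamp of the request that triggered the ban}. Lines are assumed to be in time order.
    """
    hits = defaultdict(deque)  # (ip, path) -> timestamps inside the sliding window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] in banned:
            continue
        ip, ts, path = parsed
        window = hits[(ip, path)]
        window.append(ts)
        while ts - window[0] > findtime:  # drop hits that fell out of the window
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def make_sample_log():
    """Constructed sample (not real logs): one client enumerating profiles, one ordinary member."""
    base = datetime(2013, 5, 5, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [f'203.0.113.7 - - [{(base + timedelta(seconds=2 * i)).strftime(fmt)}] '
             f'"GET /forum/index.php?action=profile;u={i} HTTP/1.1" 200 5120' for i in range(12)]
    for i, page in enumerate(["/forum/index.php", "/forum/Themes/default/style.css", "/forum/index.php"]):
        lines.append(f'198.51.100.20 - - [{(base + timedelta(seconds=5 * i)).strftime(fmt)}] '
                     f'"GET {page} HTTP/1.1" 200 812')
    lines.sort(key=lambda l: parse_line(l)[1])
    return lines
```

With the sample log, the enumerating client is banned on its tenth request (18 seconds in) and the ordinary member, who never exceeds three hits on one path, is left alone.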

digistump

  • Administrator
  • Hero Member
  • *****
  • Posts: 1465
Re: digistump email list hacked?
« Reply #7 on: May 05, 2013, 12:44:50 pm »
For those interested the attack originated from this ip: 64.20.39.210
on this network: http://www.nocdata.com/

digistump

  • Administrator
  • Hero Member
  • *****
  • Posts: 1465
Re: digistump email list hacked?
« Reply #8 on: May 05, 2013, 12:45:33 pm »
This has also been posted to the homepage: http://digistump.com/

William

  • Newbie
  • *
  • Posts: 6
Re: digistump email list hacked?
« Reply #9 on: May 05, 2013, 12:51:48 pm »
Wow, that's incredibly fast work and great news about the size and severity of the breach!


Since it's only a small number of emails that leaked, it's not a big deal for me personally; I can disable that particular unique email I used.


But I was wondering, any plans to send out a newsletter or any other emails to the KS list?


I'd like to give you guys a new unique email that hasn't leaked, so I can continue to receive any future emails (although the only email I got from you in the first place was the digistump one with the KS pledge order info). Given the care you've taken with the personal info (the precautions you described were much better than I expected), and the speed and transparency of your response, I still trust you guys with my email :)


Should I just put an email addy in the front page newsletter signup bit?
« Last Edit: May 05, 2013, 12:58:18 pm by William »

digistump

  • Administrator
  • Hero Member
  • *****
  • Posts: 1465
Re: digistump email list hacked?
« Reply #10 on: May 05, 2013, 12:59:05 pm »
William - and anyone else with the same question - if you have disabled the email you've provided us and would like to provide a new one to receive our email announcements when we start to send them - you can use the newsletter sign-up box on the left hand side at http://digistump.com


And yes - we will start actually using the mailing lists to send quarterly (and weekly if you sign up) emails soon - we just strongly believe in only sending mass emails when we have a lot to say - rather than sending lots of little ones and becoming spammers ourselves (can you tell we really hate spam too?)!


Our first quarterly email should go out in the next few weeks to announce our next Kickstarter, some new products, and some new services - so we think it is worth signing up for!


Thanks,
Erik

William

  • Newbie
  • *
  • Posts: 6
Re: digistump email list hacked?
« Reply #11 on: May 05, 2013, 01:03:20 pm »
I removed guesses/speculation from my other replies in this thread and replaced them with the facts now that they've been determined.

Quote
Our first quarterly email should go out in the next few weeks to announce our next Kickstarter, some new products, and some new services - so we think it is worth signing up for!

Thanks,
Erik

Awesome! Just signed up!