I found my amigaworld.net login information in the huge "Collection #1" leak. It's a combination of email and password I use exclusively here on this site, so it looks like amigaworld.net is compromised or was compromised at some point.

I recommend everyone to update their passwords immediately. The site administrators need to make sure the issue which lead to the leak of user data is resolved and all their users are informed accordingly.

_________________
AMIGA 500/EXT.FLOPPY
AMIGA 1200/030/50MHz/FPU/SCSI
AMIGA 4000/060/50MHz/SCSI/CYBERVISION
AMIGA CD32
AMIGA CDTV
AMIGA T-Shirt
AMIGA Mousepad
Commodore Underwear

@BaldGuy

https://amigaworld.net/modules/news/article.php?storyid=8297

@pavlor

This doesn't sound like they fixed the source of the leak or found the actual problem. So any new password set is in the same danger of getting exposed again and again. Updated hashing can be just a part of the solution.

That's probably where I would start: https://www.cvedetails.com/vulnerability-list/vendor_id-1081/product_id-1876/Xoops-Xoops.html

Also informing the users should be done by e-mail in this case. I didn't visit this site here since months, so I never would see this kind of random news item.

The situation could be handled better by the site administrators, IMHO.

Last edited by BaldGuy on 19-Jan-2019 at 11:16 AM.

_________________
AMIGA 500/EXT.FLOPPY
AMIGA 1200/030/50MHz/FPU/SCSI
AMIGA 4000/060/50MHz/SCSI/CYBERVISION
AMIGA CD32
AMIGA CDTV
AMIGA T-Shirt
AMIGA Mousepad
Commodore Underwear

@BaldGuy

I get at least 10 times the amount of spam emails that I used to get thanks to the AmigaWorld hack

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

@BigD

You keep stating that the problem is from a hack here, yet I have checked my own credentials against https://haveibeenpwned.com/ and they are not part of the Collection #1 data leak.

There are so many reasons that an e-mail address could have ended up on a spamlist which are not specific to a site or site database hack. Given the prevalence of these spam lists, it is hardly surprising that there has been an increase in spam over the years.

_________________
Test sig (new)

@_Steve_

here is the list with the compromised accounts with the Collection #5, nicely sorted in a single file:


Hashed obviously in this case. I don't want it to make too easy. But most of the logins are available in dehashed form in other files of the dump too. I found them in Collection 1 and Collection 5. Still working on the other dumps.

Also be aware that Troy Hunt's database is currently out-of-date or incomplete. I didn't get a notice for the amigaworld.net email+password combo either and I can't find this leaked password with Hunt's password check API. It's still in the leak obviously. So don't feel sure about anything.

Last edited by _Steve_ on 20-Jan-2019 at 02:42 PM.
Last edited by BaldGuy on 20-Jan-2019 at 08:02 AM.

_________________
AMIGA 500/EXT.FLOPPY
AMIGA 1200/030/50MHz/FPU/SCSI
AMIGA 4000/060/50MHz/SCSI/CYBERVISION
AMIGA CD32
AMIGA CDTV
AMIGA T-Shirt
AMIGA Mousepad
Commodore Underwear

@BaldGuy

GDPR compliance in amigaworld way.

@_Steve_

The password the hackers have obtained was only ever used for AmigaWorld, the username too. The extra email spam is definitely from the AmigaWorld breach. At this point there is no point trying to cover this up. AmigaWorld account details WERE hacked and that is a fact! Sad but true

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

Same here :(

How can I close and delete my account (with the datas) here?

@_Steve_

I checked that and it flagged my email address. Might explain the extra crap I'm getting. But I also from time to time get emails from friends with the common Windows virus.

Last edited by Hypex on 23-Jan-2019 at 12:48 PM.
Last edited by Hypex on 23-Jan-2019 at 12:46 PM.

@BigD

Quote:

BigD wrote: I get at least 10 times the amount of spam emails that I used to get thanks to the AmigaWorld hack

While I don't think anyone is denying the hack took place, I fail to see how the hack is related to an increase in spam. Why to spammers need your password? If they wanted to spam you, they'd just spam you.

If every new spam mail you get contains your password, then fine, it's coming from the hack. If it doesn't, then you're just receiving spam. Use a good spam filter and get over it.

_________________
RobTheNerd.com | InstallerGen | SMBMounter | Atoms-X

@Daedalus

Quote:

While I don't think anyone is denying the hack took place, I fail to see how the hack is related to an increase in spam.

Because a lot of them used my AmigaWorld nickname to start the message and the tenfold increase happened at the same time other people here reported the email pointing out our password had been hacked giving the AmigaWorld email. I have a Spam filter but it no longer catches everything post-AmigaWorld hack and yes I keep tagging the ones that get through as Spam.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

@BigD

Well, maybe it's just me, but I've never once made the assumption that either my email address or my username were considered private on any website I've ever set up an account on. They're the public parts of the accounts that are associated with them, with the password making up the private part that isn't public.

Spam that uses your password to convince you that the sender has your credentials is what was reported by other users, and what makes such information valuable. Usernames and email addresses are often simply scraped by scripts without anything dodgy going on. It would be very strange for a spammer to *not* use the additional leverage of your password if they had access to it.

_________________
RobTheNerd.com | InstallerGen | SMBMounter | Atoms-X

@Daedalus

The fact remains that AmigaWorld is the weak point in all my online dealings. I DO consider my email private and resent it being part of a list gleaned from AmigaWorld servers.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

@Rose

It is always amusing how people jump to their own conclusions or put words into someones mouth.

Any issues we have faced here have been handled fully in compliance with GDPR rules.

_________________
Test sig (new)

@BigD

Quote:

BigD wrote: @Daedalus I DO consider my email private

Well then don't use it for public accounts on random websites. Simple.

I've set up email addresses before which have received spam before ever having been used for *anything*. Such spam can therefore only occur because spammers are generating email addresses on the fly and testing them to see which ones exist, or because the email server itself had some sort of leak. Getting access to a full list of usernames and passwords isn't the easiest way of obtaining a list of addresses.

_________________
RobTheNerd.com | InstallerGen | SMBMounter | Atoms-X

@Daedalus

Quote:

Getting access to a full list of usernames and passwords isn't the easiest way of obtaining a list of addresses.

And yet that's what they decided to do with the AmigaWorld hack. Look I don't disagree with you that SPAM comes from all manor of sources it's just that in this case I received a big jump in junk email when AmigaWorld was hacked. There has been a slight upgrade in the hashing procedure used to protect our information going forwards but beyond that we are left wondering what ancient vulnerabilities are left hidden under the hood of this site. Maybe AmigaKit got it right be completely upgrading their site and leaving the Classic web users behind?

Last edited by BigD on 23-Jan-2019 at 10:28 AM.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

@BigD

But why would they go to such lengths just to get a list of spam addresses when they don't need to? You do realise that the email addresses most likely aren't encrypted at all, right? Because they're not considered a security issue, being public knowledge and all that.

Totally unsure what the relevance is of an aesthetic upgrade of a different website - security of user accounts has nothing to do with how flashy a page looks, but how well the back-end is developed and maintained. Two mostly separate disciplines which would typically be handled by different people with different skill sets.

_________________
RobTheNerd.com | InstallerGen | SMBMounter | Atoms-X

@Daedalus

Quote:

Totally unsure what the relevance is of an aesthetic upgrade of a different website -

Using newer technologies is inherently 'safer' than technologies that are limited to allow Classic Amiga browsing, are a few iterations of encription standards behind and therefore more easy to forcibly hack with modern computer power. I'd say that is very relevant and I'd expect emails to be encripted on ALL forums / customer databases.

For interest, do you list your email and mobile number on a public Facebook / LinkedIn page or regularly fly around with those details on a banner streaming out behind your private plane? That would be dumb although I guess self promotion and 'getting your name out there' is very important in the 21st century

Last edited by BigD on 23-Jan-2019 at 11:58 AM.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

@BigD

Quote:

Using newer technologies is inherently 'safer' than technologies that are limited to allow Classic Amiga browsing, are a few iterations of encription standards behind and therefore more easy to forcibly hack with modern computer power.

With AmmiSSL 4 available that is not really the reason. The primary issue is that older CMS like the XOOOPS version in use potentially have vulnerabilties that script hackers can take advantage of but the newer CMS where these might be fixed do not support non CSS based layouts, so would require a lot of work to be viewable in AWeb or iBrowse.

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad