
Autohotkey forum emails leaked?


25 replies to this topic
jonta
  • Members
  • 8 posts
  • Last active: Oct 29 2015 10:38 AM
  • Joined: 10 Jul 2015

Hello Guys

 

I always register all online accounts with a random email address from a service called sneakemail.

So imagine my surprise when I got unsolicited email spam from RuneDreams.com to the email address only given when I signed up for the autohotkey forum.

Something to think about.

Maybe we have approved it via some shady EULA but I do not appreciate it.



jNizM
  • Members
  • 928 posts
  • Last active: Jan 12 2018 09:23 AM
  • Joined: 01 Aug 2012
I got no spam(s) from this mail.


*Btw this is no Ask for Help Topic.
[AHK] 1.1.27.04 x64 Unicode | [WIN] 10 Pro (Version 1709)
My GitHub Profile | Donations are appreciated if I could help you

tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Oct 13 2016 01:04 AM
  • Joined: 21 Dec 2007

No, we don't share your stuff with anyone, ever. Bot-nets tend to try every character combo for a known domain, spamming till they get a hit. In addition, your own device or network could have been compromised. There are many explanations, but sharing user emails is not one of them. It is a sad fact of our age that spam is unavoidable.


Never lose.
WIN or LEARN.

Mango
  • Members
  • 7 posts
  • Last active: Oct 30 2015 03:31 AM
  • Joined: 03 Nov 2012

I can confirm I've been receiving the same spam from RuneDreams.com, addressed to the unique address I've only ever used with AutoHotkey.  AutoHotkey's email database has definitely been leaked.



tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Oct 13 2016 01:04 AM
  • Joined: 21 Dec 2007

Spam to 2 separate accounts, while suspicious, is certainly not proof of anything, let alone a leak.

 

Our policy is simple: we do what we can to protect user data on our servers. That said, we are and pretty much always have been under constant bombardment from DDOS and bots attempting to spam. We do not have the means for http encryption, nor have we ever. Several weeks ago there was a security weakness exploited within IP BOARDS, this forum software. There was some defacing done, but no evidence was found at the time of compromise to the DB. Not saying it didn't happen, but that I didn't find evidence of it. Even so, additional firewall rules were applied based on logged activity and all DB credentials were changed. In addition, the files with the exploit were neutered. The file system got super strict permissions and file changes are logged. We take reasonable measures, but we are a low budget outfit of volunteers. We do not promise or guarantee security.

 

Given that that was weeks ago and you 2 are the only reports of emails getting similar spam, I suspect it is something else you both have in common: some spyware or cookie based exploit.


Never lose.
WIN or LEARN.

gjgigol
  • Members
  • 1 posts
  • Last active: Oct 29 2015 04:16 PM
  • Joined: 25 Sep 2014

I had the same thing happen to me.

On Oct. 27th I got an e-mail from RuneDream, sent to an e-mail address I only used once, in this here forum.

 

How many incidents do you need to start taking a look?

You now have three people, all connected to here, and spam coming from the same source. Coincidence?

The only reason I'm suspecting this forum is, I'm using unique e-mail addresses everywhere.

 

Consider this, please: others might be getting RuneDream spam and never make the connection with this forum.

Would you guys at least try checking?

 

Cheers,

Greg



Mango
  • Members
  • 7 posts
  • Last active: Oct 30 2015 03:31 AM
  • Joined: 03 Nov 2012

several weeks ago there was a security weakness exploited within IP BOARDS this forum software. there was some defacing done but no evidence was found at the time of compromise to the DB. Not saying it didn't happen but that i didn't find evidence of it.


If they had access to your web server's file system, they could surely read your database. Now, you have evidence of it with this thread. It happened. It would be responsible of you to force a password change for everyone, and email all your users and advise them of the breach in case they used the same password somewhere else. Fortunately I use unique passwords for everything too, so this doesn't affect me.
 

Given that that was weeks ago and you 2 are the only reports of emails getting similar spam.


How many of us do you think used unique email addresses to sign up for your forum? Most people wouldn't know how a spammer obtained their address.
 

i suspect it is something else you both have in common. some spyware or cookie based exploit.


I haven't used my AutoHotkey email since 2012 when I signed up for this forum. It's long since been deleted from my email trash. Literally the only record of it anywhere is on your servers - and with my email provider, but jonta and I use different email providers, so there's no commonality there.
 

Would you guys at least try checking?


I'm not sure there's much to check, unless they log all database queries and still have the log. The evidence is pretty clear that the emails were exposed during the hack. The question is whether the admins will do the right thing before too many of the passwords the hacker obtained are brute forced and used.

Mango
  • Members
  • 7 posts
  • Last active: Oct 30 2015 03:31 AM
  • Joined: 03 Nov 2012
Here's report number four, assuming this isn't one of you guys with a different nick: http://ahkscript.org...hp?f=17&p=55485

tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Oct 13 2016 01:04 AM
  • Joined: 21 Dec 2007

Forcing a password change for a forum that is being archived by the end of the year, because of passwords that cannot be decrypted (it's a one-way salted hash), seems a bit extreme, wouldn't you think?

The username over there seems highly suspect. Like trolling.

The problem with this entire line of thought is that it assumes that wordlisting for known providers isn't being used. And there is only the absence of evidence that it is more than autohotkey users being spammed by this.

 

I don't think any of this warrants any response other than an announcement page that SOME users have seen spam to email accounts used only for registration here. Changing passwords here as a response is meaningless.


Never lose.
WIN or LEARN.

joedf
  • Administrators
  • 986 posts
  • AutoHotkey Foundation
  • Last active: Jul 18 2017 06:01 PM
  • Joined: 20 May 2012
Currently not home, away on travel.
Posting this to follow topic. Will read when possible.
Why ahkscript.org? - autohotkey.com is outdated

Jackie Sztuk _Blackholyman
  • Spam Officer
  • 3757 posts
  • Last active: Apr 03 2016 08:47 PM
  • Joined: 28 Feb 2012
I'm not saying it did not happen, I have also gotten this spam BUT to an email I have never used with anything that has anything to do with AutoHotkey...

So to me it is not unique to AutoHotkey emails

[AHK] Version. 1.1+ [CLOUD] DropBox ; Copy [WEBSITE] Blog ; About

tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Oct 13 2016 01:04 AM
  • Joined: 21 Dec 2007

Thanks Jackie; I think that makes the point that I was going for. SPAM is almost never an indication of a data-breach. SPAM is welllll SPAM, an attempt to get you to click something you shouldn't. It has NOTHING to do with where you have or have not used an email address.


Never lose.
WIN or LEARN.

Mango
  • Members
  • 7 posts
  • Last active: Oct 30 2015 03:31 AM
  • Joined: 03 Nov 2012

That means nothing. All it indicates is that the spammer has obtained emails from more than one source.

The hacker did not say, "hey, I'm going to hack AutoHotkey's forum, and send this specific spam to their members only so it's easy for them to track where the spam is coming from".  They hacked you, then added the emails they found to what is no doubt an already large list.

 

And no, this isn't a dictionary attack on my domain.  My AutoHotkey address is the only address currently receiving spam.  The symptoms - particularly the timing of your hack - are far too specific to be caused by anything else.  Your site was hacked, and the hacker is now spamming your customers.  Whether you want to admit it or not, that is what happened.



tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Oct 13 2016 01:04 AM
  • Joined: 21 Dec 2007

Um, OK, you're the expert then; we will address the issue internally.

Like I said, I am willing to post an announcement, but nothing else is necessary from our users. There is no threat from this outside of some spam. Spam is a certainty in this age we live in. We didn't cause it.


Never lose.
WIN or LEARN.

Mango
  • Members
  • 7 posts
  • Last active: Oct 30 2015 03:31 AM
  • Joined: 03 Nov 2012

Here's a scenario for you:

 

Let's say a user picked an easy password when they signed up for your forum, and re-used that password for their email.  Obviously, you shouldn't do that.  But if someone did, the hacker could brute the password, gain access to the user's email, and reset their passwords for whatever they like.

 

That's why reputable companies actively warn users after they discover a breach.

 

Users reporting the problem in this and the other thread:

 

jonta
Mango
gjgigol
anotherautohotkeyuser
guest3456
gregster
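
An added example, not code from any poster in this thread: the two explanations argued above (guessing addresses on a known domain versus one site's address list being exposed) leave different traces in a mailbox owner's inbound log when every site was given its own unique alias. The alias names, the `alias.example` domain, the sender `spam-sender.example` and both logs are constructed, and the check assumes the owner can see mail sent to never-issued addresses (a catch-all or MTA log).

```python
from collections import Counter

# Constructed data: one unique alias per site (all names are hypothetical).
ISSUED = {
    "ahk7f3q@alias.example": "autohotkey-forum",
    "shop91x@alias.example": "web-shop",
    "news42k@alias.example": "newsletter",
}

# Constructed inbound mail logs: (sender domain, recipient address).
LOG_LEAK = [
    ("spam-sender.example", "ahk7f3q@alias.example"),
    ("spam-sender.example", "ahk7f3q@alias.example"),
    ("web-shop.example", "shop91x@alias.example"),  # legitimate mail
]
LOG_GUESSING = [
    ("spam-sender.example", "admin@alias.example"),
    ("spam-sender.example", "info@alias.example"),
    ("spam-sender.example", "ahk7f3q@alias.example"),
    ("spam-sender.example", "sales@alias.example"),
]


def attribute(log, issued, sender):
    """Return (verdict, sites) for one sender's mail to the alias domain."""
    rcpts = [rcpt.lower() for dom, rcpt in log if dom == sender]
    if not rcpts:
        return ("no-traffic", [])
    # Addresses that were never issued can only have been guessed.
    guessed = {r for r in rcpts if r not in issued}
    sites = Counter(issued[r] for r in rcpts if r in issued)
    if guessed:
        return ("guessing", sorted(sites))
    if len(sites) == 1:
        # Only one site's alias was hit and nothing else was probed.
        return ("single-source", sorted(sites))
    return ("multiple-sources", sorted(sites))


if __name__ == "__main__":
    for name, log in (("leak-like", LOG_LEAK), ("guess-like", LOG_GUESSING)):
        print(name, attribute(log, ISSUED, "spam-sender.example"))
```

A `single-source` verdict narrows where the address came from; it says nothing about how it left that site.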