
RPGnow hacked

Started by RPGPundit, January 05, 2007, 05:47:40 PM


HinterWelt

Quote from: Stuart
Logan and I were crazy emphatic about the importance of security when we set up comiXpress. We weren't going to store credit card data unless we could be 100% sure of the security -- so we decided to work through PayPal for all transactions including credit cards.

I'm pretty surprised at how sloppy and amateurish leaving Credit Card data unencrypted and searchable by Google is.

Almost makes me want to setup an alternative online business. :eek:

But first... I finish the game. :)
Actually, it was an exploit in OSCommerce that did it. The CC# were on a Brazilian hacker's site (presumably the one who did it).

And yes, Your Games Now is set up the same way. We leave the security to the experts. I am setting my own site up on the same principles.

Bill
The RPG Haven - Talking about RPGs
My Site
Oh...the HinterBlog
Lord Protector of the Cult of Clash was Right
When you look around you have to wonder,
Do you play to win or are you just a bad loser?

Blackleaf

Quote from: HinterWelt
Actually, it was an exploit in OSCommerce that did it. The CC# were on a Brazilian hacker's site (presumably the one who did it).

We used OSCommerce as well (we used another program for another project, but OSC is much easier to work with) and while it does have the option to store CC info locally, we thought that was just asking for trouble... especially if you don't aggressively keep on top of patches.

HinterWelt

Quote from: Stuart
We used OSCommerce as well (we used another program for another project, but OSC is much easier to work with) and while it does have the option to store CC info locally, we thought that was just asking for trouble... especially if you don't aggressively keep on top of patches.
Definitely. I normally work in the merchant e-commerce solutions and with data management and I don't think I have heard of any design that stored cc# on site except in the "We absolutely must but we don't like it" category.

Just way too much liability there.

Bill
The RPG Haven - Talking about RPGs
My Site
Oh...the HinterBlog
Lord Protector of the Cult of Clash was Right
When you look around you have to wonder,
Do you play to win or are you just a bad loser?

Dr Rotwang!

Quote from: HinterWelt
The date you need to be most worried about is before August of 2006.
That's me.

Quote
This only applies to people who used the "Store my CC#" on RPGNow or RPGShop.
That's not me.
Dr Rotwang!
...never blogs faster than he can see.
FONZITUDE RATING: 1985

Wil

They were using an open source ecommerce solution? That's bright...

I'm assuming it was some kind of SQL injection vulnerability, which are a lot more common than they really should be.
Aggregate Cognizance - RPG blog, especially if you like bullshit reviews
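Wil's guess above is a generic SQL injection, not a confirmed detail of the RPGNow breach, and the thread does not say what the OSCommerce exploit actually was. As an added example (not code from the thread or from OSCommerce), here is the pattern he means, in Python against an in-memory SQLite table. The table name, columns and customer rows are all constructed for this illustration; the card numbers are standard test numbers, stored in plaintext only because that is what the thread says the breached shop did.

```python
import sqlite3

# Constructed sample data standing in for a shop's customer table.
# Logins, e-mails and card numbers are invented for this example.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test", "4111111111111111"),
    (2, "bob", "bob@example.test", "5555555555554444"),
    (3, "carol", "carol@example.test", "378282246310005"),
]


def make_db():
    """Create an in-memory database with a hypothetical customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, login TEXT, email TEXT, cc_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, login):
    """Look up a customer by splicing the caller's input into the SQL text.

    This is the injectable pattern: the input becomes part of the statement,
    so a crafted login string can rewrite the WHERE clause and dump the table.
    """
    sql = "SELECT login, email, cc_number FROM customers WHERE login = '%s'" % login
    return conn.execute(sql).fetchall()


def lookup_safe(conn, login):
    """Same query with a bound parameter: the input is sent as data, not SQL."""
    sql = "SELECT login, email, cc_number FROM customers WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
INJECTION = "nobody' OR '1'='1"


def demo():
    """Run both lookups with the injected input; return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, INJECTION), lookup_safe(conn, INJECTION)
    finally:
        conn.close()


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable query returned %d rows" % len(vuln))
    print("parameterised query returned %d rows" % len(safe))
```

With the injected login, the string-built query expands to `... WHERE login = 'nobody' OR '1'='1'` and returns every row, card numbers included, while the parameterised query treats the whole string as a login value and returns nothing. A legitimate login such as "alice" returns the same single row from both, which is why the defect is easy to miss in ordinary testing.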

Hastur T. Fannon

Quote from: WilThey were using an open source ecommerce solution? That's bright...

It is if (and it's a big if) you keep on top of the patches. More eyeballs on the code and all that.
 

Tyberious Funk

I've purchased from RPGNow in the past.  Using a credit card, too.

My ex-girlfriend's credit card.

Mwah hah hah hah :D

I shouldn't laugh.  I really, really shouldn't.
 

Lawbag

This will either blow over quickly, or be something much bigger.

http://gmskarka.livejournal.com/251567.html?nc=9
"See you on the Other Side"
 
Playing: Nothing
Running: Nothing
Planning: pathfinder amongst other things
 
Playing every Sunday in Bexleyheath, Kent, UK 6pm til late...