VG+ hacked


Nate Dogg III

RapidShare have taken down the file, but I downloaded it last night and I'm on the list.

The file has names, phone numbers, date of birth and md5 hashed password. It does NOT have address details.

If anyone wants me to check if they are on there then PM me your name or email address and I'll check and send you your data.

Message sent. And thank you Sir!


Just checked out my account and it's my old, old, old address and phone number as well as an old password that I don't use too often. I went through and changed nearly all of my accounts to unique passwords a while back, although there are still a few that haven't yet been updated.


There's nothing to investigate. It's more likely they're taking legal advice on how fucked they are (which, generally speaking, is very).

I would expect any decent web site to investigate how they were hacked, what data got stolen, and whether anything has been left behind which still compromises the site. That may not be a trivial set of tasks and may affect the statement.


Just got an e-mail from them.

Dear Videogamesplus.ca customer,

Please be advised that we are currently investigating a security issue. As a safety precaution we are recommending all customers please login to their accounts and change their passwords.

Follow the instructions below to change your password :

1) Log in

2) Go to Edit Account

3) Under the password type the new password

4) Under the Confirm Password type the new password again and then Continue to save changes.

The site is secure and we will have more information shortly.

Sorry for any inconvenience this has caused.


I would expect any decent web site to investigate how they were hacked, what data got stolen, and whether anything has been left behind which still compromises the site. That may not be a trivial set of tasks and may affect the statement.

It will certainly affect the wording of the statement.


The file with the 21,000 people in it is in the office; if you want it checked, PM me and I'll check it first thing in the morning.

It seems security on VG+ was pretty shit, see here for details: http://www.bordersdown.net/showthread.php?112569-Have-you-been-hacked-into-%28videogameplus-ca%29/page12

Fortunately I haven't been able to find anything credit card related.

I can tell you all when you joined their website though, your full address details and the last time you logged into their website.

The back-up file is an entire dump of their website source.

Might be better removing the links I suppose.

The file that was linked I have has no address details, there might be another file but it wasn't the pastebin one.


I last used the site in 2009... until a few days ago.

I updated my details with them on Saturday - putting in my current CC details and address - to pre-order some Vita stuff. The hack apparently took place on the Friday, but seeing as I'm in Australia, the dates might still match up due to time zones.


I last used the site in 2009... until a few days ago.

I updated my details with them on Saturday - putting in my current CC details and address - to pre-order some Vita stuff. The hack apparently took place on the Friday, but seeing as I'm in Australia, the dates might still match up due to time zones.

Exactly the same here, except I'm not in Australia so the time difference is obviously smaller. I also changed both my email address and my password on the 14th... which is either the worst possible timing or absolutely perfect timing.

I'm scared to check tbh! I've changed the password again anyway. Bloody hackers.


https://agilebits.com/onepassword

There are other similar alternatives. This one does cost money.

I use the Windows app, the Mac app, the iPhone and iPad apps, and the browser plug-ins, at home and at work. It syncs everything via Dropbox so they are all up-to-date, but you can use wi-fi.

Basically it lets you generate a unique one-time alphanumeric gibberish password for every different site you use. It fills them in for you with a browser plug-in. They all are encrypted and protected by a single password (the only password you have to remember from now on). It will also save your credit card details and address and whatnot, and fill them in for you when you're shopping online.

There are a few annoyances (there are no browser plug-ins allowed on iPhones, so you need to copy and paste from the app, and it stumbles over filling in credit card start dates in some webforms) but I used to worry about being hacked, especially when I started running this place and had all your names and addresses and whatnot, and now I don't (much).

But what happens if onepassword gets hacked? ;)


But what happens if onepassword gets hacked? ;)

It's a client app, rather than a server app. So it's as safe (or as unsafe) as your PC + their encryption measures + your password strength. I do use DropBox too to sync across my devices at multiple locations, but I think that's pretty safe, and you don't need to.

Obviously there is a risk of putting all your eggs in one basket, but you're doing that anyway if you share passwords (or passwords plus guessable unique additions) between sites.

I think it's the least risk for me (given that forgetting passwords is now becoming a danger for me). I think local, or specific targeted threats to me are unlikely, but I have to assume that hackers have multiple versions of my website passwords in their possession by now.

If they hack my PC and install a keylogger, they own everything anyway, so I'm no worse off.


Thanks to The Bag (good show, old bean), my details are confirmed in the leak. However, I'd say that the hash that represents the password field is not a straight encryption using MD5, so to some extent (unless they've pilfered the salt and algorithm too) the passwords are safe from a dictionary attack. That plus the lack of widespread prevalence of the file itself makes me a little bit more confident, although of course I've changed passwords on the few sites which shared that one.

The ecommerce software videogamesplus.ca use seems to be OsCommerce, which is one of the shittiest ecommerce packages you could imagine. This could sink VGP, frankly.
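The post above turns on whether the leaked password field is plain MD5 or a salted hash, and why that matters for a dictionary attack. The following is an added illustration, not code from this thread or from VG+/OsCommerce: it hashes a handful of constructed sample accounts both ways and runs the audit a defender would run on a dump, counting how many stored hashes collide between users. Unsalted MD5 gives identical hashes to identical passwords, so one precomputed lookup covers every account at once; a per-user random salt with a slow, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library, used here as the example mitigation) gives every account a distinct hash that has to be attacked individually. Usernames, passwords and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts for the example; not taken from the leaked file.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "hunter2",
    "bob": "hunter2",        # same password as alice
    "carol": "correcthorse",
}

# Iteration count is an assumed example value; tune to your hardware budget.
PBKDF2_ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """The weak scheme the thread suspects: a straight MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).

    Returns (salt, digest); both must be stored to verify later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_salted(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def duplicate_hash_count(hashes: List[str]) -> int:
    """Defender's audit: number of stored hashes that collide with another user's.

    With unsalted hashing, users sharing a password share a hash, which is
    exactly the property a precomputed (rainbow/dictionary) table exploits
    across a whole dump. With per-user salts the count should be zero.
    """
    seen: Dict[str, int] = {}
    for h in hashes:
        seen[h] = seen.get(h, 0) + 1
    return sum(count for count in seen.values() if count > 1)


def audit(users: Dict[str, str]) -> Dict[str, int]:
    """Hash every sample account both ways and report collisions for each scheme."""
    unsalted = [md5_unsalted(pw) for pw in users.values()]
    salted = [pbkdf2_salted(pw)[1].hex() for pw in users.values()]
    return {
        "unsalted_duplicates": duplicate_hash_count(unsalted),
        "salted_duplicates": duplicate_hash_count(salted),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_USERS))  # alice and bob collide under MD5, never under PBKDF2
    salt, digest = pbkdf2_salted("correcthorse")
    print(verify_pbkdf2("correcthorse", salt, digest), verify_pbkdf2("wrong", salt, digest))
```

The audit is the cheap check a site owner can run on their own user table before an incident: any duplicate hashes mean the scheme is unsalted (or the salt is shared), and every account is exposed to the same lookup. Storing the salt and iteration count beside the digest is what lets the verifier recompute it; the salt is not a secret, it only has to be unique per user.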


The ecommerce software videogamesplus.ca use seems to be OsCommerce, which is one of the shittiest ecommerce packages you could imagine. This could sink VGP, frankly.

:lol: :lol:

Holy shit... I wouldn't recommend that hump of shit to anyone, let alone anyone with any sort of significant business interest in their e-commerce store. Now to be fair, the last I looked at OsCommerce was about two years ago, but back then it was a hideously bloated piece of software, which was riddled with security holes, and it looks as though it's not improved much if VGP's recent woes are anything to go by.


VG+'s website in general has always been dog shit. I've always hated how they hide games behind their arbitrary genres. Same shit the UK PSN store did for ages. Just give me a list of new games and one on sales, by platform and a decent search function. I don't want to play some shitty meta game of guess which door the game you want is hiding behind.


The file has names, phone numbers, date of birth and md5 hashed password. It does NOT have address details.

See, this is why I stopped using Play. Went to update CC details after many years of use, and they asked for my DOB 'for credit card authorisation'; couldn't update my CC record without updating my main record with DOB.

Right. You want me to give you my name, CC information AND DOB - a key piece of information required by banks, etc. for *me* to verify/validate *my* identity?

(Heck, to spoof Verified by Visa, you only need CC number, name on card, and DOB)

Customer lost.

How many other sites out there *force* you to give them a DOB? I have a credit card, I'm over 18; that's all they need to know.
