Hi all MTGSalvation members. I regret to inform you that I came by chance upon an unfortunate surprise today.
I discovered my own username, password, and email address posted together on a hacking forum, along with several thousand others. They claimed to be eBay and PayPal account passwords, but I don't recall ever having an eBay or PayPal account with those names (EDIT: Thinking about it, I went through quite a few PayPal accounts in the last year--I may well have at one point had one connected with that email address).
As I looked down the list with horror trying to discover where my password had leaked, I realized that many of the names were Magic-related. Indeed, I recognized several from this very forum.
I won't post a link here in fear it may put compromised members at further risk, but I will provide the link to any mod who sends me a private message.
I don't know how many of the names are from MTGSalvation, but I can tell you I recognized quite a few in even a cursory glance: Names edited to protect the innocent. Nothing against you- just trying to help.
Given the circumstances, I think it'd be advisable to change passwords. Not all forum members are on the list, so it may just be traders, perhaps all who dealt with a common person who somehow managed to get their passwords (asked them to pay via a phishing link to PayPal?).
I think there should be some sort of investigation into what connects the compromised accounts, and how the passwords ended up leaked. We need to know how this happened and how to avoid this in the future.
Again, change your passwords NOW. The list was posted a few weeks ago, you can only hope your login hasn't been tried yet, or is incorrect on the list.
Since the names do not even appear to match up completely to accounts on this site (they do, after all, claim to be eBay/PayPal accounts), it'll probably be pretty tough to know immediately if you were affected. The only way to be sure would be for you to look through the list for all usernames you use--and that would require users all viewing the list.
Changing your password isn't a bad thing anyway. I'm sure the staff will find a way for all of us to check whether our password was posted, but until then you may just want to change your password just in case.
Actually, this site is EXTREMELY low tech. I changed my password one time and I was unable to log on because I needed to confirm my password change with a link from a confirmation email: one that was never sent and doesn't exist. I don't know if the problem was ever fixed but yeah... changing your password for this specific site isn't a wise idea unless you felt you absolutely had to.
The site is run on vBulletin, which is established stable software. I've changed my password several times (including today) with no issues; your issue was either a spam filter or an unlikely anomaly. An experience like that is no reason not to change your password.
And, of course, remember that if you use the same password for this site and another (especially an online banking or shopping site), you should change that password too. The login might be tried on several sites, criminals are persistent if it means they can take your money!
From what I can tell, the passwords do not appear to match the accounts here as of yet.
I am currently going over the list to discover names I am familiar with. It may take a while but I am doing it.
Posting a list is a bad idea in general. Once I've gone through it I can PM affected users.
If anyone has a password issue then email me at shaara_song@nospamfortheloveofgodyahoo.com. I'm sure you know what part to ditch out of that.
Why did I receive this news through a Gmail account? Thank you for letting me know and I'm glad I came to this sub-forum (it took me awhile for where to look). But I thought it was just spam (not that there was a phishing link attached). I'm just curious why announcements aren't sent from mtgsalvation.com?
Not sure how relevant it is at all, but a few weeks ago I got an email from WIFOM.net telling me someone was attempting to reset my password there. I didn't think much of it, and left a note over there. After I heard about this, I went to see if that thread had been responded to and see the entire site is now down for security issues.
Again, no clue if that is relevant at all, but I figured I would throw it out there.
I just PMed all the admins about this and didn't bother checking the forums since I checked my email first. I thought it was a hoax... until I saw this is for real.
AoK has notified me my password has been breached; I have changed my password.
Just to let you guys know, I have not done ANY trading or any kind of buying/selling here.
Just to be clear: A notice has gone out to all registered users via e-mail that their information may be at risk.
We have not yet been able to positively confirm that anybody's password on this site has actually been misused, but still strongly recommend that everyone change their password here to something that isn't used elsewhere.
Why did I receive this news through a Gmail account? Thank you for letting me know and I'm glad I came to this sub-forum (it took me awhile for where to look). But I thought it was just spam (not that there was a phishing link attached). I'm just curious why announcements aren't sent from mtgsalvation.com?
I also thought it was spam. Could you consider emailing them out again, from MTGsalvation, and encourage people to change their MTGS password and any other passwords that match it. But please don't use the word 'Urgent!' in the subject line - that's what made me think it was spam in the first place.
I just PMed all the admins about this and didn't bother checking the forums since I checked my email first. I thought it was a hoax... until I saw this is for real.
AoK has notified me my account has been hijacked; I have changed my password.
Could someone message me the URL of the list? I'm kind of worried about what may be up there.
Oh yeah, Charlie already said, 'username, password, and email'.
Quote from sentimentGX4 »
Actually, this site is EXTREMELY low tech. I changed my password one time and I was unable to log on because I needed to confirm my password change with a link from a confirmation email: one that was never sent and doesn't exist. I don't know if the problem was ever fixed but yeah... changing your password for this specific site isn't a wise idea unless you felt you absolutely had to.
Right, lol.
Extreme lols.
If you provided a valid email and let it through, it should be fine. The site is high-tech enough.
I discovered my own username, password, and email address posted together on a hacking forum, along with several thousand others.
Thousands?
Hacking forum? So, plenty of guys out there engage in black-hat hacking other sites?
Quote from Binary »
Just to be clear: A notice has gone out to all registered users via e-mail that their information may be at risk.
We have not yet been able to positively confirm that anybody's password on this site has actually been misused, but still strongly recommend that everyone change their password here to something that isn't used elsewhere.
There is the possibility that someone out there has the information, but has yet to post it.
I also thought it was spam. Could you consider emailing them out again, from MTGsalvation, and encourage people to change their MTGS password and any other passwords that match it. But please don't use the word 'Urgent!' in the subject line - that's what made me think it was spam in the first place.
Lol, yes.
Maybe send a PM to each member too.
That may be a little gratuitous, especially to those who've changed their password (but if it works, it works).
So, this site, did it actually say mtgsalvation.com passwords or something, or is it, like, everything?
Um, ... whatever of the wiki? (Seriously?)
Is there a place where I can personally see the hijacked screen names and such?
I would feel much better if I could personally see that my name isn't on it.
For the safety of those whose passwords were displayed, it is not a good idea for anyone to see the list other than staff. That includes all 'i don't feel safe' cases. What stops a random person from hijacking your account and getting you banned?
Agreed, though as a VCL for the WotC I would be interested to see the list and see if it matches up with names I recognize from there (since we don't know where was hacked). If you don't want to trust me, please send the link to either Solice or Michelle at WotC (I have e-mail addresses if you need them).
You should find another way to send that email. It went straight to my spam folder on Yahoo.
If worse comes to worse, perhaps a reset policy could be set up?
You know, like write your username and MTG Salvation, and some ID confirming your identity. Though, this itself is probably going to cause problems.
For the safety of those whose passwords were displayed, it is not a good idea for anyone to see the list other than staff. That includes all 'i don't feel safe' cases.
Agreed, considering passwords and emails are on the same page, as detailed by Hunted_Charlie.
Okay, now I am officially pissed. Not at anyone here unless they're the guilty one.
HuntedCharlie, thank you.
Announcement going up.
Thanks for the info, Charlie.
Anywho.. changed and a BIG thank you for the heads up.
There were over 9000 accounts listed?
Check your spam folders, anyhow.
No, because passwords and emails are on the same page.
Just change your password for the sake of it and security.
Probably not; 4chan's not a "hacking forum", is it?
"Several thousand others".