Jump to content

Tip.it gets hacked and doesn't send email users?


noble_aloof

Recommended Posts

edit: title: "send an email to users"

 

I haven't played runescape (or accessed these forums) in months upon months. I use a wide range of passwords on all of my online accounts and the only two that matched were my tip.it password and facebook password. Last night, after a day spent visiting a college, I was alerted that someone from the UK tried to access my facebook account. Minutes later, I was being harassed by a teenager from the UK on twitter, who told me to check my direct messages. Our exchange went on for hours and he told me his friend had put a RAT (remote access trojan) on my computer and that if I did not comply with his requests he would steal my parents banking information and completely take control of my computer. This struck me as odd since I haven't even downloaded a file in months, use noscript for browsing, and don't even torrent. But sure enough, he knew my facebook password, email address, IP address, and some contact information. I was legitimately intimidated (not knowing my tip.it pass was the same or that tip.it was hacked) so I shut off my computer, removed the ethernet cable, and changed all of my passwords from a different computer. His only request was that I send him my runescape password. I began to question him intensely and his story slowly began to fall apart and I realized this password was the only one he knew, although I had entered several over the past few days. He threatened to DDoS me but after a while it became apparent that his power was limited. I finally got him to send me evidence that made me breath a sigh of relief- he typed "noble_aloof ########@comcast.net" which made me then realize (because of the underscore and old email address) that tip.it was clearly breached at one time, and that is a very old email address only used by my myspace, facebook, and tipit accounts. These kids had access to what seemed like a username and password list from tip.it, or that one is publicly available somewhere.

 

My problem is that its widely known that most people don't use a wide range of passwords online, and had I been more stupid (used one general password) and had these "hackers" used more common sense, they could have easily compromised more of my accounts if my passwords matched. Quite frankly if they didn't contact me on twitter I'd be pretty scared right now. I'm enraged that Tip.it could allow something like this to happen and not send emails or frequent urgent warnings to users telling them to change their passwords after a breach has been detected. I'm guessing this event happened months ago but the administrators of this site should be ashamed for not being more proactive about this issue, however long ago it may have occurred. I'm sure there was some type of alert on the forums but that does not help protect inactive users.

[size="5"][font="Georgia"][b]Staking:[/b][/font][font="Palatino Linotype"][color="#FF0000"][/color][color="#FFFF00"][/color][color="#00FF00"] 4+ mil[/color][/font]
[font="Georgia"][b]Current Status:[/b][/font][font="Palatino Linotype"][color="#FF0000"][/color][color="#0000FF"] Training defense [/color][/font][/size]
Link to comment
Share on other sites

How long ago did this occur? If I was sent emails informing me of it I guess I'll have less reason to be angry but it being an old email account I accessed it maybe once a month.

[size="5"][font="Georgia"][b]Staking:[/b][/font][font="Palatino Linotype"][color="#FF0000"][/color][color="#FFFF00"][/color][color="#00FF00"] 4+ mil[/color][/font]
[font="Georgia"][b]Current Status:[/b][/font][font="Palatino Linotype"][color="#FF0000"][/color][color="#0000FF"] Training defense [/color][/font][/size]
Link to comment
Share on other sites

There was emails sent out, all forum passwords were forcibly reset once control was regained, the forum AND the main website had big announcements about the issue and offering advice to users about ensuring they changed other passwords etc.

 

Not really much more tip.it staff could've done in dealing with the aftermath of the issue.

Plv6Dz6.jpg

Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue

Link to comment
Share on other sites

Hi there,

 

I am truly sorry that your personal privacy was put at danger due to the events here at Tip.It. Obviously it is never our intention to have the information stored here at Tip.It available to anybody else - this is against our Privacy Policy. I'm sure you are probably aware that the accessing of this information was a criminal act and not something we would willingly allow to happen if we had a choice in the matter. What actually happened, long story short, was that the hackers had access to the server for a limited amount of time in which they were probably able to download the entire forum user database. We are not able to tell exactly what was downloaded from our site, but we can safely assume they took anything containing user information that they could get their hands on.

 

At the time, our primary focus was of course re-gaining full control over our server which we accomplished pretty quickly, but the inevitable had already been done by the time we had it back. As Hedgehog mentioned, we did have notices for our regular users plastered all over the front page and our forums, but it was a bit of an oversight to not send out a group email to all of our users explaining the situation. I actually can't remember if we did or didn't make an attempt to send out an email, but I would not be surprised if it was indeed an oversight. If this event could be replayed, we would certainly have done that. I make no excuses for the fact that we did not do this back when it was relevant and unfortunately it was a costly mistake in some ways.

 

On behalf of the admin team I am very sorry this has caused grief for you and I hope that not too much damage has been done as a result. Sadly, this isn't a whole lot else we can do at this point to aide the situation. The criminal act of stealing our database is, in this case, comparable to that of a hit and run car accident in that it is hard to pin responsibility on anybody in particular besides the criminals. While we definitely accept that we are trusted to keep the information users give us safe, it was honestly just a bit out of our hands that these things happen. Our security wasn't exactly lax and it was the little things that enabled them to get into our server, not gaping, obvious and inviting security holes.

 

If you have any further questions, feel free to get in touch with me or any administrator via private message.

 

Kind regards,

 

Cowman_133

Tip.It Administrator

1.png
generic_signature.png

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.