Flippa Got Hacked. Your Account Got Compromised. Days Ago. Got the notification?

**Clinton** · July 20th, 2010, 4:52 AM

Word on the street is that Flippa got hacked (headsup, Flipfilter) about a week ago. Nice image of the Flippa admin screen at the is-hacked.com link. The alleged sequence of events is

1. Flippa Got Hacked (no big deal in itself) by Adam
2. Adam was kind enough to tip Flippa off about the vulnerability
3. Flippa fixed it (pretty quickly)

But if Adam's claims are true and everybody's accounts at Flippa have been compromised, why didn't Flippa tell its members? Maybe they think he's got only a list of email addresses. Isn't that still good reason to put out a press release and apologise profusely to your users?

The hack certainly ruined Lucas Chan's day (developer at Slippa). He says on Twitter (15th July):

@ISHACKED Thanks for your email. Have notified our dev team. We're on it. Will get back to you properly when near a computer.

And on the 16th

On average there is 1 day per year when I decide I hate the interwebs. That day is today. Looking forward to tomorrow when love resumes.

And now that the flaw has been fixed, why is Flippa threatening to sue Adam if he releases a video of how it was done?

Luke / Dave, care to shed some light on this?

Flippa’s Dave Slutzkin and Lucas Chan were notified to the breech within hours of when it was found, minutes after recording the video (out soon)
With the amount of web developers on SitePoint and Flippa it can almost be guaranteed we we’re not the only ones to know about this MASSIVE VULNERABILITY, as it was too easy to access their users information for it to only be us nice guys to have found it.

The advice around is to change all your passwords, not just the passwords for Flippa and Sitepoint, but for Google Analytics, Escrow.com and any other account you used at Flippa (teach you to trust someone else with your GA/escrow or other login!)

**hooperman** · July 20th, 2010, 5:10 AM

Originally Posted by Clinton

And now that the flaw has been fixed, why is Flippa threatening to sue Adam if he releases a video of how it was done?

I'm stunned by Flippa's reaction (though I shouldn't be, going by their past actions).

Flippa can be forgiven for getting hacked, but attempting to cover up like this is not the best way forward (assuming the is-hacked reports are true).

Adam really took the "How to get the most out of Flippa" blog post to heart

**benitez17** · July 20th, 2010, 5:45 AM

I wonder if they are legally required to notify users of this breach because of the potential for identity theft. The risk of being sued by a user who had their linked PayPal account compromised and didn't know about this issue should be enough for them to notify the users, even if they don't feel like they are morally obligated to do so.

I'm not stunned by their reaction. They have a history of covering up any potential problems by deleting posts at SP and censoring comments at the Flippa blog, and they enable scammers by obfuscating information for sellers at Flippa (taking away the links to past auctions is just one example). Because of that, I certainly wouldn't expect them to have the courage to publicly announce that the site had a problem.

Fortunately, the username and password combination I use there is unique, and the only thing I have linked to that account is a throwaway email (plus my phone number, which is already public information). I still appreciate the notification, because I'll be sure to avoid providing them with any other personal information in the future, since there is no way to know if they really fixed this problem or not.

**Clinton** · July 20th, 2010, 6:16 AM

A little sniffing around and I find that Flippa did make a post about "Security Vulnerabilty Found and Fixed". Funny thing is that blog post has gone walkabouts in the great Australian wilderness.

Fortunately for you lot, I found a cached copy.

It starts off by saying that no financial details were compromised as they don't store these. Yes, that was my first worry - would people find out how much I paid for sites?! Then they say no passwords were compromised; their explanations is that as Flippa admins can't access them so the hacker couldn't have either.

Then the really interesting bit. They disclose that Adam was able to log in as another Flippa user and used that mechanism to log in as an admin user. So, presumably, he could have logged in as anyone! (If he logs in as me, doesn't he have access to my password and/or to changing it?)

Anyway, access apparently gave him free control of the following admin functions: dispute resolution, adding credits to accounts, moderating auction comments, banning and suspending users, lifting bans and suspensions etc. He also got access to a full list of member names and corresponding email addresses.

So no major compromise of the system then.

Having fixed the vulnerability, we’re now in the process of conducting a full security audit of the entire Flippa website marketplace system, to ensure that this doesn’t happen again. We’re completely committed to ensuring the safety of our users and the integrity of our system.

**hooperman** · July 20th, 2010, 6:26 AM

The Google cache of that page shows that the post got tweeted 3 times! Damn those autotweets.

**Thomas** · July 20th, 2010, 7:28 AM

Wow - that's a big exploit. The Flippa list itself would be worth a fortune. One quick email -> squeeze page -> opt in

- sounds like a lot of damage could have been caused if they wanted to. I for one would not want people sniffing around my auctions - lucky I don't link any accounts like GA or Escrow up, wouldn't trust anyone with that!

IMO a public announcement is essential, deleting/hiding/covering it up is not going to do them any favours (especially with those of us who buy/sell regularly).

**Clinton** · July 20th, 2010, 9:10 AM

meathead1234, good point about the marketing opportunities of that list.

To several people who corresponded with me via PM at Sitepoint (and DP - Ajeet, you'll remember what may have seemed like paranoia at the time), I suggested the conversation be moved to email because I didn't trust Sitepoint to not sneak into my PM box.

I had no reason to suspect that they were the snoopy type, but I'm natually suspicious and reckoned there was no need to leave it to trust.

Today I discover that Sitepoint's sister site actually has a built in mechanism for admins to log in to users' accounts and (probably) read their PMs. Ouch!

**hooperman** · July 20th, 2010, 9:21 AM

Is that legal? It's a shock, whether legal or not.

**Clinton** · July 20th, 2010, 11:25 AM

First, consider the implications.

If admins had access to your PMs, hackers likely did too.

It may be worth going through your messages to see if there's any sensitive information you ever gave anyone by PM (or information you didn't want Flippa to see).

Are you sure you never sent another Flippa user a login of any type, a password, or other information that could prove dangerous in the wrong hands? Time to trawl through old PMs now.

Thanks, Flippa, nice one!

But it seems they've learnt some managing publicity lessons. In the early days they would have jumped quickly to defend themselves (remember the SP threads?) They've now learnt patience. This hasn't blown up big enough yet so they're sitting pretty waiting for it to blow over. What the big boys would do is wait till people have moved on to something else and then they'd post replies in threads like this saying that it was all taken care of and everything's secure now.

"We regret any inconvenience and like to reassure our members that we take security very seriously"

**hooperman** · July 20th, 2010, 11:33 AM

Originally Posted by Clinton

But it seems they've learnt some managing publicity lessons. In the early days they would have jumped quickly to defend themselves (remember the SP threads?) They've now learnt patience. This hasn't blown up big enough yet so they're sitting pretty waiting for it to blow over. What the big boys would do is wait till people have moved on to something else and then they'd post replies in thread like this saying that it was all taken care of and everything's secure now.

That explains the "Luke - what have you done? Noooooohhhhh!!!" quick deletion of his blog post.

I'm surprised that nobody has raised the issue on the SP forum.

You make a good point about personal details being revealed in PMs. Someone once sent me their affiliate account credentials to log on and see for myself. It's an unscrupulous hacker's dream.