Thread: Flippa Got Hacked. Your Account Got Compromised. Days Ago. Got the notification?

  1. #1
    Administrator Clinton (Essex, UK)

    Flippa Got Hacked. Your Account Got Compromised. Days Ago. Got the notification?

    Word on the street is that Flippa got hacked (heads-up, Flipfilter) about a week ago. Nice image of the Flippa admin screen at the is-hacked.com link. The alleged sequence of events is

    1. Flippa Got Hacked (no big deal in itself) by Adam
    2. Adam was kind enough to tip Flippa off about the vulnerability
    3. Flippa fixed it (pretty quickly)

    But if Adam's claims are true and everybody's accounts at Flippa have been compromised, why didn't Flippa tell its members? Maybe they think he's got only a list of email addresses. Isn't that still good reason to put out a press release and apologise profusely to your users?

    The hack certainly ruined Lucas Chan's day (developer at Slippa). He says on Twitter (15th July):
    @ISHACKED Thanks for your email. Have notified our dev team. We're on it. Will get back to you properly when near a computer.
    And on the 16th:
    On average there is 1 day per year when I decide I hate the interwebs. That day is today. Looking forward to tomorrow when love resumes.
    And now that the flaw has been fixed, why is Flippa threatening to sue Adam if he releases a video of how it was done?

    Luke / Dave, care to shed some light on this?

    Flippa’s Dave Slutzkin and Lucas Chan were notified of the breach within hours of it being found, minutes after recording the video (out soon).
    With the number of web developers on SitePoint and Flippa it can almost be guaranteed we were not the only ones to know about this MASSIVE VULNERABILITY, as it was too easy to access their users' information for it to only be us nice guys to have found it.
    The advice around is to change all your passwords, not just the passwords for Flippa and Sitepoint, but for Google Analytics, Escrow.com and any other account you used at Flippa (teach you to trust someone else with your GA/escrow or other login!)
    If you're new to buying / selling websites, please read this first.

  3. #2
    Dormant Account (Manchester, UK)
    Quote Originally Posted by Clinton:
    And now that the flaw has been fixed, why is Flippa threatening to sue Adam if he releases a video of how it was done?
    I'm stunned by Flippa's reaction (though I shouldn't be, going by their past actions).

    Flippa can be forgiven for getting hacked, but attempting to cover up like this is not the best way forward (assuming the is-hacked reports are true).

    Adam really took the "How to get the most out of Flippa" blog post to heart

  4. #3
    Dormant Account (U.S.A.)
    I wonder if they are legally required to notify users of this breach because of the potential for identity theft. The risk of being sued by a user who had their linked PayPal account compromised and didn't know about this issue should be enough for them to notify the users, even if they don't feel like they are morally obligated to do so.

    I'm not stunned by their reaction. They have a history of covering up any potential problems by deleting posts at SP and censoring comments at the Flippa blog, and they enable scammers by obfuscating information for sellers at Flippa (taking away the links to past auctions is just one example). Because of that, I certainly wouldn't expect them to have the courage to publicly announce that the site had a problem.

    Fortunately, the username and password combination I use there is unique, and the only thing I have linked to that account is a throwaway email (plus my phone number, which is already public information). I still appreciate the notification, because I'll be sure to avoid providing them with any other personal information in the future, since there is no way to know if they really fixed this problem or not.
    Last edited by benitez17; 20 July 2010 at 6:50 am.

  5. #4
    Administrator Clinton (Essex, UK)
    A little sniffing around and I find that Flippa did make a post about "Security Vulnerability Found and Fixed". Funny thing is that blog post has gone walkabouts in the great Australian wilderness.

    Fortunately for you lot, I found a cached copy.

    It starts off by saying that no financial details were compromised as they don't store these. Yes, that was my first worry - would people find out how much I paid for sites?! Then they say no passwords were compromised; their explanation is that since Flippa admins can't access them, the hacker couldn't have either.

    Then the really interesting bit. They disclose that Adam was able to log in as another Flippa user and used that mechanism to log in as an admin user. So, presumably, he could have logged in as anyone! (If he logs in as me, doesn't he have access to my password and/or to changing it?)

    Anyway, access apparently gave him free control of the following admin functions: dispute resolution, adding credits to accounts, moderating auction comments, banning and suspending users, lifting bans and suspensions etc. He also got access to a full list of member names and corresponding email addresses.

    So no major compromise of the system then.

    Having fixed the vulnerability, we’re now in the process of conducting a full security audit of the entire Flippa website marketplace system, to ensure that this doesn’t happen again. We’re completely committed to ensuring the safety of our users and the integrity of our system.

  6. #5
    Dormant Account (Manchester, UK)
    The Google cache of that page shows that the post got tweeted 3 times! Damn those autotweets.

  7. #6
    Thomas (aka "meathead1234"), UK
    Wow - that's a big exploit. The Flippa list itself would be worth a fortune. One quick email -> squeeze page -> opt in - sounds like a lot of damage could have been caused if they wanted to. I for one would not want people sniffing around my auctions - lucky I don't link any accounts like GA or Escrow up, wouldn't trust anyone with that!

    IMO a public announcement is essential, deleting/hiding/covering it up is not going to do them any favours (especially with those of us who buy/sell regularly).

  8. #7
    Administrator Clinton (Essex, UK)
    meathead1234, good point about the marketing opportunities of that list.

    To several people who corresponded with me via PM at Sitepoint (and DP - Ajeet, you'll remember what may have seemed like paranoia at the time), I suggested the conversation be moved to email because I didn't trust Sitepoint to not sneak into my PM box.

    I had no reason to suspect that they were the snoopy type, but I'm naturally suspicious and reckoned there was no need to leave it to trust.

    Today I discover that Sitepoint's sister site actually has a built-in mechanism for admins to log in to users' accounts and (probably) read their PMs. Ouch!

  9. #8
    Dormant Account (Manchester, UK)
    Is that legal? It's a shock, whether legal or not.

  10. #9
    Administrator Clinton (Essex, UK)
    First, consider the implications.

    If admins had access to your PMs, hackers likely did too.

    It may be worth going through your messages to see if there's any sensitive information you ever gave anyone by PM (or information you didn't want Flippa to see).

    Are you sure you never sent another Flippa user a login of any type, a password, or other information that could prove dangerous in the wrong hands? Time to trawl through old PMs now.

    Thanks, Flippa, nice one!

    But it seems they've learnt some lessons in managing publicity. In the early days they would have jumped quickly to defend themselves (remember the SP threads?). They've now learnt patience. This hasn't blown up big enough yet, so they're sitting pretty waiting for it to blow over. What the big boys would do is wait till people have moved on to something else and then post replies in threads like this saying that it was all taken care of and everything's secure now.

    "We regret any inconvenience and like to reassure our members that we take security very seriously"

  11. #10
    Dormant Account (Manchester, UK)
    Quote Originally Posted by Clinton:
    But it seems they've learnt some lessons in managing publicity. In the early days they would have jumped quickly to defend themselves (remember the SP threads?). They've now learnt patience. This hasn't blown up big enough yet, so they're sitting pretty waiting for it to blow over. What the big boys would do is wait till people have moved on to something else and then post replies in threads like this saying that it was all taken care of and everything's secure now.
    That explains the "Luke - what have you done? Noooooohhhhh!!!" quick deletion of his blog post.

    I'm surprised that nobody has raised the issue on the SP forum.

    You make a good point about personal details being revealed in PMs. Someone once sent me their affiliate account credentials to log on and see for myself. It's an unscrupulous hacker's dream.
