We discovered overnight that the Stamporama website has been hacked and data from the membership database has been taken. All of our emails, passwords and phone numbers were posted on a website called skymem.com on Sept 21. Arno found this after investigating Alyn's post re his password having been changed by someone. I have requested that the information be taken down from the skymem.com website, but it could well be posted there again. We have no knowledge about the stolen information being used apart from the fact that it was posted on the skymem site.
I believe that I have found where they got in and have closed the security hole. I apologize sincerely that the security hole existed and that I hadn't caught it before.
It is very important that you go onto the Members Area and change your password. Even more important than that, if you use the same password that you use on Stamporama on other websites, especially if you use the same email address on those other websites, you should go and change your password on those websites. This is especially important if you use your stamporama password for any banking websites etc.
To change your password on Stamporama, login and go to the Members Area and use the "Change Password" function, which is right underneath the Edit Profile function. Please let me know if you need help.
I have sent this message out to all active members, except those who have unsubscribed from the bulk emails.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi Bob,
There is an email going out to all active members right now (except to the members who have unsubscribed to the bulk emails). I have also posted the message on the SOR Facebook page.
Support the Hobby -- Join the American Philatelic Society 03 Oct 2015 10:05:35am
re: The Stamporama website has been hacked. PLEASE READ NOW.
If there had been any widespread abuse, I believe we would have become aware of this issue much earlier. Great, Tim, that you have figured out and fixed the vulnerability.
What are you going to do about such lowlifes? We could consider requiring mandatory password changes every couple of months, but that is probably not very popular with most users. So, I believe that falls into the realm of the internet being a scary place and to always be guarded, i.e., to use different passwords for different places and to change them once in a while. Of course, I too am guilty of not doing so at all times.
re: The Stamporama website has been hacked. PLEASE READ NOW.
"Makes you wonder what these idiots get out of doing stuff like that."
If anything, practice for the big money hack jobs later. Scumbags, nonetheless.
This is a good reason to update passwords on a regular basis and to use different ones on different sites.
re: The Stamporama website has been hacked. PLEASE READ NOW.
For all those sites that want a password but cannot hurt me - for example, a newspaper that requires a log-in but does not have my credit card - I use a single password.
At last count, there were dozens & dozens of such sites using that non-critical, non-financial, pretty-much-zero-impact password.
The very idea of making-up 50-100 different, secure passwords - for each credit card, retailer, etc - and changing them strikes me as ridiculous.
I've tried password-generating software but, frankly, did not like the results, as I have to save the whole password in a convenient electronic place, and having a document on my desktop with a long list of URLs and passwords does not appeal to me.
Without giving away your family jewels, how do you manage your flock of passwords?
Cheers,
/s/ ikeyPikey
"I collect stamps today precisely the way I collected stamps when I was ten years old."
re: The Stamporama website has been hacked. PLEASE READ NOW.
Changed mine, thanks for the warning Tim.
If anyone is using Firefox, all your saved passwords are available to see. Go to Options in the menu (3 bars) icon, top right of screen. Click on security, passwords and view passwords.
Personally I keep mine in a book that is then hidden within other papers but mostly memory works well after a few entries.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Thanks to SOR administrators for being open about this and addressing this so quickly!
I will add the following. I noticed an uptick in the number of spoofed emails from SoR members over the past 2 weeks. Oftentimes, the mailbox is actually correct but the domain name is different. The spoofing appears pretty convincing, otherwise, because they are using our full names rather than our username handles. I was concerned about this enough to contact at least one SoR member about this.
I think now I know why the uptick in the spoofed emails.
So please be advised to be extra careful to check the domain name in any emails you think you are receiving from SoR members. I'm not saying toss any emails from SOR members, but that you should check to make sure the domain name is the same as in the emails you received from them in the past.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Like khj, I've also gotten e-mails that seemed to come from SOR members; however, unlike real messages these latest e-mails have been routed to my spam box rather than my inbox. I'm not sure how the Yahoo spam filters detect the difference, but I've made a note not to open any items in the spam box. The two I did open didn't appear to have any clickable links, but had nothing to do with stamps. I've also changed my password.
Collecting the world 1840 to date - one stamp at a time! 03 Oct 2015 03:25:00pm
re: The Stamporama website has been hacked. PLEASE READ NOW.
Password changed....
Anyway, as online security is part of my profession, I've got two (ok, three) suggestions:
1) Instead of asking users to change their password, the system/admins should automatically update everybody's password in situations like this. Then ask users to simply reset their password (using an email-based opt-in/confirmation system). That way any further damage is immediately prevented instead of relying on whether or not all users read the notification.
2) Hashing passwords in the database is a MUST DO action. Storing passwords as plain text (or with simple encryption) has been a big no-no for the past decade. (Again, if it requires resetting everybody's passwords, so be it.)
3) In addition to member details, I'm a bit worried whether private messages have been affected/leaked as well. Personally I would never share any sensitive information (such as credit card details) using anything as insecure as email or members messages, but I do know for a fact that some collectors do so.... If the messages have leaked as well, then it might be a good idea to ask users to kill their credit cards if they have shared their credit card details using private/members messages.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi Scb,
Thanks for your suggestions. It is much appreciated, especially as you are an IT professional. Below are some comments/explanations re your comments.
1. As we stand today I don't have a way for a member to change their password unless they are logged in. If I globally changed everyone's password, which would have addressed the initial security breach, no-one would have been able to login. It was quickest to ask everyone to help get them changed.
2. I'm working today on implementing password encryption across all membership records so that even if someone manages to hack-in again, they will not be able to read the passwords.
3. I don't think that they got to the private messages, but I can't be sure. We should all keep a close eye out for anything strange.
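Scb's points 1 and 2 above (invalidate every leaked password, then let members reset via an emailed confirmation, and store only salted hashes) and Tim's reply about hashing all membership records can be shown together. The following is an added example, not Stamporama's code: it assumes a membership table kept as a plain dictionary, uses PBKDF2-HMAC-SHA256 from the standard library, and refuses every login until the member has completed a reset with a one-time token.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (assumption: a current OWASP-style default).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    # Self-describing record: algorithm$iterations$salt$digest, one random salt per member.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; compare in constant time.
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_plaintext_table(rows: dict) -> dict:
    # The leaked plaintext is already in the attacker's hands, so hashing it would still
    # let them log in. Drop it entirely and force a reset instead (Scb's point 1).
    for rec in rows.values():
        del rec["password"]          # plaintext is never written back
        rec["password_hash"] = None  # no usable credential until the member resets
        rec["must_reset"] = True
    return rows


def issue_reset_token(rec: dict) -> str:
    # The token itself goes only into the confirmation email; the database keeps its hash.
    token = secrets.token_urlsafe(32)
    rec["reset_token_hash"] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token


def complete_reset(rec: dict, token: str, new_password: str) -> bool:
    # Accept the emailed token once, then store only the salted hash of the new password.
    expected = rec.get("reset_token_hash")
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if expected is None or not hmac.compare_digest(presented, expected):
        return False
    del rec["reset_token_hash"]
    rec["password_hash"] = hash_password(new_password)
    rec["must_reset"] = False
    return True


def login(rec: dict, password: str) -> bool:
    # Every login is refused until the forced reset has been completed.
    if rec.get("must_reset") or not rec.get("password_hash"):
        return False
    return verify_password(password, rec["password_hash"])
```

After migration the old (leaked) password fails, the emailed token works exactly once, and the stored record never again contains a plaintext password.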
re: The Stamporama website has been hacked. PLEASE READ NOW.
Changed - and I changed my password on all of my other selling sites that use the same email. At least my PAYPAL account I had already set up with a different password because I have been hit there a few times. That is the one that could cause the most issues - if they could get into there with the password from here.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Ikey-Pikey said:
"Without giving away your family jewels, how do you manage your flock of passwords?"
I have an old address book that I have written all my passwords in to all my sites used.
This is done for 2 reasons -
1) so I don't have to REMEMBER them all!
and
2) in case anything happens to me, my wife can access all my stuff with no problem - after all, when I'm gone, it's all hers!
re: The Stamporama website has been hacked. PLEASE READ NOW.
Great one, Randy!
PW changed. Mine was unique to SOR.
I too have received spoof email from supposedly SOR members. Arrived in my Spam. Didn't open the attachment, deleted the message, and performed an in-depth scan. No infection was found.
It's a 'geek tool' so there's a bit of a learning curve to get into it. But fortunately Youtube has got lots of videos that should get anybody started with it. Though it's officially Windows only, there are a number of extensions/tools that integrate it (make it work seamlessly) on ANY browser, device or operating system.
Once you get everything up and running, it works pretty much in the background (reminding when to renew passwords, filling in usernames + passwords when required, creating new passwords when required etc). The only thing you'll really have to take care of is having backups of your 'master password' file (which in itself can be encrypted in a number of ways) in case of a computer crash etc.
re: The Stamporama website has been hacked. PLEASE READ NOW.
I got the rest of mine about 30 minutes ago. I wondered about that as well but it was mentioned that there is an automatic extension of a lot if there is a bid within a certain time of the lot ending. I was not aware of that feature.
Greg
"Seesomething you like in my Hipstore? Contact me for a deal!"
re: The Stamporama website has been hacked. PLEASE READ NOW.
Brian and Greg,
With the bulk email that I sent out yesterday re the website getting hacked, there was a big backup of emails to send. Brian, you have all your emails now, right?
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi Brian,
I'm not sure what has happened to your auction emails. It all looks OK on the server. Could you please check your spam/junk folders in your email program?
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi all, I only just received the info this morning, Monday.
I could not log in (password invalid) so have created a new profile/username/password.
All my internet registrations/passwords are in software from coffeecup.com
It's called "Lockerbox"; check it out, it works. Different passwords are generated by the software. I have been using it for a long time. So in short, every internet account I use has a different password.
To get any of my info one would have to hack my personal computer and then hack Lockerbox.
On forums I always use a postal address of a Jail/Gaol; after all, I would say any communication on Forums is by email.
Support the Hobby -- Join the American Philatelic Society 04 Oct 2015 03:54:37pm
re: The Stamporama website has been hacked. PLEASE READ NOW.
Bicolor04,
Of course, creating a new username/profile will wipe out your history here (history of lots sold and won, invoicing, discussions you participated under your old name etc. etc. etc.). It will also duplicate our member count (?). Better really not to become a 'new' member, but to use the "change password" function for your old username, which is now located below the login box. Perhaps Tim should make the link a little more prominent to avoid that members believe they must create new profiles.
re: The Stamporama website has been hacked. PLEASE READ NOW.
I've been using LastPass for several years now. It's a great password generator and password vault program. You need to remember only one password - that's the one to access LastPass itself.
There is a free version available. I use the premium version ($12/year) so that I can access my passwords on my phone and tablet.
Please forgive me if it isn't appropriate to give publicity to other programs here.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi, Thanks for the email. Password successfully changed. Please note that skymem does not want confidential data on their website and according to their FAQ you can delete documents from their site by clicking on the Remove button above each document. Don't know if that's true. You can also remove data from Google search results, etc.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi Jim,
You are quite correct. I did make use of their "Remove" function. They don't guarantee that the data will stay removed, so I'm keeping an eye on it every couple of days.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Not sure if related, but I note a debit of $24.10 on my Visa account dated today from a source I do not recognize. It shows as pending so no use calling until Monday. I of course did not have this card # as part of my information on here, but maybe someone used my password to access my account.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi,
I had not reset the password earlier but it was working fine till today, when I was unable to login to SOR. My password was saved, so whenever I used to open SOR it always used to open the page with me logged in, but today it was not logging me in. I remembered my password but still it was not logging me in with my password. So, I had to reset the password and log in again.
A few questions to Admin:
1. Can anyone change my password without any email communication to the email address which is updated in SOR?
2. Assuming someone hacked the password of SOR and changed the email address in my profile, would not an email communication be sent to the earlier email ID which was there, providing the info that your email address has been changed?
3. As I worked in the technical field earlier in server-networking, I am curious to know whether there was any technical gap which was opened when we were moved from the old to the new server of SOR.
4. We discussed encryption; any update on it?
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi Boseauro,
Here are the answers to your questions:
1. Only you can change your password either by using the Change Password function in the members area or by using the Forgot Password link on the Login page.
2. Had your email address been changed?
3. We don't know of any technical gap that was opened up by moving to the new server.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi Tim,
Thanks for your response.
Coming back to my first question:
When we change our password, is there any email communication sent? In this case I did not get any email when my password was changed, so presumably my password was compromised.
re: The Stamporama website has been hacked. PLEASE READ NOW.
Tim,
Please excuse me if these questions were already answered. I didn't see it if it was.
I just did a google search for my email address and I found where my email address, password and phone number were on the skymem website. Is there any way to get it off of there or is it just "tough luck"?
I saw the previous answer to this question, thanks.
Also, what else did they get? Do they have my name and address? I couldn't tell from what I saw.
A Service Dog gives a person with a disability independence. Never approach, distract or pet a working dog, especially when (s)he is in harness. Never be afraid to ask questions to the handler (parent). 23 Oct 2015 10:23:07am
re: The Stamporama website has been hacked. PLEASE READ NOW.
My old one is still listed in Google search too.
"Let's find a cure for Still's Disease, Breast Cancer and Canine Addison's Disease. We CAN find a cure and save lives!!"
re: The Stamporama website has been hacked. PLEASE READ NOW.
Hi Ernie,
Skymem.com seems to be a website where hackers like to post their scalps (if you will excuse the term). If you are seeing a page on their website with your details, there should be a Remove button that you can use. I have done so and I thought that it had removed all of our information. I did a search using your email address and it seemed to be removed, but that could just have been the view that Google is giving me. Try clicking on the Remove button.
re: The Stamporama website has been hacked. PLEASE READ NOW.
I think the data is still in the Google cache, but no longer on the Skymem site. I checked for my info, and that's what happened. Showed up in the Google search, but did not show up on the Skymem site.
"You gotta put down the duckie if you wanna play the saxophone. (Hoots the Owl -- Sesame Street)"
re: The Stamporama website has been hacked. PLEASE READ NOW.
I am very disappointed by the lack of security on this site. This is not the first issue I have had with the site and must consider it the third strike.
I would hope that Tim would continue to check skymem.com to be sure our information is not re-posted. I am not sure we have heard the last of this yet.
How can I have my personal information removed from StampoRama? I no longer care to be a member of this site. Please advise me on how to proceed and how to document that my personal data is removed from this site.
They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -Benjamin Franklin 01 Nov 2015 11:31:41am
re: The Stamporama website has been hacked. PLEASE READ NOW.
Charlie,
There is no personal data on Stamporama that anyone with even a beginner's knowledge of the internet could not find out elsewhere. Anyone who believes that their private lives are safe from intrusion by a determined data miner is living in a fool's paradise. The internet is a dangerous place, but then so are the dark alleys of most of our cities. Good luck trying to find a safe haven on the WWW, you have a monumental task before you!
"The only thing necessary for the triumph of evil is for good men to do nothing. -Edmund Burke"
re: The Stamporama website has been hacked. PLEASE READ NOW.
" Anyone who believes that their private lives are safe from intrusion by a determined data miner is living in a fool's paradise."
How very true. Remember when many people put their social security numbers on their checks and the police recommended that you engrave your social security number on expensive items?
Now we are told to do whatever it takes to keep that number from anyone and to make sure you don't carry your social security card in your wallet. And yet the government uses your social security number for your Medicare number and you are supposed to carry that card with you. Add in that it appears on all of your medical records which cannot be referred to as "secure" by any stretch of the imagination.
Try tracking down an old classmate on the internet - you can usually find them easily. Even the difficult ones who have moved several times can generally be found in less than half an hour.
re: The Stamporama website has been hacked. PLEASE READ NOW.
@cfc1967,
I understand your frustration. We have done everything that we can to secure the website, but we are not hackers and don't have the same type of knowledge as the people who broke into the website. My focus has always been on building, not breaking. I continue to look for possible break-ins on a regular basis and I scan the internet to try and find our private information out there. But don't just leave this to me. I strongly encourage you to be scanning the internet for your personal information. Do regular Google scans for your email address. This was how Arno originally discovered that we had been hacked.
Retired Ap. Book Mod, Pres Golden Gate Stamp Club, Hi Tech Consultant 02 Nov 2015 03:03:32pm
re: The Stamporama website has been hacked. PLEASE READ NOW.
The SOR is highly unstable today. I am unable to post elsewhere, and only after 1/2 hour of tries can I hope to issue this warning. Highly unstable. Login, edit, posts etc all seem to have issues.
Started at 10:30 am more or less CA time.
Rrr. Posting now in desperation before losing the connection.
"E. Rutherford: All science is either physics or stamp collecting."