1. #1

    mmo-champ database unsecure?

    I'm not pointing fingers, or trying to place blame on you guys, and/or make any accusations, however I have very good reason to suspect your database is being used by hackers to gain account info.

    1 very common way for accounts to get hacked is, a group of 'hackers' will go to fan sites, and find user info, including e-mail addresses which 99% of the time are the same e-mail used on your WoW account, and then you get all those spam emails pretending to be Blizzard, with links to malicious sites.

    Anyways, I recently made a new e-mail account, and used it only once, to sign up to this website, and that account is now receiving impostor Blizzard spam to keyloggers etc., which leads me to believe somebody accessed your database of user names and contact info etc.

    I'm sure you're well aware this happens daily and are probably trying very hard to stop it, but just thought I'd mention my personal situation pertaining to me.
    ALL DAY SON ALLLLLLLLLLLLL DAY.

  2. #2
    I've noticed a fuckton of emails from "Blizzard" popping up since about two months ago. I usually have 2-3 of them in my junk box every day now, but it's hard to say if it's MMO-C or Retpaladin.com or even Battle.net.

  3. #3
    This is why I have an email account that is used for battle.net ONLY and not anything else ever. Nobody but me knows the email address of that account.

    If you attach bnet to an account you use with anything else, it's like advertising to the world that you have lots of really nice things at home and don't lock your doors at night and then signing it with your address. Don't whine when you come home to an empty house.

  4. #4
    Databases like MMO-Champion's are often attacked via SQL-injections and there's really nothing the people at curse can do that's not ridiculously expensive.

  5. #5
    Thank god I have good software to not get a keylogger, and a brain to not open those mails.

    Also .. GET AN AUTHENTICATOR

    ---------- Post added 2011-01-15 at 08:34 PM ----------

    Quote Originally Posted by Longview View Post
    Databases like MMO-Champion's are often attacked via SQL-injections and there's really nothing the people at curse can do that's not ridiculously expensive.
    SQL injections are not the hardest thing in the world to secure against
    (E) .· ` ' / ·. (F)
    Ur Tears Fuel Me.
    QQ More Please

  6. #6
    Quote Originally Posted by darxide View Post
    This is why I have an email account that is used for battle.net ONLY and not anything else ever. Nobody but me knows the email address of that account.
    That ^ ...I use an email for the game and game only, also do not see those fake emails from the chinamen that steal your accounts. I use a different email for everyday usage like accounts on forums and whatnot, one that if it does get hacked I could care less about any identity getting compromised.

  7. #7
    Quote Originally Posted by darxide View Post
    This is why I have an email account that is used for battle.net ONLY and not anything else ever. Nobody but me knows the email address of that account.

    If you attach bnet to an account you use with anything else, it's like advertising to the world that you have lots of really nice things at home and don't lock your doors at night and then signing it with your address. Don't whine when you come home to an empty house.
    That really has nothing to do with this issue. They aren't getting emails because it is the same one as their battle.net account, but getting emails because they used an e-mail on a wow related site. You don't need to use the same e-mail as your battle.net log in for your account to be hacked by key loggers and the like. If they have that it just makes one part slightly easier, but finding your account name isn't the hard part at all.

    The only thing using your battle.net account for only battle.net does is allow you to more easily spot phishing e-mails. However they are pretty easy to spot anyways and you shouldn't be clicking links in the first place, so it is more a matter of how many messages you either have to send to the junk folder or delete from the inbox/junk folder.
    "Man is his own star. His acts are his angels, good or ill, While his fatal shadows walk silently beside him."-Rhyme of the Primeval Paradine AFC 54
    You know a community is bad when moderators lock a thread because "...this isnt the place to talk about it either seeing as it will get trolled..."

  8. #8
    Deleted
    Quote Originally Posted by Longview View Post
    Databases like MMO-Champion's are often attacked via SQL-injections and there's really nothing the people at curse can do that's not ridiculously expensive.
    If you have no clue, don't post. Please.

  9. #9
    Quote Originally Posted by Treeston View Post
    If you have no clue, don't post. Please.
    How about enlightening him, instead of being arrogant?
    Too much work for the great self-entitled addon expert?

  10. #10
    Quote Originally Posted by Daladiesman View Post
    How about enlightening him, instead of being arrogant?
    Too much work for the great self-entitled addon expert?
    What point is there explaining to someone how to build a website properly?
    Coding ur webpage so SQL injection is not possible can be done in a range of ways, all of which basically mean that any end user doesn't have access to the actual code or the objects that do the queries
    (E) .· ` ' / ·. (F)
    Ur Tears Fuel Me.
    QQ More Please
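Added example, not part of the thread and not MMO-Champion's or Curse's code: posts #4, #5 and #10 disagree about how hard SQL injection is to prevent, so this sketch puts a member lookup built by string concatenation beside the same lookup with a bound parameter. The `members` table, its rows, the crafted input and both function names are constructed for illustration.

```python
import sqlite3

# Constructed input: a "username" containing a quote and extra SQL text.
CRAFTED = "x' OR '1'='1"


def make_db():
    """In-memory stand-in for a forum member table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return db


def lookup_vulnerable(db, username):
    # The input is pasted into the SQL text, so a quote character in it
    # can end the string literal and change the structure of the query.
    sql = "SELECT username, email FROM members WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    # The SQL text is fixed; the value is bound separately and is only
    # ever compared as data, whatever characters it contains.
    sql = "SELECT username, email FROM members WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", len(lookup_vulnerable(db, CRAFTED)), "rows returned")
    print("parameterized:", len(lookup_parameterized(db, CRAFTED)), "rows returned")
    print("normal lookup:", lookup_parameterized(db, "alice"))
```

The only difference between the two functions is how the value reaches the database driver, which is why the fix is a coding habit rather than an infrastructure cost.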

  11. #11
    Quote Originally Posted by Badpaladin View Post
    I've noticed a fuckton of emails from "blizzard' popping up since about two months ago. I usually have 2-3 of them in my junk box every day now, but it's hard to say if it's MMO-C or Retpaladin.com or even Battle.net.
    I actually have the same, I used to get the odd fake email, now about 2-3 each day, and it also started about 2 months ago
    and for me it's not from retpaladin.com because I never even heard of that site before :d
    Quote Originally Posted by Dreamless
    Heh, ahh the internet. Where the 'glass is half full' and 'glass is half empty' people are both shouted down by the heaving masses of "WAAAAH! I WANT A FULL GLASS! WAAAAAAAH!'

  12. #12
    Quote Originally Posted by -Dalliah- View Post
    I have separate email accounts for different stuff.
    1 for random stuff, 1 for WoW and 1 for mmo-champion.

    On my mmo-champion email account I've received 0 fake emails. Nix nada niet.
    The only emails I get are report emails.
    Same.

    Causality != Correlation

  13. #13
    Hai.

    I already explained that here: http://www.mmo-champion.com/threads/...=1#post9504345

    As far as I know, there's no way to get users' emails on MMO-Champion as of today, I would love if someone proved me wrong because we'd actually have something to fix.

    On a sidenote, I tried to find your "new" account and the only thing we could find with your IP was an alt account registered in October and you apparently got banned a week ago. Since you brought up security stuff I investigated further and the mail used on that alt account wasn't used on MMO-Champion only, it was also used on Facebook (and was a fan of the MMO-Champion page).

    Now huh, if you want to give me more information in PM I'll be happy to answer your questions, and I'm not saying that we can't have a vulnerability, but calling the database insecure in the thread title seems a little ... trollish, sir.
