
Archived

This topic is now archived and is closed to further replies.

High Grade Comics Hacked?

96 posts in this topic

I’m half asleep, but your server showing your books etc should be on the external with a firewall facing out only allowing let’s say port 80, 443, etc to that server. They can hack that all day long and your information is protected. Behind your server, and another firewall, there should be another server with the back end passwords and personal information that the front end server is allowed to retrieve through a very narrow port range using a hash to determine if you are a legitimate user or not.


I did run this by my support team.

 

This is what I got in response

 

First, while his recommendation is generally speaking a sound best practice for a larger company, it would involve significant additional expense (two servers plus additional standalone firewall hardware) and would also require more investment in daily management of the server environment.

 

Second, it's important to note that the specific attack we experienced would not have been stopped by this setup. The attack did not gain access to the server itself -- it simply exploited a vulnerability in the code to submit queries against the database through the normal (port 80) HTTP channel.

 

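An added illustration, not part of the thread and not the site's code: the reply above describes queries reaching the database through the ordinary HTTP channel, which a port-filtering firewall passes by design. Assuming that means SQL built by string concatenation (the thread does not name the flaw), this Python sketch uses a constructed `customers` table and hypothetical function names to run the same request parameter through a concatenated query and a parameterized one.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the back-end database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "hash-a"),
         ("bob@example.com", "hash-b"),
         ("carol@example.com", "hash-c")],
    )
    return db

def firewall_allows(dst_port):
    # Hypothetical perimeter rule from the first post: only web ports pass.
    return dst_port in (80, 443)

def lookup_concatenated(db, email):
    # Vulnerable pattern: the request parameter becomes part of the SQL text.
    sql = "SELECT email, pw_hash FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT email, pw_hash FROM customers WHERE email = ?", (email,)
    ).fetchall()

def handle_request(db, dst_port, email, lookup):
    # The firewall sees only the port; the parameter's content is opaque to it.
    if not firewall_allows(dst_port):
        return None
    return lookup(db, email)

# Constructed input of the kind that changes the meaning of a concatenated query.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", handle_request(db, 80, CRAFTED, lookup_concatenated))
    print("parameterized:", handle_request(db, 80, CRAFTED, lookup_parameterized))
    print("blocked port :", handle_request(db, 3306, CRAFTED, lookup_concatenated))
```

The firewall rule behaves identically for both handlers; only the query construction decides whether the crafted value returns every row or none.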

I have gotten a number of emails from customers who are having issues with the password reset.

 

My first suggestion is to cut and paste (Ctrl C/Ctrl V) the new password when logging in versus trying to type it in. Sounds obvious but I have gotten a lot of emails regarding problems when the person is typing it in.

 

If it still doesn't work please do a password reset. You will get a new password to cut and paste.

 

If you don't get the password reset that means your ISP provider is blocking my business emails. I can get you a password reset.

 

bob


I got the Netflix thing last week. Called them and changed my password while talking to them.

 

While I don't think this has anything to do with Bob's site breach... I had the Netflix problem.

 

Someone got into my Netflix account this morning and changed the account's email address, for which I got a Netflix email notification informing me that I did this (which I did not).

 

Immediately called tech services and they had NO RECORD of my account that I've had for over two years. I ask the tech that surely there has to be some proof I have had an account... she says "no". I say "that's great because I've had $8.75 taken off my Visa card each month for the last two years that I would like back please".

 

I asked her if she didn't see the loophole their system just opened up to someone. So now she states the only way to find my old account would be to re-sign up to Netflix.

 

So I re-sign up while the tech is on the phone and she says she has found my old account and it's had the email associated with it changed (duh) and also the payment method has been changed (which wasn't associated with me or my old account)... and now I shouldn't have any more problems.

 

I say "wait... that's it? Someone takes my account over, changes the email associated with it and then changes the payment method and all this is ok with you?"

 

She states it wouldn't affect me at all since the payment method was changed.

 

I lost my marbles. :pullhair:

 

I'm like "have you lost your mind? Someone hacks into a customer's account, changes info, and after you all are alerted to this... none of this affects me??? I say this because your system sent me an email stating that I myself made all these changes".

 

She states "that for all the system knows, it was you".

 

I say "ok, since it supposedly was ME that did this... I would like to know the email address that "I" supposedly changed to." She said "due to privacy laws, she can't give out that information." I'm like "well since I supposedly changed it and have an email notification from you that I personally asked for the change, I'd like to know what "I" changed it to."

 

Again I get "my apologies sir but due to privacy laws yadda yadda yadda" (shrug)

 

So the tech says sorry but for your trouble you are getting one free month of Netflix. I say "great... so that's on top of the one free month I just got for signing up again?"

 

She says "no... that sign up 30 days was it".

 

I proceeded to lose my marbles all over again. :pullhair:

 

Needless to say, I now have 60 days until my next bill ;)

 

So when you sign back up, don't let those weasels at Netflix pull this on you.


I have gotten a number of emails from customers who are having issues with the password reset.

 

My first suggestion is to cut and paste (Ctrl C/Ctrl V) the new password when logging in versus trying to type it in. Sounds obvious but I have gotten a lot of emails regarding problems when the person is typing it in.

 

If it still doesn't work please do a password reset. You will get a new password to cut and paste.

 

If you don't get the password reset that means your ISP provider is blocking my business emails. I can get you a password reset.

 

bob

 

That's what I did, just cut and paste and then I changed it. Simple.


Sorry for Bob going through this, and as this thread has shown, there was nothing he could have done to prevent it, and he did everything he could immediately to minimize the effects.

 

I wanted to comment on the PayPal thing and Wiz's experience. I had something similar happen, and spent hours on the phone trying to understand (failing miserably, I might add). But here's the deal.

 

It's harder for one's PayPal account to be hacked in general, but when you have an open dispute, it's easier. I can't understand if this exploits a vulnerability in their system, or some intelligent hacking, but what they do is go through the dispute/claim to create a reset email, and then request a change in password.

 

When it happened to me, all the hackers did was close the disputes (I know, weird right?!). But I last checked my PayPal account maybe 11 pm the night before, and woke up 4:00 am for a drink and checked email. Got one from PayPal confirming the email/password reset. PayPal was closed so I had to wait until the following morning to call.

 

These authenticators may have their challenges (some may be eliminated over time as bugs are worked out), but worth considering.

 

Also, just last week, I got an email that someone tried to activate my Facebook account (I hadn't used in a long while) from somewhere in Kazakhstan. WTF?!

 

With the Ashley Madison deal, and now HighGradeComics.com, nothing is safe anymore people!!!
