Possible compromise of user data

Have just received one of those "we have taken control of your camera" blackmail attempt emails. As it was sent to a unique address used only for signing up to this forum I'm wondering if any other members have had one. If so, don't worry, it's an empty threat.

My Fretboard profile is set to not share my email address.

As I currently have no other messages to or from this address stored on any computers or my mail server it suggests that the Fretboard database may have been compromised.

Comments

  • TTony Frets: 27805
    Bloog said:
    As I currently have no other messages to or from this address stored on any computers or my mail server it suggests that the Fretboard database may have been compromised.
    @digitalscream ...
    Having trouble posting images here?  This might help.
  • digitalscream Frets: 26945
    Been looking at it - there's no evidence of any compromise (i.e. any queries run from outside the context of the forum application), and there haven't been any alerts for queries run within the app context which shouldn't be there. Also, none of my honeytrap user accounts on here have had any spam.

    I honestly can't explain it :(
    <space for hire>
  • Fretwired Frets: 24602
    Where was the email address created? Is it on the OP's PC/Mac setup in an email programme like Outlook or Thunderbird? Has the OP's computer been compromised?



    Remember, it's easier to criticise than create!
  • bingefeller Frets: 5723

    You might want to look into a webcam sticker OP.
  • Sporky Frets: 28936
    I also use a unique email address for tFB, and have had nothing untoward come through it.
    "[Sporky] brings a certain vibe and dignity to the forum."
  • Bloog Frets: 3
    Fretwired said:
    Where was the email address created? Is it on the OP's PC/Mac setup in an email programme like Outlook or Thunderbird? Has the OP's computer been compromised?
    There's no client-based account for the address. As I own the domain name, it's simply a case of entering a new address when signing up for a service and receiving mail via a catch-all address specified at the mail server. Mail is deleted from the mail server 14 days after being downloaded, and anything sent to the Trash on my own system is permanently deleted after 30.

    If my own computers or mail server have been compromised then it must have been around 2 years ago to have acquired the address. My last comms via Fretboard were just after I bought a Laney VC15 in 2016.
    You might want to look into a webcam sticker OP.
    All camera lenses on my devices are covered with 3 layers of mil-spec adhesive tinfoil :>
  • bingefeller Frets: 5723
    Bloog said:
    Fretwired said:
    Where was the email address created? Is it on the OP's PC/Mac setup in an email programme like Outlook or Thunderbird? Has the OP's computer been compromised?
    There's no client-based account for the address. As I own the domain name, it's simply a case of entering a new address when signing up for a service and receiving mail via a catch-all address specified at the mail server. Mail is deleted from the mail server 14 days after being downloaded, and anything sent to the Trash on my own system is permanently deleted after 30.

    If my own computers or mail server have been compromised then it must have been around 2 years ago to have acquired the address. My last comms via Fretboard were just after I bought a Laney VC15 in 2016.
    You might want to look into a webcam sticker OP.
    All camera lenses on my devices are covered with 3 layers of mil-spec adhesive tinfoil :>
    No need to worry about your webcam being hijacked then ;)
  • oaf Frets: 300

    Dunno if it's of interest...

    I've had some spam to the email address connected to my fretboard account (over quite a while too). Like the OP, the email account associated with it is only used for the fretboard. As an example, this came through today (headers only):

    Return-Path: <bxrcirresponsible@armc.com>
    Received: from mx1.mydomain.com (mx1.mydomain.com [x.x.x.x])
        by mydomain.com (8.14.4/8.14.4) with ESMTP id w4O86C8s031411
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
        for <thefretboard@mydomain.com>; Thu, 24 May 2018 09:06:15 +0100
    Received: from ptcl.net ([39.47.210.3])
        by mx1.mydomain.com (8.14.7/8.14.7) with ESMTP id w4O85uTE007788
        for <thefretboard@mydomain.com>; Thu, 24 May 2018 09:06:09 +0100
    Message-Id: <201805240806.w4O85uTE007788@mx1.mydomain.com>
    From: "Maurine A." <bxrcirresponsible@armc.com>
    To: Thefretboard <thefretboard@mydomain.com>
    Subject: BEST MEDICATIONS for the LOWEST PRICE, Thefretboard.
    Date: Thu, 24 May 2018 13:06:14 +0500
    MIME-Version: 1.0
    Content-Type: text/html; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable


    I've changed my domain name to "mydomain.com" in the examples above/below so I won't get even more! It's not the end of the world as most of it is bounced as it is really spammy-looking.

    Perhaps there is some kind of vulnerability? Most people just won't notice as they use the same account for everything and we're not talking mountains of spam.

    I've never shared this account name with anyone (it is only used for when I get mentions, etc) or used it elsewhere.

    Here's a bunch of bounces from the last few days, not millions, but a good few:

    /var/log/maillog:May 20 11:22:30 mydomain sendmail[28189]: w4KAMTkN028189: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[86.104.237.173], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 86.104.237.173 - Request access at http://www.spamhaus.org/query/bl?ip=86.104.237.173
    /var/log/maillog:May 21 19:04:10 mydomain sendmail[22048]: w4LI48qf022048: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[182.187.95.87], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 182.187.95.87 - Request access at http://www.spamhaus.org/query/bl?ip=182.187.95.87
    /var/log/maillog:May 22 10:38:58 mydomain sendmail[4535]: w4M9cv7E004535: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[41.138.61.189], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 41.138.61.189 - Request access at http://www.spamhaus.org/query/bl?ip=41.138.61.189
    /var/log/maillog:May 23 16:52:45 mydomain sendmail[16874]: w4NFqhFH016874: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[196.181.95.30], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 196.181.95.30 - Request access at http://www.spamhaus.org/query/bl?ip=196.181.95.30
    /var/log/maillog-20180429:Apr 25 22:47:56 mydomain sendmail[12594]: w3PLlujO012594: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[190.129.63.184], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 190.129.63.184 - Request access at http://www.spamhaus.org/query/bl?ip=190.129.63.184
    /var/log/maillog-20180429:Apr 26 09:33:49 mydomain sendmail[22271]: w3Q8Xnas022271: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[61.19.86.146], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 61.19.86.146 - Request access at http://www.spamhaus.org/query/bl?ip=61.19.86.146
    /var/log/maillog-20180513:May  7 05:22:09 mydomain sendmail[16338]: w474M5iJ016338: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[180.211.135.170], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 180.211.135.170 - Request access at http://www.spamhaus.org/query/bl?ip=180.211.135.170
    /var/log/maillog-20180513:May  8 10:05:50 mydomain sendmail[6864]: w4895jaG006864: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=mail.206.citicsinfo.com [114.251.228.124] (may be forged), reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 114.251.228.124 - Request access at http://www.spamhaus.org/query/bl?ip=114.251.228.124
    /var/log/maillog-20180520:May 19 00:38:38 mydomain sendmail[28406]: w4INcZSh028406: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[77.35.244.89], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 77.35.244.89 - Request access at http://www.spamhaus.org/query/bl?ip=77.35.244.89
    /var/log/maillog-20180520:May 19 02:41:23 mydomain sendmail[30115]: w4J1fMnN030115: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=[125.94.44.231], reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 125.94.44.231 - Request access at http://www.spamhaus.org/query/bl?ip=125.94.44.231
    /var/log/maillog-20180520:May 19 22:53:01 mydomain sendmail[15177]: w4JLr07I015177: ruleset=check_rcpt, arg1=<thefretboard@mydomain.com>, relay=177155102223.tvnsul.com.br [177.155.102.223] (may be forged), reject=550 5.7.1 <thefretboard@mydomain.com>... Refused unsolicited email from 177.155.102.223 - Request access at http://www.spamhaus.org/query/bl?ip=177.155.102.223

    When you have your own domains you do get all sorts of weird spam, but I thought I'd give you another data point.

    Oh and checking my backup MX server that is receiving small amounts of spam fretboard mails too, despite the main server being up (usual spammer nonsense).
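Added example, not part of any post in this thread: one way to tally sendmail `check_rcpt` rejections like those in the excerpt above per single-use signup alias. The alias registry, the example.org addresses and the documentation-range relay IPs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the sendmail check_rcpt format quoted in the post above.
# example.org addresses and documentation-range IPs stand in for real values.
SAMPLE_LOG = """\
/var/log/maillog:May 20 11:22:30 mx sendmail[28189]: w4KAMTkN028189: ruleset=check_rcpt, arg1=<thefretboard@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <thefretboard@example.org>... Refused unsolicited email from 192.0.2.10
/var/log/maillog:May 21 19:04:10 mx sendmail[22048]: w4LI48qf022048: ruleset=check_rcpt, arg1=<thefretboard@example.org>, relay=mail.example.net [198.51.100.7] (may be forged), reject=550 5.7.1 <thefretboard@example.org>... Refused unsolicited email from 198.51.100.7
/var/log/maillog-20180513:May  7 05:22:09 mx sendmail[16338]: w474M5iJ016338: ruleset=check_rcpt, arg1=<otherforum@example.org>, relay=[203.0.113.5], reject=550 5.7.1 <otherforum@example.org>... Refused unsolicited email from 203.0.113.5
/var/log/maillog:May 22 08:15:00 mx sendmail[3001]: w4M7F0aa003001: ruleset=check_rcpt, arg1=<sales@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <sales@example.org>... Refused unsolicited email from 192.0.2.10
/var/log/maillog:May 22 10:00:00 mx sendmail[4535]: w4M9cv7E004535: from=<a@example.net>, size=1200, relay=[192.0.2.44]
"""

# Matches only recipient-stage rejections; the relay may or may not carry rDNS.
REJECT_RE = re.compile(
    r"sendmail\[\d+\]:\s+(?P<qid>\w+):\s+ruleset=check_rcpt,\s+"
    r"arg1=<(?P<rcpt>[^>]+)>,\s+relay=(?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r"(?P<forged>\s+\(may be forged\))?,\s+reject=(?P<code>\d{3})"
)

# Hypothetical registry: alias local part -> the only place it was ever given out.
CANARIES = {"thefretboard": "forum signup", "otherforum": "second service"}

def parse_rejects(text):
    """Return one dict per check_rcpt rejection found in the log text."""
    hits = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            local = m["rcpt"].partition("@")[0].lower()
            hits.append({"qid": m["qid"], "alias": local, "relay_ip": m["ip"],
                         "rdns": m["rdns"], "forged": m["forged"] is not None,
                         "code": m["code"]})
    return hits

def alias_report(hits, canaries=CANARIES):
    """Count rejections and distinct relays for registered single-use aliases."""
    report = defaultdict(lambda: {"count": 0, "relays": set(), "forged_rdns": 0})
    for h in hits:
        if h["alias"] in canaries:  # ignore general-purpose addresses
            entry = report[h["alias"]]
            entry["count"] += 1
            entry["relays"].add(h["relay_ip"])
            entry["forged_rdns"] += h["forged"]
    return dict(report)

if __name__ == "__main__":
    for alias, e in sorted(alias_report(parse_rejects(SAMPLE_LOG)).items()):
        print(f"{alias} ({CANARIES[alias]}): {e['count']} rejected, "
              f"{len(e['relays'])} distinct relays, {e['forged_rdns']} forged rDNS")
```

A tally like this shows that an alias is known to spam senders, not how they obtained it; on a catch-all domain a guessable local part can also be hit by dictionary-style address guessing.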
  • vale Frets: 1052
    i get a little dialogue box under the sign in when i first land that says:

    "this connection is not secure. logins here could be compromised. learn more"

    with an icon of a padlock crossed through with a diagonal red line.

    as my fretboard account is linked to my 'general junk spam' email addy, rather than my personal addy (no offence), i am not hugely bothered if i get spam there. & i have a solid firewall & av in place.

    but the appearance of that dialogue under the sign in box may be of interest to the forum tech gatekeepers to know about, either to secure the site or to protect peeps whose fretboard account is linked to their personal addy.

    would post a pic but i don't have any of those online instagram things (not big on social media).
    hofner hussie & hayman harpie. what she said...
  • darcym Frets: 1297
    a little late to this, but there were some large ISP router logs posted on a public "I need help site" a month or two back by someone quite inexperienced, and it was a LOT of logged data, which was customer data, none of any real value, but if you were one of the ISP's customers (or tier 2 customers) and you logged into this site over http the username and password would have been sent clear text (but I believe the password is hashed in transit?) but if your email is your username it could have appeared in that long log history, as it was raised in multiple security discussions that the log had been scraped and the thread had a crazy high amount of hits suspected to be bots scraping the log