alma Posted November 26, 2014
Full email addresses and passwords leaked to the internet here: http://pastebin.com/C9e82Lm7 Someone already tried to use this to log into my DropBox today, but that has a different password. This is serious. Change your passwords now for any sites that might share the same login information. USPSA must send notification to all affected immediately! Also, when you rebuild this, USPSA, please salt and hash our passwords!!!!!!!!!!!!!!!! It's disgraceful that these were stored in plain text.
NickO Posted November 26, 2014
I'd remove the link to the dump. I fear many people will not learn about this leak, and minimizing exposure to the list would be ideal. Also I would hope that USPSA would send an email to its user base SOONER than later. Stan, thank you for posting this.
alma Posted November 26, 2014
No, finding that was as easy as searching for my email, "almacole@gmail.com", in Google with quotes. It was the first hit. The information is out there and in the hands of bad guys right now! Keeping the link from others does no good, especially since it's so easy to find.
alma Posted November 26, 2014
Like I said, attempts have already been made to access my accounts. This is urgent and action must be taken now. Hiding the link from this group does no real good unless someone requests a takedown from pastebin.
johnsons1480 Posted November 26, 2014
Well, mine is in there. I've gone on a sanitation mission this morning; hopefully I knocked it out.
Beastly Posted November 26, 2014 (edited)
Quoting alma: Full email addresses and passwords leaked to the internet here: http://pastebin.com/C9e82Lm7 Someone already tried to use this to log into my DropBox today, but that has a different password. This is serious. Change your passwords now for any sites that might share the same login information. USPSA must send notification to all affected immediately! Also, when you rebuild this, USPSA, please salt and hash our passwords!!!!!!!!!!!!!!!! It's disgraceful that these were stored in plain text.
Yes, mine is in there. Fortunately I don't re-use passwords. Disgraceful is an understatement. I'm wavering somewhere between negligent and grossly negligent. Why have I not received notification from USPSA? Maybe we just need to use the email list to send a mass warning notification to USPSA members' email addresses informing them of the breach and the potential risk to any other accounts tied to that address/password combo. Anyone have easy access to a bulk e-mailer? Edited November 26, 2014 by Beastly
gose Posted November 26, 2014
What database is that? Doesn't seem to be the member database, as I can't find my address there.
alma Posted November 26, 2014
Quoting gose: What database is that? Doesn't seem to be the member database, as I can't find my address there.
It looks like the USPSA website database, so whatever you use to sign in there.
gose Posted November 26, 2014
Quoting alma: It looks like the USPSA website database, so whatever you use to sign in there.
Guess I'm reaping the rewards for never signing in then...
GrumpyOne Posted November 26, 2014
Mine is there...but it's a defunct email address...but I have changed passwords because that login is used in other places.
ron169 Posted November 26, 2014
I wonder if it only affects people that changed their passwords on the site? When I log on, I use my member number and a code that came on my first issue of Front Sight magazine.... Never changed it either.
BritinUSA Posted November 26, 2014
I found my email address and password, but the thing is I don't use that email address as my login ID. I think what they did is found the ID and password and then looked up the email address associated with that ID (such as USPSA number), and that is what is in that password dump. I don't use that password for any other site, so I should be OK. I suspect that the reason that we have not received an email from USPSA about this is that they can't pull in the email addresses because they have shut down the server that housed all the e-mail addresses. There should be something posted to the Facebook page and Twitter account though...
Chuck Anderson Posted November 26, 2014
They have the DownRange newsletter they could use to send it out.
ummm Posted November 26, 2014
If you read the dump file, you'll see that USPSA was apparently vulnerable to more than just a standard SQL injection attack. It claims they also used cross-site scripting and blind SQL injection. I mention this as a potential source of concern, as the USPSA blurb (now posted in the OP) mentions only SQL injection, raising the possibility they are unaware of other attack vectors.
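An added example (not USPSA's code and not from the dump) of the two defences the posts above ask for: per-user salted hashing, so a copied login table yields no passwords, and parameterised queries, so a username or email field cannot alter the SQL. The table layout, iteration count and sample accounts are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed for the example: an in-memory login table with a salt and
# a PBKDF2-HMAC-SHA256 hash per account, never the password itself.
ITERATIONS = 600_000  # work factor; raise as hardware gets faster


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn, email, password):
    salt = os.urandom(16)  # fresh random salt per account
    # '?' placeholders: the driver binds the values, so they are never parsed as SQL
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(conn, email, password):
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(stored, hash_password(password, salt))


def dump_rows(conn):
    """What someone who copied the whole table would see: email, salt, hash."""
    return conn.execute("SELECT email, hex(salt), hex(pw_hash) FROM users").fetchall()
```

Two accounts registered with the same password get different hashes because of the per-user salt, and an email string carrying SQL fragments is simply looked up as an email that does not exist.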
ctay Posted November 26, 2014
From USPSA: We have become aware of a security breach that happened on USPSA.org within the last 24 hours. The USPSA website login database was compromised and at least a partial list of usernames and passwords were exposed. USPSA staff has taken steps to address the vulnerability, and we have changed the system to ensure this type of attack will not be effective in the future. Members are strongly encouraged to change their passwords on USPSA.ORG and any other website for which they used the same email and password. It is important to note that the breach did not involve the credit card processing system or any financial data. All credit card processing is done using a separate industry standard secure vendor — no credit card information is stored on the USPSA server. We will keep the membership updated as more information is available.
Yagi Posted November 26, 2014
I would suggest blocking that link to lessen the spread... The bad part is (I think)...when the website gets live again, people who were not informed will get the short end of the stick. Say someone manipulated an ad you have in the uspsa.org classifieds... lo and behold someone liked your item; the hacker might change all the info to receive the payment... He may not receive the firearm because of the FFL, but he may get the check and/or the non-FFL items....
gose Posted November 26, 2014
Quoting BritinUSA: I suspect that the reason that we have not received an email from USPSA about this is that they can't pull in the email addresses because they have shut down the server that housed all the e-mail addresses. There should be something posted to the Facebook page and Twitter account though...
They could get the email addresses from the database dump on pastebin...
alma Posted November 26, 2014
Quoting Yagi: I would suggest blocking that link to lessen the spread... The bad part is (I think)...when the website gets live again, people who were not informed will get the short end of the stick. Say someone manipulated an ad you have in the uspsa.org classifieds... lo and behold someone liked your item; the hacker might change all the info to receive the payment... He may not receive the firearm because of the FFL, but he may get the check and/or the non-FFL items....
That information is already gone. It has been compromised and is being actively exploited by hackers. Removing the link from here doesn't keep thousands of script kiddies from accessing it and testing logins across the internet. In cases like this I think full disclosure works better than selectively releasing information that is out there for anyone to Google. If your information isn't there, maybe you will see some of your friends' and can prompt them to make corrections.
johnsons1480 Posted November 26, 2014
Quoting alma: That information is already gone. It has been compromised and is being actively exploited by hackers. Removing the link from here doesn't keep thousands of script kiddies from accessing it and testing logins across the internet. In cases like this I think full disclosure works better than selectively releasing information that is out there for anyone to Google. If your information isn't there, maybe you will see some of your friends' and can prompt them to make corrections.
Great point. I just let my coworker and shooting buddy know that he was also on the list. He doesn't frequent these forums, so he had no idea.
Sarge Posted November 26, 2014
Quoting alma: No, finding that was as easy as searching for my email, "almacole@gmail.com", in Google with quotes. It was the first hit. The information is out there and in the hands of bad guys right now! Keeping the link from others does no good, especially since it's so easy to find.
Hey Alma, computers are not my first language, so I have a question. I searched my email just like you said and my name does not appear to be on that list. Does this mean all I really need to do is go in and change my password on uspsa.org when it comes back up? Thanks a lot in advance.
rbgaynor Posted November 26, 2014 (edited)
What could someone get from USPSA? Passwords? Member list? Gun owners? Private addresses of law enforcement or officials? Items sold or purchased via Classifieds? Where everyone shoots every week? The database was compromised over a year ago when the Executive Director allowed third parties to access the info without a privacy agreement. Sad to say it.... I told them they had vulnerabilities in the Dec 2013 BOD meeting. When I suggested they notify the members that data had been compromised, Phil just blew it off as not such a big deal. They said "I doubt anything will come of it and I can't see it hurting anyone". So nothing was done. I raised the issue several times in email and phone meetings, but nobody would take me seriously. Hence, one more reason to resign. California law is clear on this kind of breach - timely notification is mandatory (SB-46). Additionally, if it affects more than 500 Californians (I suspect it does), they are required to notify the CA Attorney General. Edited November 26, 2014 by rbgaynor
Stan-O (Author) Posted November 26, 2014 (edited)
Quoting BritinUSA: I suspect that the reason that we have not received an email from USPSA about this is that they can't pull in the email addresses because they have shut down the server that housed all the e-mail addresses. There should be something posted to the Facebook page and Twitter account though...
No, that can't be the reason -- they can easily spend 5 minutes or so to pull the e-mails out of the database without risking any further attacks. I didn't want to increase the exposure of the dump until every USPSA member was made aware of the leak; I don't know what's taking USPSA so long to reach out to the membership. Nothing can be gained by posting the link to the dump here; even if your e-mail address isn't there, you're still at risk. Edited November 26, 2014 by Stan-O
Sarge Posted November 26, 2014
Are you serious?
alma Posted November 26, 2014
Quoting Sarge: Hey Alma, computers are not my first language, so I have a question. I searched my email just like you said and my name does not appear to be on that list. Does this mean all I really need to do is go in and change my password on uspsa.org when it comes back up? Thanks a lot in advance.
Sarge, yes, that sounds correct. If you remember the password and username that you use on that site, just check to ensure that you don't use that same password and username (or email) elsewhere. In my case my email is there along with a password that is thankfully not being used on any of my other online accounts. I have no action to take other than verifying that fact and then selecting a new password when the website comes back up. USPSA should force a password change for every member as a result of this hack, so I doubt you will even have the option to keep the same one.
ctay Posted November 26, 2014
From what I understand, you will be required to change your password once the site is back up.