13 Sep 2015

A question about: IMPORTANT! Have you received an email to your forum username?

NEW UPDATE 10/12/10 - PLEASE READ


Hi folks,

We just wanted to update everyone about what has been going on for the past couple of weeks since this thread was originally posted. The technical team here has been working incredibly hard both investigating and making changes. Thank you to all the users above who've been helping and guiding others.

Was there a new breach?

- We had reported previously we were aware of a breach in November 2009 and had since worked very hard on further tightening the security since that point (including external consultants to assess and analyse risk and improve procedures). One key question was whether the email sent was part of that breach or a new one.

- So far, we still have no confirmed reports of any forumites that joined in 2010 getting the spam email. A number of people who said in the thread that they had received one found they were mistaken (either about their join date or about having received the email discussed) when we looked into it.

- The poll results suggested 9% of the recipients of the email joined in 2010. However none of these have been in contact with us so that we can verify it. This is just about within the margin of error one may expect when taking into account wrong clicks, people being mistaken and possible malicious votes.

- We have received copious amounts of emails from people who joined after Nov 2009 saying they didn't get the email - far outweighing those who say they did. Also many members who'd changed their login email address since November 2009 report the spam/Trojan email went to their old email address not the changed ones.

- Coupled with our technical team's review of the forum's code, and possible security risks, all of this evidence points to no new breach since the one we are aware of in November 2009. However, we are still more than willing to look at any evidence to the contrary and would ask you please email it to webmaster@moneysavingexpert.com.

What action has been taken?

- Even though it seems there has been no new breach - we have conducted a thorough review and security analysis AS IF there had been, both as a preventative measure and to try to predict any potential weaknesses or breaches for the future.

- The technical team have undertaken a thorough review of the forum's underlying code, to find points which we could try and make even more secure. Obviously we won't be detailing exact measures taken as this could be useful information for any malicious hackers roaming the web.

- The technical team have also taken steps to make it harder for large scale harvesting of email addresses, in the event that we were hacked in future.

- While we don't believe any access to the password file has happened (and it would be very difficult to do), as a precaution for the future we have added an extra warning when users choose a password, advising never to choose something you use for other websites that store sensitive personal information about you.

- While we have no indication of any breach of Private Messages during our investigation, we noted that some people used PMs as if they were a secure form of communication. To prevent this extra warnings have been added whenever users compose a Private Message (PM), reminding them not to send sensitive personal details via PM.

What has been done about the senders of the trojan?

- We contacted the police computer crime unit about this and filed a statement.

- The spam emails sent out contained links, which we advised users not to click. After reporting this to the authorities to investigate we have been informed that there were links to three different locations.

- Only 1 of these contained any malicious files. The only way you can have been infected is if you opened the email, clicked on the link, downloaded the zip file and installed the fake program.

- The police inform us that the majority of the big anti-virus software providers have now updated their products to enable them to tackle this new Trojan.

- The authorities in the countries where the spam emails originated are also conducting investigations.

Please let the webmaster know any useful information about this via email.

UPDATE NOTE - FOR FULL INFO PLEASE READ

Forum members warned of spam emails


Insert and explanation by MSE Dan - web editor

Hi folks,

The thread below has brought to our attention an email being received by forum users, purporting to be from 'Money Expert' and using forum usernames.

Thanks for letting us know about this - we have been investigating all morning and it is definitely malicious spam. It is absolutely not from us, and we haven't (and never would) sell or pass on any data.

Crucially, it contains a link leading to a type of virus called a 'trojan' so please DO NOT CLICK THAT LINK! (read about Free Anti-Virus software)

Here is an example of the email, so you know what you are looking for:
Quote:

Hi XXXXX,
MoneyExpert: News-Tool.
At MoneyExpert, we believe it's only fair that you can compare products from the whole of the marketplace. After all, it's the only way to be sure you're not missing that perfect deal. That's why we insist on being independent, which means we're never biased towards any particular company. We provide details on every product from all of the major providers in the market. We partner with Defaqto, the people who deliver product data to the FSA, to ensure that our tables are accurate and complete. You can find out more about Defaqto at www.defaqto.com.
Download MoneyExpert News-Tool:
[link removed]
_________
MoneyExpert is VAT registered. Our VAT registration number is 825281335.

If you got this email and didn't open it, or opened it and didn't click the link in it there is nothing to worry about.

We're sorry for any problems this may have caused you. The e-mail did not come from and has nothing to do with MoneyExpert or Defaqto; their names have been used to try and trick recipients into clicking the link.

We are still investigating how the e-mails were sent to so many of our users but we've found no obvious breach at this stage. We'll let you know more as it comes to light but it's possible that the e-mail addresses were harvested during a breach that happened last year. Please see this post for more details.

Please help us work out what's going on...

We think that only forumites who joined before Dec 2009 will be receiving these emails, as they relate to a breach in the past. However, if you are a more recent member, it would be a massive help if you can post below and let us know.

Thanks for all the feedback so far, and sorry again for the hassle. We'll post any more updates here.

Dan

Update by MSE Martin at 10.30pm Wed

Having been out of the office and contact for most of the day I wanted to write a note now I can, though the senior team have been on this all day.

We are of course working hard to get to the bottom of this. The best info we have so far is that this is related to an old forum breach we think we had last year, but we have to analyse it. Please vote in the poll above, as it will help us determine whether this is only affecting older users or not. Indications are that it is being sent to old usernames, which makes that likely.

We have yet to verify anyone who joined in 2010 got the email, so if you have, we'd kindly request you urgently email webmaster@moneysavingexpert.com with your username so we can check the logs and a copy of the email received so we can investigate.

The forum is run using a 3rd party software called Vbulletin, and we rely on its protection to look after the files, plus over the last year we've been through a major exercise to try to tighten it up with our own security on top.

An upgrade to that software is available and it is on our list, but it is a massive exercise of many months to rebuild all the bespoke features we've added (many on users' request) and isn't something that can happen quickly.

Thankfully, we don't hold any personal data on individuals - barring email addresses. That is and always has been a deliberate policy because I don't want us to data mine individuals, and it means that in the event something like this happens (and determined hackers try all big sites - Nasa, Facebook, the Navy and banks have been hacked at times) the worst that can happen, I hope, is inconvenience. Of course, it's also an important reminder to ensure you have anti-virus software (see free anti-virus).

If we have been hacked whether recently or in the past, I of course apologise wholeheartedly. It's not for want of trying - we've been through some major security exercises over the last year including bringing in outside consultants to check for any flaws. Yet this unfortunately reflects the murkier side of the internet.

We will continue looking at this in the morning. My tech team and our server company's security team have been looking at this and the access logs. No indication of a recent breach has been found yet (as far as I'm aware, though it is 10.30pm and I can't get hold of them all).

Regards

Martin

__________________________________________________
Back to the original post...

Webby

This morning I received an email from MoneyExpert.com addressed to my MSE username:

SugarSpun,
MoneyExpert: News-Tool.
At MoneyExpert, we believe it's only fair that you can compare products from the whole of the marketplace. After all, it's the only way to be sure you're not missing that perfect deal. That's why we insist on being independent, which means we're never biased towards any particular company. We provide details on every product from all of the major providers in the market. We partner with Defaqto, the people who deliver product data to the FSA, to ensure that our tables are accurate and complete. You can find out more about Defaqto at www.defaqto.com.
Download MoneyExpert News-Tool:
[link removed]
_________
MoneyExpert is VAT registered. Our VAT registration number is 825281335.

I noticed the VAT registration number on the bottom, so I googled it and came up with this. It seems to be a legitimate company that's sent out a mail shot to email addresses it's acquired from somewhere - can it be that MSE has sold our email addresses? This is the only site I've used my primary email address for, since I wanted to sign up to the weekly email at the same time, and I always click "no third party sites".

May we have an explanation please?

Best answers:

  • Can you edit out the link to the zip file please?
    Just in case it is dodgy/virus/trojan etc.
    Thanks.
  • Posts from this thread:
    https://forums.moneysavingexpert.com/....php?t=2864252
  • I also received one of these emails this morning to the email address I use for MSE and it was also addressed to my user name on here!
  • Two received here and reported.
  • Yup, I've had this too.
  • I own a domain name and have all emails sent to a different email address per company; in Money Saving Expert's case I have it sent to moneysavingexpert.com@mydomainname.com. This is so I can block emails once a company starts sending spam etc.
    The email we all got this morning not only has my MSE-unique email address, it also has my forum username.
    What other information has MSE leaked/sold?
  • I've got one as well -- there's something fishy on those there waters
  • Yup, me too, I think MSE must have been hacked.
  • I got one too. I sent it to the webmaster (before reading this thread).
    I am most concerned that a company that is not MSE has managed to link our email addresses and forum user names together. Most odd.
    I assume Martin will be in touch! lol
  • I also had one of these emails this morning, with the exact same text as that copied above. I hope this is resolvable - and a hack. I strongly doubt that MSE would intentionally give email addresses to an outside operator.
  • Me too.
    To an email address that is not my normal one.
    What has happened MSE?
  • Hi folks,
    Thanks for bringing this to our attention, we're looking into it as a matter of urgency.
    DO NOT CLICK ON ANY LINKS IN THAT E-MAIL!!! It is likely to link to a trojan or other types of malware.
    Please note that we would never voluntarily allow anyone access to your personal information so we're investigating the security side of things.
    Webby
  • A third email has arrived to a different email address I have which isn't registered to MSE at all.
  • Just to add that I have one as well, and to the correct address, i.e. the one I use for MSE and which unfortunately is also my professional email.
    Virgin did pick it up as spam, so it was in my junk folder.
  • Me too.
    Like an earlier poster, I use a different email address for every single thing I sign up for (so I can disable any that start receiving excessive spam, and so I can track down which organisation leaked it). I can absolutely confirm that the email address to which today's spam was sent is (was!) known ONLY to MoneySavingExpert. Since it's not publicly visible on MSE, the inevitable conclusion is that MSE has been hacked.
  • I'll send the full headers to webby if required but just for info the original 'from' address was business at moneyexpert dot com
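The per-site alias technique two of the posters above describe (a distinct address per company, so the recipient address itself names the organisation that leaked it) can be turned into a small attribution check. This is an added example, not code from the thread or from MSE; the alias map, the spam headers and the `mydomainname.com` / `.invalid` addresses are constructed. It also handles the case one poster reports, a copy arriving at an address registered with no service at all, which is reported as "unknown" rather than attributed.

```python
import email
from email.utils import getaddresses
from collections import Counter

# Constructed alias map in the convention the poster describes:
# the service's domain is used as the local part of the address.
ALIASES = {
    "moneysavingexpert.com@mydomainname.com": "MoneySavingExpert forum",
    "bank.example@mydomainname.com": "Example Bank",
    "shop.example@mydomainname.com": "Example Shop",
}

# Constructed raw messages (headers only) standing in for the spam received.
# The sender domain is a placeholder, not the address quoted in the thread.
SPAM = [
    "From: MoneyExpert <business@moneyexpert.invalid>\r\n"
    "To: moneysavingexpert.com@mydomainname.com\r\n"
    "Subject: MoneyExpert: News-Tool.\r\n\r\n",
    "From: MoneyExpert <business@moneyexpert.invalid>\r\n"
    "To: \"Forum user\" <MoneySavingExpert.com@mydomainname.com>\r\n"
    "Subject: MoneyExpert: News-Tool.\r\n\r\n",
    "From: MoneyExpert <business@moneyexpert.invalid>\r\n"
    "To: personal@mydomainname.com\r\n"   # never given to any service
    "Subject: MoneyExpert: News-Tool.\r\n\r\n",
]

def recipients(raw):
    """Return lower-cased recipient addresses from To/Cc/Delivered-To."""
    msg = email.message_from_string(raw)
    addrs = []
    for hdr in ("To", "Cc", "Delivered-To"):
        addrs.extend(a.lower() for _, a in getaddresses(msg.get_all(hdr, [])))
    return addrs

def attribute(raw_messages, aliases=ALIASES):
    """Count, per service, how many messages hit that service's alias."""
    counts = Counter()
    for raw in raw_messages:
        for addr in recipients(raw):
            counts[aliases.get(addr, "unknown")] += 1
    return counts

def likely_leak_source(counts):
    """Service whose alias received most spam, or None if no alias was hit."""
    known = {svc: n for svc, n in counts.items() if svc != "unknown"}
    return max(known, key=known.get) if known else None

if __name__ == "__main__":
    hits = attribute(SPAM)
    print(dict(hits), "->", likely_leak_source(hits))
```

A non-zero "unknown" count is worth keeping visible: it means at least one recipient address was not issued to any tracked service, so the alias map alone cannot explain every copy received.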