Possible security / privacy problem with the sites email database

DerAgo · Jul 19, 2010, 06:27 AM

I used a customized email address only for this site ( "ago-drvhvn@bastart.eu.org" ), and today I started to receive spam for this address. Please check your servers security, guys. Here is a copy of the email:

Code:

Envelope-to: ago-drvhvn@bastart.eu.org
Message-ID: <BLU0-SMTP398835D2A1EE79F38B4CE4FABF0@phx.gbl>
From: "wowaccountadmin@blizzard.com" <donotrelpy@blizzard.com>
To: <ago-drvhvn@bastart.eu.org>
Subject: Account disable Notification
Date: Mon, 19 Jul 2010 10:14:56 +0800
MIME-Version: 1.0
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: base64

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv
L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu
dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxNRVRBIGNvbnRlbnQ9Ik1TSFRNTCA2LjAw
LjI5MDAuNTg5NyIgbmFtZT1HRU5FUkFUT1I+PC9IRUFEPg0KPEJPRFk+RGVhciBwbGF5ZXJzLCBB
cyBXb3JsZCBvZiBXYXJjcmFmdCdzIGRldmVsb3BtZW50IGFuZCBvcGVyYXRpb25zIHNlcnZpY2Ug
DQpwcm92aWRlcnMgLSBCbGl6emFyZCwgd2UgaGF2ZSBiZWVuIGhhcmQgd29yayBmb3IgZWZmb3J0
cyB0byBwcm92aWRlIGJldHRlciBhbmQgDQptb3JlIGp1c3QgZm9yIHRoZSBwbGF5ZXJzIG9mIHRo
ZSBnYW1lIG1vcmUgYmFsYW5jZWQgZW52aXJvbm1lbnQuPEJSPkp1c3QgDQpyZWNlbnRseSB3ZSBm
b3VuZCB0aGF0IHNvbWUgcGxheWVycyB0byB1dGlsaXplIGEgYnVnIGluIFdvcmxkIG9mIFdhcmNy
YWZ0IG1ha2UgDQppbXByb3BlciBidXNpbmVzcy48QlI+VGhpcyBpcyBvdXIgZmF1bHQsIHdlIGFy
ZSBhbHJlYWR5IGludmVzdGlnYXRpbmcgdGhlIA0KbWF0dGVyLjxCUj5BbmQgd2lsbCBBU0FQIHRv
IGFsbCBwbGF5ZXJzIGEgc2F0aXNmYWN0b3J5IGFuc3dlci48QlI+SW4gdGhpcyANCnByb2Nlc3Ms
IHdlIG5lZWQgeW91ciBjb29wZXJhdGlvbi4gWW91IG5lZWQgdG8gbG9nIDxBIA0KaHJlZj0iaHR0
cDovL3d3dy53b3ctaW0uY29tICIgdGFyZ2V0PV9ibGFuaz53d3cud29ybGRvZndhcmNhcmZ0LmNv
bSANCjwvQT4mbmJzcDtBbmQgdmVyaWZ5IHlvdXIgYWNjb3VudCBsb2dpbiwgYWNjb3VudCBpbmZv
cm1hdGlvbiBoYXMgYmVlbiB0byBlbnN1cmUgDQphdXRoZW50aWNpdHkuPEJSPlNpbmNlcmVseSwg
QmxpenphcmQgQ3VzdG9tZXIgU2VydmljZSA8L0JPRFk+PC9IVE1MPg0K

Here is the message text with Base64 decoding applied:

Code:

Dear players, As World of Warcraft's development and operations service providers - Blizzard, we have been hard work for efforts to provide better and more just for the players of the game more balanced environment.
Just recently we found that some players to utilize a bug in World of Warcraft make improper business.
This is our fault, we are already investigating the matter.
And will ASAP to all players a satisfactory answer.
In this process, we need your cooperation. You need to log www.[censored].com  And verify your account login, account information has been to ensure authenticity.
Sincerely, Blizzard Customer Service

If you need any more information, I will be happy to provide it.

- Axel Gembe, deve.loping.net

Neshi · Jul 19, 2010, 08:03 AM

yea.. I'm getting alot of world of warcraft spam about my account being used in transactions etc.. my account was frozen ages ago.
I just delete them.. but if they are from here it would suck..

***craig5320*** · Jul 19, 2010, 09:57 AM

Thanks, I'm investigating now.

DerAgo · Jul 19, 2010, 01:24 PM

BTW, the original email linked to "www.wow-im.com" with a link text of "www.worldofwarcarft.com" (sic), which is now down. The email header mentions 116.217.115.80 as the original IP. Both wow-im.com and 116.217.115.80 are registered in Beijing, China.

Tyrsonswood · Jul 19, 2010, 02:15 PM

I'm not getting anything like this..... just sayin'

DerAgo · Jul 19, 2010, 04:46 PM

Quote:

Originally Posted by Tyrsonswood

I'm not getting anything like this..... just sayin'

Well, I think it is highly unlikely someone would have guessed the email, and I also don't think it was a breach on my side. I didn't even know about this email anymore until I received the spam today

Also, I never even had a WoW account.

***craig5320*** · Jul 20, 2010, 09:39 AM

I've been through our firewall logs and various other logs we have and I can see no intrusions. There's also no other reports of this behaviour over at vBulletin.com. However I'm escalating our update schedule so we can rule out any security flaws in our current vB version and have changed mysql related passwords as a precaution.

Jul 19, 2010, 08:03 AM	#2
Neshi S.N.A.F.U. Join Date: Dec 2005 Location: Wellington, NZ Posts: 3,377 Rep Power: 177 System Specs	Re: Possible security / privacy problem with the sites email database yea.. I'm getting alot of world of warcraft spam about my account being used in transactions etc.. my account was frozen ages ago. I just delete them.. but if they are from here it would suck.. __________________ If one does not attach himself to people and desire, never shall his heart be broken. But then, does he ever truly live? Life is just too damn short for if's and maybe's

Jul 19, 2010, 09:57 AM	#3
*craig5320* HH Administrator Join Date: May 2002 Location: Manchester, UK Posts: 8,565 Rep Power: 445 System Specs	Re: Possible security / privacy problem with the sites email database Thanks, I'm investigating now. __________________ HardwareHeaven on Facebook

Jul 19, 2010, 01:24 PM	Thread Starter #4
DerAgo HardwareHeaven Newbie Join Date: Aug 2007 Posts: 4 Rep Power: 0	Re: Possible security / privacy problem with the sites email database BTW, the original email linked to "www.wow-im.com" with a link text of "www.worldofwarcarft.com" (sic), which is now down. The email header mentions 116.217.115.80 as the original IP. Both wow-im.com and 116.217.115.80 are registered in Beijing, China.

Jul 20, 2010, 09:39 AM	#7
*craig5320* HH Administrator Join Date: May 2002 Location: Manchester, UK Posts: 8,565 Rep Power: 445 System Specs	Re: Possible security / privacy problem with the sites email database I've been through our firewall logs and various other logs we have and I can see no intrusions. There's also no other reports of this behaviour over at vBulletin.com. However I'm escalating our update schedule so we can rule out any security flaws in our current vB version and have changed mysql related passwords as a precaution. __________________ HardwareHeaven on Facebook