Flippa Got Hacked, Change Your Passwords

According to news around and the discussion in my forums, Flippa had a security breach and passwords were possibly compromised.

Flippa hasn’t come up to accept or refute the allegations so we don’t know the extent of the breach.

Flippa users may want to change their passwords urgently.

As Flippa and Sitepoint logins are common, would it be worth all Sitepoint users changing their passwords too?

Passwords are not available to admins so there’s no need to change them. We also don’t store financial details so users are in no danger from that point of view.

We have now been able to post about this here:

http://flippa.com/blog/news/flippa-security-vulnerability-reported-and-fixed/

Just another note here, Flippa stated in their blog post that passwords were NOT compromised.

But still better safe than sorry.

You know that isn’t completely true, they admitted it on their blog and then promptly deleted the blog post so no one would know about it.

http://webcache.googleusercontent.com/search?hl=en&source=hp&q=cache%3Ahttp%3A%2F%2Fflippa.com%2Fblog%2Fnews%2Fflippa-security-vulnerability-reported-and-fixed%2F&aq=f&aqi=g10&aql=&oq=&gs_rfai=

With that said, another good point was raised in that Flippa admins seem to have full access to your accounts (including acting as you and reading your PMs) based on screenshots of the admin functionality.

So check your Flippa accounts to ensure that no one has been playing around as you and doing things you don’t want done, or that you haven’t PM’ed anyone anything you wouldn’t want out in public (although the cat is out of the bag on that one already).

I just wanted to warn about the password issue and that, considering some stories about users having problems logging in, it may be worth changing passwords. Of course, there’s more discussion about this elsewhere.

You posted in there, Dave, but you didn’t answer the valid questions and security implications raised in the comments :wink:

From where we’re sitting we see clear access that admins had to some financial information (financial information is not just credit card numbers!) and the fact that admins don’t have access to passwords doesn’t mean they can’t change them. The hacker could have easily overwritten someone’s password, got access to his whole account, taken all the information he wanted and the account holder would know nothing. He’d try to log in, find his password not working and simply request a new password, oblivious to the fact that a hacker has been through his entire account.