Major security breach at Hivewire3D, is daz shop ok?
I just received an email from Hivewire3D about a security breach at their shop that leaked all credit card info of their customers. While I have an account there, I never bought anything after getting a free Dawn as I didn't like her much, so my card never reached their shop.
But... just a few days ago my card was charged illegally for about $1300. The only places I used it for a year+ were daz3d, rendo, rdna & content paradise. No trojans/viruses/malware detected at any point (and there was major scanning done after the stealing and regular ones before), the card never left my wallet. And it seems Hivewire3D uses the same shop software as daz.
It doesn't really matter to me now where it happened, it's already done and I'm waiting for the police investigation (that will turn out empty most likely) but just in case, check that your card does not have any extra charges or whatever. I'm switching to paypal permanently even if I don't like the company.
Comments
I received the email, too, and I only had free dawn, too, but I guess you had to give your cc-number anyway.
My bank informed me on Saturday of strange debiting of my cc, which was blocked and my cc banned.
Hivewire is security-wise a piece of crap. They started with sending my registration-confirmation email with my password in plain text, and now ... I don't know if my cc-leak is courtesy of Hivewire but I will know and in future avoid such sites.
There have been a lot of sites hit by this, not just Hivewire; it's just that Hivewire is actually informing their customers rather than trying to pretend it didn't happen.
I just changed my paypal password, is a worry
edit: never mind. I misread the original post.
People can store their debit card details on Hivewire 3D? I never noticed the option to save the payment options when I check out of their store.
In the last days?
I'm glad, that Hivewire is actually informing me; that's more than we usually get. But, big but: I was talking to the guy at the bank if they had any evidence who hadn't their data security in grip. No clue. Last time I got my cc banned I got some hints and I could conclude whom it was: simple solution: never ever have any money based connection to this business. Simple.
(I do not so much care about NSA espionage and there aren't any nudes of me in the cloud - which would mostly look like Rawart-renders - but I'm completely pissed off by businesses unable to do such a thing as store my cc information in a secure way. This costs me money and time, of which I don't have enough. As I said: I'm not sure if it's Hivewire, but their security approach is "questionable".)
PS: If future tells that another site is responsible: I will simply add them to my list of un-responsible sites and never do business with them again.
PayPal isn't affected, due to their email. (Which I can understand.)
But changing the password regularly doesn't hurt either :)
It's credit cards. And even if I've never bought anything from Hivewire besides the free Dawn I guess they must have my cc-information because I got an email addressed only to cc-owners.
Based on Steve K's statement on their forums, the latest notification was sent to everyone registered, independent of their purchase history/credit card/PayPal use. I got it too and they definitely never had any of my info beyond the email.
He also explained that the hack involved someone collecting the info as it was entered, so it doesn't matter if it was stored on their system or not. Sort of like the data skimming programs they used at Target stores earlier this year.
Ciao
TD
The email stated the affected data was from Aug. 1 to the 25th. Yes, it was intercepted data, not stolen from Hivewire's records. If you didn't buy during that time, should be no problem. 'Til next time. Data security seems to be fast becoming nothing more than a catch phrase without real meaning.
I purchased stuff there on two days during that timeframe. One with PayPal and one with my card. My local branch was skeptical but said I could cancel my card and get a new one but I had to do it in person. No car and even if I could walk down there I'd never make it back up the hill. :)
So I called the main customer service for SunTrust and they're taking care of it. Asked me all kinds of questions to verify I was me. That's good. So I can't buy anything for a week. :) And this card was only three months old :(
However I forgot my verizon bill is due for my cellphone on Friday. I should have taken care of that first. :(
Just for information, there was another malware attack between August 19th and 22nd from advertising banners on prominent sites, and Deviantart was among them.
Some sites affected were
Java.com
Deviantart.com
TMZ.com
Photobucket.com
So people who visited those and did not use adblockers probably should add a full virus scan to their to-do lists - especially if they did not have the latest Java, Flash or Silverlight updates installed at that time.
BTW, these hackers with the skimmers probably won't use the cards themselves. I think they gather bunches of them and sell them off so it takes a little time for that process to complete. Just a quick check of my account didn't show me anything suspicious but I'll take a closer look later.
The hack that hit many Magento sites, including one of our competitors, was more of a man-in-the-middle type (although technically not since it wasn't on the network layer, but the application layer) so it was what data you sent over that was compromised. Basically, the exploit in question was done by modifying core shopping cart files to get the raw data and pass it to the hackers. In this case, had a credit card profile been saved, it would have been more secure since it would have just sent a token over and that would be all that they could have gotten as opposed to all the order information, including usernames, passwords, credit card information, and address information. Please note, this exploit was found and fixes made known for it on July 25th. You can read more about it here from the hosting provider that appears to be the most affected.
Since some sites didn't resolve it until one month after the exploit was known and the fix published (meaning a larger opening of when it could have been active for even longer potentially), I would suggest anyone who has accounts at other 3D sites take immediate action to secure what they can (more details below) and contact your bank to get new cards issued if you had an account you accessed there in the past two months. The biggest problem with this is how it isn't just going to affect the site that had poor security: individual usernames and passwords are getting compromised. More often than not people use the same email / username and passwords on sites. So, if you had an account on a compromised store, your email might be compromised, your online bank account, your daz account, your amazon account, etc. And just because you may not have seen any fraudulent activity yet doesn't mean they don't have your information to use still. I'll state this one more time since this is the most important... If you even visited a compromised site and logged in at any time in the past two months, take all precautions as though you did have your credit card information stolen in terms of securing your computer, your other accounts, and your bank and credit card information.
What can you do to secure yourself? First and foremost, change your passwords and make sure they are unique per site. Do it for any site you have used the same password in other places. Do it for your email, your bank account, the Daz store, and any other site where you have used a common password. Second, just in case, virus scan. Whereas the current vulnerability that was exploited was all server side, the fact that it could have provided the means to authenticate to other things means you should check just in case. Third, if you did purchase anything from that site in that time frame even if you haven't had any fraudulent activity yet, or even if you're just still concerned and want to make sure to be safe, contact your bank and get new cards and deactivate your current ones once they come in.
Finally, the big question: Daz3D's store runs on Magento, were you guys hacked or vulnerable to it? Short answer, no. Medium answer, we aren't rookies at this, our web server configuration as well as how permissions are setup make it so we aren't vulnerable to these types of exploits. Long answer, it would be a long write up, and if there is really demand for it, I can take the time over the next couple days to do it and post it in a new thread, but it would go into some technical detail most probably don't care about or understand and would require a base knowledge of how linux servers operate as well as the fundamentals of what makes up a web application stack.
Are you aware of any other '3D sites' being affected besides Hivewire? I ask as I'm not a customer over there, but did purchases at 3 other sites in that time frame (besides DAZ3D).
Anyway thanks for the link and taking time for some explanations.
My card was also compromised and blocked. For me, Hivewire has just been snipped.
Yes, you can admit to a problem. Yes, you can apologise. Yes, you can fix it for the future. But you can never undo an act of identity theft. They've lost my trust.
How does one know whether a site uses Magento or not? There are tons of stores out there.
I use Paypal but we Dutch get a bankaccount connection instead of a CC one.
I also got the email but my PP account wasn't affected.
To be safe, I did change my password though ><
No other 3D sites that I'm aware of use Magento. However, the exploit goes beyond just 3D sites and, unless you know what you're looking for, it can be hard to tell if a store uses Magento or not. So, this holds true for any store you use a common password with where you don't know what ecommerce platform they use.
If you want to find out if they use Magento, the only way to really do it is to view the source and cookies and look for various indicators. One of the more common ones is looking for any occurrence of the string "Varien" in javascript or urls that have "/skin/frontend" in their path. Other indicators are names of cookies, if there is any cookie set for the domain called "frontend". Those are common default things which are rarely changed and will cover 99.9% of the magento stores out there.
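An added example (not from the thread and not DAZ's code) that applies the three indicators above to a page's source and Set-Cookie headers so you can check a store you already have an account with. The HTML and cookie header are constructed; the live-fetch helper and its URL are assumptions.

```python
# Added example: fingerprint Magento 1 storefronts from page source and cookies,
# using the indicators named in the thread ("Varien" in JavaScript,
# "/skin/frontend" asset paths, a session cookie named "frontend").
import re
from http.cookies import SimpleCookie


def magento_indicators(html, set_cookie_headers):
    """Return which of the three default Magento fingerprints are present."""
    # "Varien" is the Magento 1 core namespace; it shows up in inline JS
    # (e.g. VarienForm) and in asset paths such as /js/varien/js.js.
    varien = bool(re.search(r"\bVarien", html)) or bool(
        re.search(r"/js/varien/", html, re.IGNORECASE)
    )
    # Theme assets on Magento 1 are served from /skin/frontend/<package>/<theme>/.
    skin_path = "/skin/frontend" in html
    # The default storefront session cookie is named "frontend".
    cookie_names = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        cookie_names.update(jar.keys())
    frontend_cookie = "frontend" in cookie_names
    return {
        "varien_js": varien,
        "skin_frontend_path": skin_path,
        "frontend_cookie": frontend_cookie,
    }


def looks_like_magento(html, set_cookie_headers):
    """Any single default indicator is enough to flag the store for review."""
    return any(magento_indicators(html, set_cookie_headers).values())


def fetch_indicators(url):
    """Live check against a shop you use (assumed URL; not run in the test)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        html = resp.read().decode("utf-8", "replace")
        cookies = resp.headers.get_all("Set-Cookie") or []
    return magento_indicators(html, cookies)


# Constructed sample: a storefront page and its Set-Cookie header.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css"/>
<script type="text/javascript" src="/js/varien/js.js"></script>
</head><body>
<script type="text/javascript">var f = new VarienForm('contactForm', true);</script>
</body></html>"""
SAMPLE_COOKIES = ["frontend=k7s3l1m9p; path=/; HttpOnly"]

if __name__ == "__main__":
    print(magento_indicators(SAMPLE_HTML, SAMPLE_COOKIES))
```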
My CCs got hacked as well, and I had no financial info stored on Hivewire and haven't bought anything there in months. DAZ and Rendo, on the other hand, I do business with constantly...
Thanks. I used cc at DAZ and three other 3D sites in the last months, but not Hivewire or non-3D-stores. Maybe I should check if I find Magento indicators over there then..
Edit: http://builtwith.com might help identifying a site's CMS, though it doesn't know all ecommerce solutions. It identified DAZ and Hivewire3D correctly as using Magento, so it might be a working indicator too (and it identified some others as not using Magento).
Thanks for the info, Jon. I'm going to go poking through page source and cookies now :)
BTW, my password is different at every site and bank and email too, thank goodness. But still. :(
See my post above for another indicator. If it identifies a site's CMS successfully, you probably don't need to do further investigation.
Don't you mean August 25th.... my credit card was compromised and I did have purchases at HW during August.... of course I used the same credit card here and at Rendo... so who knows really... but I cancelled it and it's being reissued... what a mess... I got a DAZ gift card I can use here but I really don't feel like shopping after an experience like this. I feel like unplugging my internet connection and just working with what 3D I already have.
It is normal with security breaches to not announce them till you have a fix in place and do both at the same time so you don't create an increase in the exploiting behavior while there is no fix for it. The recent exploit and its fix was announced on July 25th as per the link I posted in my post. Here is the link again.
It may or may not be related to the exploit. One thing to note, as I posted previously, even logging into a compromised site, depending on if you have shared passwords, can be enough to start gaining access to your other accounts.
Also, the explanation of the hack doesn't state how long it has been around. It could have been as little as a week, or as much as all year and just now the group skimming is selling off the data (get a huge pool from a bunch of sites and sell big lists). I don't have enough information to deduce that, and I don't know if the ISP those stores were using does either.
If you have an account on an exploited site, there are precautions that everyone should take to minimize the risk of that spreading even if no purchases were made (and most of those precautions should just be done regardless so as to minimize the impacts of any future hacks).
This is part of the alert message I got from Hivewire
"This breach occurred on August 1, 2014 and was not identified until August 25, 2014. This affected only customers checking out using a credit card, and did not include any PayPal information."
I haven't had any issues yet, but I'll be contacting my bank first thing tomorrow morning (it's after hours here).
On an aside, I don't think it's fair to blame HW3D for this. Obviously, their store setup had vulnerabilities that left them open to hacking, but that could be true at any store. All it takes is a skilled hacker finding one tiny flaw or loophole, and BAM! Another site hacked, maybe DAZ, maybe another store.
I'll take the steps necessary to protect myself financially, but that doesn't mean I'll stop using stores like DAZ or HW3D.
I can't speak for what the sites did to notify people, when they were informed of it, when they fixed it, or anything. That is their own website team to discuss. What I do know is what was in the blog post at http://blog.nexcess.net/2014/07/25/recent-exploit-using-fake-magento-extensions/.
What that post explains is two main things that stick out to me. The initial security of the site from the admin's systems was compromised, most likely because one of the admins used common or weak passwords that were easily brute forced. And two, all sites that were exploited had all submitted information exposed. So usernames, passwords, credit card information, address information, the admin usernames and passwords to the store, etc. Any data that was pushed through a web form on the site got logged and sent off to the hackers which means the rest of the admins and user data.
Greetings,
As an old security developer, I'd love the long-form answer for idle amusement and to see how you take on securing a huge PHP project like Magento, but I don't think it's necessary and I'm not so arrogant to think it's worth your while to write something up for the very few people who (1) would understand, and therefore (2) are already pretty comfortable with it. For me it'd just be a cool insight into your world. :)
I know the forums are under constant attack (watching recently created users shows that), and I imagine the store is also.
-- Morgan
DAZ_Jon - I've got to go along with Morgan - as a retired sysadmin, I'd love to read about what you have done - but I also agree that you've really got better ways of using your time than writing something that maybe 6 to 10 of us would be interested in.
I do appreciate the short-form explanation of the exploit and the link to the more comprehensive writeup, and that both you personally and DAZ as a company take security seriously.