Major security breach at Hivewire3D, is daz shop ok?
This discussion has been closed.
Licensing Agreement | Terms of Service | Privacy Policy | EULA
© 2024 Daz Productions Inc. All Rights Reserved.
Comments
First and major question: is it relatively safe to visit HW now to change the password and include a different email?
Of course, I have lots of passwords. Long, crazy, twisted passwords with upper and lower case letters, numbers, other signs. I am lucky enough to have an email allowing me to have up to ten antispam aliases and an unspecified amount of normal ones I can set up in thirty seconds. I always check for HTTPS and signatures. I never do shopping in a hurry. I have an up-to-date Norton Security, which runs in the background and so on. I've got an up-to-date AdBlock Plus as well as NoScript. They are always on, so when visiting a new site, it is entirely blocked by default and every script I decide to unlock has to be unlocked manually.
But... being a computer-insider of sorts, I am paranoid. I would prefer to make another email account now, with a new alias, change the password in spite of differing and so on. Is it safe to go to HW now? I only downloaded the free content from them, never showed them my card. After getting Dawn SR1 (just because plentitude of choices doesn't hurt), I basically never visit HW. I get their newsletters, but the service is too Dawn-focused to even think of buying at them (I doubt it will change). I didn't visit them through all the holidays, I think (perhaps perusing the forum for information on Dusk if any). Anyway, I'd prefer to change that.
Secondly: it would be fantastic if DAZ and other sites had the intelligent keyboard for giving sensitive data. It works like that: operated by Java scripts, it shows up a keyboard you need to click on with your mouse to type in the password, so nothing stays in the disk buffer. Banks in my country use that.
Thirdly: should I change all the stuff I have at DAZ? I mean, the login, the email, the password...
And yes, every person who registered an account at HW got the warning; I got it yesterday night and saw it minutes ago. I don't know if it is right to post a link to its Web version, but if you prefer not to, just remove it: http://us4.campaign-archive2.com/?u=50fe9577ed1ff0f7de781d741&id=232973933f&e=c0ece68299. This way everybody can read it easily.
Thanks for speaking up even though you are fine, it shows maturity of the shop.
PS I never click on advertisements, no matter how interesting the offer may be. It is too risky. I have an account on DA, which I use frequently, but the details for logging in are different from those at DAZ and from those at HW, obviously.
Add me to the ones getting the CC hacked Saturday and my bank cancelling it. So no spending for me until the new one arrives. I got the email from HW as well, but I have never 'bought' anything but free stuff there, until they come out with a male figure. I have bought from RDNA and Rendo in the two month period - as well as here. I'm now looking at either firing up PayPal again for online or having a separate CC for online with two levels of security. I'll have to check tonight what other online sites I've used, other than Amazon I don't think there is any. Can't say it enthuses me to spend anywhere just now. ;-(
Might not be necessarily related to anything online. There have been multiple cases of credit card skimming at brick and mortar type stores. The most recent one is Home Depot: http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/
TD
Like many others..I got the same email from Hivewire. I did do business with them over the suspect period..so I guess I should fear the worst :( I've also just had trouble with my renewal of my subscription to Norton Antivirus. So, Hi Ho, Hi Ho..it's off to the bank I go tomorrow to check things out :(
Well, I went to bank this morning, and it seems the bank had already noticed some out of character attempts to use card on Sept 1st and blocked access to card. Now I have to wait 3 or 4 business days for new card to be issued :(
I would be interested, but I suspect I'm the only one. Besides, you have better things to do, and telling me about your back-end setup in detail would be frowned upon by your security auditors (if they're at all good at their jobs).
Might not be necessarily related to anything online. There have been multiple cases of credit card skimming at brick and mortar type stores. The most recent one is Home Depot: http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/
TD
Mine was used on lastminute.com and another website - they would need the code from the back of the card to put that through. Either way separating shops from online means I'd still have one working CC just now.
I used to do front-end development for a Magento website. Two actually; one a medium niche-market seller and the other was a major brand.
But my work was limited to the 'make it look snazzy' department, only dipping into the PHP and SQL a little bit when IT was overwhelmed. IT was always overwhelmed... but well, not over-overwhelmed... Because Magento is a mess.
I'd also be curious. I hadn't considered that the site here was Magento - don't know why it didn't occur to me because now that I know, it looks like a Magento website... I feel like I've been riding in a car and only just noticed we have wheels on this thing.
Out of the Box Magento has a horrid database when it comes to scaling up, and very bad response times when it comes to higher traffic. Both teams I was on spent an absurd amount of IT resources on rewriting core parts of the system and database to get their performance back to where it was before they'd switched to Magento... For one of these, that was a year long project before success... (in the other case I was only there as a short term contractor to fix one specific ad-campaign - so I don't know how they fared, just that the entire time I was there I could never get access to anyone because they were always in meetings over what to do to fix it...).
Magento's great for my end of the industry. The CMS system of templates and such make it very easy to manage large scale look and feel changes to a website - and to plug in and pull out ad-campaigns. I sat in the middle of marketing for my longer assignment and we could just pass it all around and have things live in a snap.
- except that using Magento's built in staging system for deploying exponentially added to the database... and I think we applied a couple of 'powers of 2' to our database's list of redirects overnight one time... then had IT hastily pull that system out.
That's exactly my scenario (some other websites, too, but with stored CC-info). So it seems the CC-fraud and the HW-hack are only accidentally connected.
And I never use my CC offline, so it can't be a store-hack in my case.
This is why I've long ago stopped giving anyone my CC info. For web shops, especially smaller companies, either you take PayPal or I don't buy from you. Period, end stop. Yes, PayPal is obviously a big target for the crooks, but they have entire teams dedicated to security, unlike 98% of all web properties. Amazon and Google are the only other places I have CC info stored any more, and again while nobody is infallible, they at least have better infrastructure and staff to deal with security.
I guess I was lucky as I only made one purchase at HW during August, and since the few things I've bought there were under $10 each, I always used PayPal, so I'm OK.
I did check at my bank yesterday, and there were no hinky charges from any other site (3D or not) that uses Magento as their shopping cart/store software. I also know the credit card I generally use online (I have 2 others I never use online) affords me $0 liability for fraudulent charges, and it also affords me their early fraud warning service, which automatically alerts me to any suspicious activity on my account.
I knew that service worked when they called me at home some years ago to check on what they thought were suspicious charges at several stores in a mall within a couple of hours. We had a good laugh when I said, "no that was me", as I was getting ready for a vacation, and had bought several things I needed for it, including a new suitcase.
As I understand this site uses Magento. I just saw this notice of recent exploits/hacks:
http://blog.nexcess.net/2014/07/25/recent-exploit-using-fake-magento-extensions/
Can anyone at DAZ advise?
I am going to merge your thread with the main thread about this issue, as a spokesperson from DAZ 3D has posted there.
I'm getting used to this.
My credit card details were leaked in the Sony hacking more than a year ago. Sony notified my credit card provider themselves, and my card was disabled. It would have been nice if I'd realized this BEFORE I tried to use it (embarrassing, to say the least). But the precautions did prevent me from suffering any invalid charges.
It's not just fly by night websites that are suffering. If Sony can be hacked for online purchase information and Target can be hacked for in store purchase information, nowhere is truly safe.
I stopped using my credit card, as a result. I buy disposable cards for online purchases and use PayPal for subscriptions. In store purchases I make with cash. I pay a little extra in transaction fees with the disposable credit cards, but I also never pay interest.
My bank, however, does offer a low balance card specifically for online purchases. So if you want to limit what a potential thief can charge on your stolen details, you can request a card with a maximum $500 balance or thereabouts (You may be able to get one that's lower). I think this is probably a very good idea for those of us who make a lot of online purchases. If you haven't got one of these, it might be a good idea to look into it.
Thanks, DAZ-jon for the explanation.
I did get the call from my cc company Monday morning and am waiting for a new card right now. Still, quite a bit of paperwork to deal with... :/
And now I have to come up with a bunch of new passwords as well...
Anyway, since this seems to affect quite a few people, I do hope DAZ doesn't feel the bite of this too much. One of their bigger sales and suddenly people have no credit cards anymore :/
I had to replace my card, but nothing to do with online -- in my case it was an ATM skimmer.
I couldn't help myself. :) My card is disabled but I still have PayPal which I can use---and I did. I think first time ever I've used it at DAZ.
I’d also be curious. I hadn’t considered that the site here was Magento - don’t know why it didn’t occur to me
How could it NOT occur to you? Do you almost never come here or something? Because this site is down ALL THE TIME thanks to Magneto. I feel like kicking that software in the face, right in the source code.
Out of the Box Magento has a horrid database when it comes to scaling up, and very bad response times when it comes to higher traffic.
That explains a lot. I hate Magneto. It makes DAZ crash all the time. Esp. on Sundays.
For web shops, especially smaller companies, either you take PayPal or I don’t buy from you
Paypal is HORRIBLE. Even with better security, why would anyone want to use this? All the hidden fees, and "ooh, let's suspend your account just because I feel like it", "I won't do business with you because you're too obscene" "uh-oh, you made too much money, time to freeze your account!" and all the other BS with them. I esp. don't understand why anyone on the business end (as opposed to customer end) would use Paypal. And let's not forget their origins as an Ebay monopoly! I wish Paypal would disappear so that multiple things, some better, some not, could replace it. I despise Paypal with a passion.
Greetings,
Hmm. PayPal did not start as an 'eBay monopoly'. PayPal actually ELIMINATED eBay's attempt at a monopolistic service 'Billpoint'. There are no hidden fees. It's 2.9% + $0.30, lower if you get more volume. There aren't even monthly account fees (except for larger merchant accounts), like my bank has. I even get money back on my debit card, although it's a pittance. Everything is really, clearly spelled out on their site.
Obscenity is a difficult issue, and most merchant services have trouble with the high refuse-to-pay rate for pornographic or near-pornographic materials.
There have been many attempts to replace PayPal's complete suite of capabilities, and they have all failed due to fraud, which is why PayPal focuses on fraud as much as they do. I've gotten the 'Hey, we see a sudden influx into your account, what's going on...?' phone call. I explained that I'd asked for donations from my user base, pointed them to my site, and the application, and everything, and once they understood, it was all good.
I get that passion is involved, so this may fall on deaf ears, but PayPal is just not the evil empire.
Fair disclosure, I last worked for PayPal over a decade ago, from a few months before going public, through to a year or so after their acquisition by eBay. I joined the company as a software developer in 2001 because I was using them heavily already, and I've stayed a member because they provide a great service. Nobody I know works there anymore, but the product is still very good.
-- Morgan
Just a question... A person who works in bank security told me I should have no issues whatsoever. Do you think it is safe to get a freebie from HW now? Because I am certainly NOT going to get myself Willow by 3DUniverse, even though I really wanted to - because of HW's security issues. I won't do anything requiring a credit card. Or PayPal, PayU or something similar. Only free checkouts. What is your opinion?
I don't see how they could steal any payment data if you get a freebie, since you wouldn't enter any and they're not stored on the site.
Besides the security issue there has been fixed, and there wasn't any problem with paypal to begin with.
It really has been for me. For example, I was only able to get on early am yesterday. I kept getting bad gateway errors all evening. (9pm to 1am)
That was on my home computer (I live in Ontario, Canada). I was able to browse from work but our main server is in the US which may or may not have something to do with it. But daytime/work hours doesn't help me because I can't log on from work.
For the last three weeks especially it's been so horrible I was beginning to wonder if I'd be able to participate in the PA sale at all. It may only be down when I need to get on, but it certainly feels like it's down all the time.
Good, that is what I thought, but with all the data I have, I just wanted somebody to reassure me :). Thank you, Leana!
I'll second that - I scan all the store pages with a tool once a week, takes about 8 hours and there are very few problems or timeouts.
Not true. I got my AmEx card account harvested during that same time period and only found out about it when I too got the HiveWire e-mail notice. I contacted my AmEx Fraud Protection office and was informed the hackers tried using the card twice and failed by the AmEx protection tracking system. The sales were halted and the cards account numbers canceled and I was issued a new card. All is good.
It's funny the attempted use of the cards occurred both times at the same overseas security software manufacturing company (which is really suspicious to me anyway) on August 28.
But what bugs me is that HiveWire had complained its site had had problems before with hackers and/or spammers of their forums and supposedly fixed it but it seems they didn't. It is the same case of once the cockroach comes into a house you can never be rid of roaches. Now I no longer want to shop at HiveWire and that is too bad because as a start-up they really needed this like a hole in the head and because so many people there feel the same as us it can only hurt them if they don't fix this rape of their site and their trusting customer base real quick!
I just bought some stuff yesterday at Hivewire using Paypal, I feel secure enough.
Paypal is awesome, and I like their way of how you can get your money back when something is amiss with your purchase.
It really has been for me. For example, I was only able to get on early am yesterday. I kept getting bad gateway errors all evening. (9pm to 1am)
That was on my home computer (I live in Ontario, Canada). I was able to browse from work but our main server is in the US which may or may not have something to do with it. But daytime/work hours doesn't help me because I can't log on from work.
For the last three weeks especially it's been so horrible I was beginning to wonder if I'd be able to participate in the PA sale at all. It may only be down when I need to get on, but it certainly feels like it's down all the time.
Not just you, from the northeast US was bad last week as well. It's been O.K. today, so far. The screen-cap is from yesterday.
Oh, so I wasn't the only one.
It is almost always solved with a refresh on my side
I was looking up info on uber lights, I figured the servers were flooded, and the forum was taken offline to cover the store. It started about 3PM EST, and lasted till this morning. The forum has been unreachable, from time to time. Refreshing did nothing, I would just have to walk away for a while and try again later.
The 522 Error when trying to view the forums is actually due to the forum software basically throwing an error with a cookie that is no longer valid and only happens in specific browsers. If you log out and back in from the store, it refreshes that cookie so it will work again. We have separate servers that handle the forums from the main store, so we never bring the forums down.
I use Firefox~