Did BrandRoot Get Hacked?

Has anyone else just received a ton of emails from BrandRoot? I just got over 30 emails stating my account was closed, but the emails also reference other users' accounts. Am I the only person who received emails like this?
 
1
The views expressed on this page by users and staff are their own, not those of NamePros.
I also got those emails:

 
0
Looks like a very sloppy hack/phishing attempt.
I hope nobody reuses the same passwords across sites...

Yes, it is very disconcerting. We have had many recent hack attempts, which all have been blocked but it seems some of our code may have been affected in some way. We are doing everything we can to restore accounts and prevent this from happening again. We have also integrated Cloudflare to help prevent future hacks. This problem is obviously something we failed to catch.
Cloudflare is anti-DDoS protection. It does not protect against validation flaws, SQL injection attacks, etc. I hope you realize that.
HTTPS also does not secure the site in any way.
The code has to be safe, and the server has to be properly set up and tightened.

PS: I hope that passwords were stored as salted hashes and not clear text. That still doesn't rule out brute-force recovery, and the hacker could also have installed a logger on the login form to capture login data in the clear.
 
6
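Storing passwords as salted hashes, as the post above recommends, looks like this in practice. This is an added example, not code from the thread or from Brandroot; the PBKDF2 parameters, the record format and the SellerAccounts class are assumptions chosen for illustration. A random per-user salt means two sellers with the same password get different stored records, so a stolen table still has to be brute-forced one record at a time, and the iteration count sets how expensive each guess is.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters chosen for this example (assumptions, not Brandroot's settings).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and return a self-describing record.

    Format: algorithm$iterations$salt_hex$hash_hex, so the salt and work factor
    travel with the hash and can be upgraded per user later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never a match
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class SellerAccounts:
    """Minimal in-memory account store: only hash records are kept, never passwords."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}
        # Dummy record verified for unknown users so that login timing does not
        # reveal which usernames exist; it can never be a real match.
        self._dummy = hash_password("not-a-real-password-" + os.urandom(8).hex())

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        ok = verify_password(password, record if record is not None else self._dummy)
        return ok and record is not None

    def stored_record(self, username: str) -> Optional[str]:
        return self._records.get(username)


if __name__ == "__main__":
    accounts = SellerAccounts()
    accounts.register("alice", "correct horse battery staple")
    print("stored:", accounts.stored_record("alice"))
    print("login ok:", accounts.login("alice", "correct horse battery staple"))
    print("wrong pw:", accounts.login("alice", "wrong"))
```

Note that the record is all the database holds: there is nothing to "decrypt", only to guess against, and the iteration count is what makes each guess slow.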
I hope nobody reuses the same passwords across sites...

Great advice. Though you can identify me through my email, I'm glad I used a random username, not affiliated with any other site.

Very sorry everybody! Looks like our email system had a bit of a breakdown.

Looks like a very sloppy hack/phishing attempt.

Hi @Kate - To my knowledge this hasn't been confirmed a hack and/or phishing attempt yet.

Is there any way for somebody to analyze the email, and determine if it was an attack? Or, do we have to rely on BR to investigate the issue, and determine cause?

Also, thank you. I'm not as technically advanced as you, and I appreciate how you broke down the tech for those less experienced.
 
0
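On the question of whether someone can analyze the email and tell if it was an attack: the headers do carry evidence. The added example below (not from the thread or from Brandroot) parses two constructed messages with Python's standard email module and flags the usual signs of spoofing or phishing: a Return-Path domain that differs from the visible From domain, SPF or DKIM results other than pass in the receiving server's Authentication-Results header, and links that point outside the sender's domain. The domains, header values and bodies are all constructed for the example; brandroot.example is a placeholder, not the company's real domain, and every function name is my own.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Two constructed messages (not real Brandroot mail). brandroot.example is a
# placeholder domain used only to illustrate the checks.
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer-example.net; dkim=none
From: "Brandroot" <support@brandroot.example>
To: seller@example.org
Subject: Your account has been closed
Content-Type: text/plain; charset="utf-8"

Your account was closed. Verify your account here:
http://brandroot-verify.example.net/login
"""

LEGITIMATE_EMAIL = """\
Return-Path: <no-reply@brandroot.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=brandroot.example; dkim=pass header.d=brandroot.example
From: "Brandroot" <no-reply@brandroot.example>
To: seller@example.org
Subject: Monthly seller summary
Content-Type: text/plain; charset="utf-8"

Your summary is ready at https://www.brandroot.example/sellers/summary
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(address_header: str) -> str:
    """Bare domain of the first address in a header value, lower-cased."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def auth_result(auth_header: str, method: str) -> str:
    """Pull the pass/fail/none token for spf or dkim out of Authentication-Results."""
    m = re.search(r"\b%s=(\w+)" % method, auth_header)
    return m.group(1).lower() if m else "missing"


def analyze_email(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    auth = str(msg.get("Authentication-Results", ""))
    spf, dkim = auth_result(auth, "spf"), auth_result(auth, "dkim")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    link_hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(body)})

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"envelope sender {return_path_domain} differs from From domain {from_domain}")
    if spf != "pass":
        findings.append(f"SPF result is {spf}")
    if dkim != "pass":
        findings.append(f"DKIM result is {dkim}")
    for host in link_hosts:
        if not in_domain(host, from_domain):
            findings.append(f"link to {host} is outside {from_domain}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf": spf,
        "dkim": dkim,
        "link_hosts": link_hosts,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        result = analyze_email(raw)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "no findings")
        for finding in result["findings"]:
            print("  -", finding)
```

A clean result is not proof of legitimacy (a compromised mail system sends authenticated mail), but a failing SPF or DKIM result, or links that leave the sender's domain, are concrete reasons not to click before the vendor has explained what happened.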
I got those emails as well, but I was very suspicious from the start,
and when you have a suspicion it is better not to click any links.
I did log into my account without any problem.

Let's hope that this was just an internal issue and not an attack
and that this will never happen again!

Good luck and stay safe @Brandroot!
 
2
@Brandroot Have any of your sellers' passwords been exposed in this apparent hack?
 
2
@Brandroot Have any of your sellers' passwords been exposed in this apparent hack?

Nothing but email addresses and names were exposed to the limited number of sellers who received the emails.
 
0
This happened to me and 14 other users on 23-SEP-2015. Everyone on the public list could see everyone else's email details.

I expressed my concern regarding the fact that my account details were made public and also my disbelief that Brandroot cannot organise a simple BCC mailing list. They did not reply to my complaint.

I have since withdrawn all my names and never used Brandroot again. I'm saddened, but not surprised, that their complacency continues...

You have done the right thing 100%
 
1
I did not get any emails, because they did not accept my application..
 
2
Cloudflare would help to prevent hack attempts???

I know Cloudflare to be good at preventing DDoS attacks, but it doesn't look like a DDoS attack to me. Cloudflare also offers an anti-scrape system, but that is not robust either (no robust system exists). Cloudflare is known for supercharging the speed of sites by using caching technologies.

I also suspect that the mass email was a way to obtain usernames and passwords, since they might be encrypted in the database (I am not sure, just my thought).
 
0
I was asked to verify my account via link. I mistakenly entered my username and password in the same window, not thinking it could have been related to a hack.

Potentially sensitive information has been leaked:

Username:
Name:
Email Address:

Has Brandroot officially announced the problem they are facing, so others can be aware of the situation and not follow suspicious links? I hope they are taking the right steps to resolve the issue, and I recommend they reinstall Joomla, which they use for their content management system.
 
1
I think it's high time for them to make a statement, even while the investigation is underway. A breach of personal data is not something you should try to sweep under the rug.
There are strict regulations in the health care industry for example, and breaches can be sanctioned by hefty fines (HIPAA). Or think Sony. Or Home Depot. A breach can be very costly, it can literally ruin your business and wipe it away because of the loss of trust and mitigation costs.
Seriously.
 
4
Yes, it is very disconcerting. We have had many recent hack attempts, which all have been blocked but it seems some of our code may have been affected in some way. We are doing everything we can to restore accounts and prevent this from happening again. We have also integrated Cloudflare to help prevent future hacks. This problem is obviously something we failed to catch.

@Dominium we did get your message and that issue was resolved. This is a separate, site-wide problem.

We take the security of your information very seriously and have taken every step possible to protect the site, including encrypting every page with HTTPS, utilizing Cloudflare, and implementing very strict form validation. Please be patient with us while we resolve this problem. Again, I'm very sorry that we allowed your data to be compromised. The information was only sent out to existing Brandroot sellers and possibly a few Brandroot seller applicants. My hope is in the integrity of this industry. Please delete any emails that were sent to you by mistake.

Nothing but email addresses and names were exposed to the limited number of sellers who received the emails.

I just want to get some clarity on this..

You are saying that you weren't hacked, but code was affected? You realize that's basically the DEFINITION of being hacked? Also, they got names & emails, but you weren't hacked? You don't get that information without it being a hack.... Even if it is a SQL injection attack, that is a type of hack... (and a SQL injection attack is even more concerning to me, as that is basic web prevention and something users should NEVER have to worry about..)

This is very concerning to me. I am a software engineer and although hacking can happen, the fact it isn't being called that and it seems like the details on it are muddy makes me VERY concerned. I'm asking as a potential user - every time I think that Brand Root is improving, it seems that something huge happens to totally discourage me from even being willing to try using your product.

Please give me more clarity and reason why I should have any confidence in using your service.

Thanks so much!
 
1
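The SQL injection point raised above, as an added example that is not part of the thread or of Brandroot's code: a seller lookup that concatenates user input into the SQL text, beside the parameterized form, run against a constructed in-memory SQLite table. With a crafted username the concatenated version returns every seller row, while the parameterized version treats the same input as a literal string and matches nothing; an allowlist check on the username format (a hypothetical rule chosen here) rejects it before it reaches the database at all. All function names and the sample rows are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample data; these are not real Brandroot accounts.
SAMPLE_SELLERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]

# Hypothetical allowlist for usernames: letters, digits, underscore, 3 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's seller database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sellers (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO sellers VALUES (?, ?)", SAMPLE_SELLERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # VULNERABLE: the username becomes part of the SQL text, so quote characters
    # in it change the query's structure instead of being compared as data.
    query = "SELECT username, email FROM sellers WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Parameterized: the driver passes the value separately from the SQL text,
    # so whatever the user typed can only ever be compared against the column.
    return conn.execute(
        "SELECT username, email FROM sellers WHERE username = ?", (username,)
    ).fetchall()


def valid_username(username: str) -> bool:
    """Allowlist validation of the input format (the 'strict form validation' layer)."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Defense in depth: reject malformed input, then still use a parameterized query."""
    if not valid_username(username):
        raise ValueError("username has unexpected characters")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("unsafe, normal input :", lookup_unsafe(db, "alice"))
    print("unsafe, crafted input:", lookup_unsafe(db, crafted))   # every row comes back
    print("safe,   crafted input:", lookup_safe(db, crafted))     # no rows
    print("crafted input passes allowlist:", valid_username(crafted))
```

Validation alone is not the fix: a legitimate value such as a surname containing an apostrophe would make the concatenated query fail, which is the same defect seen from the other side. Parameterized queries remove the class of bug; the allowlist is an extra layer, and it is also where such input becomes visible in logs.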