What is PCGS/Collectors Universe or any other party doing about the hacks

While I understand this is a free forum, it does host MULTIPLE BST forums where transactions are taking place. The security of this forum is somehow compromised... I, at this point, believe there must be something with the forum security that is allowing these hacks to transpire. It is more than hackers getting lucky on some kind of phishing expedition.
I IMPLORE the powers that be to investigate and help the people on this forum. There is a direct attack on us and it appears the forum's lack of security is facilitating it.
@PCGS_Moderator
@Heather
@PCGS_Marketing
@PCGS_Hy
@pcgs_education
Founder- Peak Rarities
Never mind.
Unfortunately I agree with @scubafuel.
Our corporate sponsors can’t fairly be asked to police third-party transactions like this. “Caveat emptor” applies.
However, anything they DO voluntarily undertake in the way of investigation would I’m sure be appreciated. To lose the BST would be tragic.
Have a look at the extremely blunt language Doug used in this sticky at the top of the CoinTalk BST. I’d expect a similar stance from the hosts here.
https://www.cointalk.com/threads/warning-if-you-buy-here-you-may-get-ripped-off.316414/
There is always the risk of losing the BST but if there are active hacks going on, it is an issue even with no BST. It would be nice to know more about this latest set of hacks (and stop if possible) as it is certainly better than previous attempts.
Agreed
For the record I don't expect PCGS to do any policing or intervene with any BST transactions, I tagged two more admins to take notice so that the hacking of accounts can be remedied in some way.
Founder- Peak Rarities
I was hacked "Russell12", the admins are still working to try to get my original account back. I hate to lose all of my history.
I think it would be easier just to shut down the BST.
If there were no BST, it's just a message board and no one is going to bother to hack it. There might be some amusement in pretending to be me, but there's no profit.
What do you expect they CAN do? If you reused a password that was compromised, that's not something the forum can prevent...
Shutdown accounts when notified, sure. What else?
Shutdown BST as a high-risk / attractive nuisance ???
ANA 50 year/Life Member (now "Emeritus")
I don't think anyone gets "hacked". People click on links they shouldn't and voluntarily give up info.
If people used stronger passwords, it would help.
Maybe the forum software could be set to enforce this?
Except it's a little suspicious that there are so many cases on this one forum given how few people are active here. If the percentage were so high in the general population, Eastern Europe would have the 3rd highest GDP in the world.
Hmm.... hack @jmlanzaf , post a few eBay sucks threads, profit.
For starters, a basic email verification in order to change login information would probably help quite a bit.
Founder- Peak Rarities
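What the email-verification suggestion above looks like in practice, as an added Python example that is not part of the original thread and not the forum software's own account code (the page does not describe the platform the forum runs on). It assumes an in-memory account record and an outbox list standing in for mail delivery; the 15-minute token lifetime and the PBKDF2 work factor are the example's own choices. The point it makes: a stolen session cookie alone cannot change the login details, because the change needs both the current password and a one-time token that only reaches the mailbox on file.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60   # assumed: a confirmation link lives 15 minutes
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the password hash


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    """Minimal in-memory account record (example only, not the forum's schema)."""

    def __init__(self, username: str, email: str, password: str):
        self.username = username
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        # Staged change: (sha256 of the emailed token, expiry, new salt, new hash)
        self.pending = None

    def verify_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.password_hash)


def request_password_change(account: Account, current_password: str,
                            new_password: str, outbox: list, now: float) -> bool:
    """Step 1: re-authenticate, stage the new hash, and email a one-time token.

    Nothing about the login changes yet; the new hash only takes effect
    once the token from the mailbox comes back in step 2.
    """
    if not account.verify_password(current_password):
        return False
    token = secrets.token_urlsafe(32)
    new_salt = secrets.token_bytes(16)
    # Only a hash of the token is stored, so a copy of the database does
    # not hand an attacker a usable confirmation link.
    account.pending = (hashlib.sha256(token.encode()).digest(),
                       now + TOKEN_TTL_SECONDS, new_salt,
                       hash_password(new_password, new_salt))
    outbox.append((account.email, token))  # stands in for sending the mail
    return True


def confirm_password_change(account: Account, token: str, now: float) -> bool:
    """Step 2: the emailed token applies the staged change, once, before expiry."""
    if account.pending is None:
        return False
    token_hash, expires_at, new_salt, new_hash = account.pending
    if now > expires_at:
        account.pending = None
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
        return False
    account.salt, account.password_hash = new_salt, new_hash
    account.pending = None
    return True


if __name__ == "__main__":
    outbox = []
    acct = Account("collector", "collector@example.com", "old-password-1234")
    print("staged:", request_password_change(acct, "old-password-1234",
                                             "new-password-5678", outbox, now=0.0))
    _, emailed_token = outbox[-1]
    print("confirmed:", confirm_password_change(acct, emailed_token, now=60.0))
    print("new password works:", acct.verify_password("new-password-5678"))
```

The same two-step shape applies to changing the email address itself; the confirmation must go to the old address, otherwise an attacker with a live session simply points the account at a mailbox they control first.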
Fun... no profit
Oh I'm sure someone would pay for it
The assumption then must be that someone hacked CU and stole users info. That doesn't seem like the most probable conclusion.
even shutting down the bst won't be 100% effective as they can just move to PMs to the user's known contacts
I wish those that got hacked would reveal what password they were using, so we can see how sophisticated the hacking is.
They could provide a reasonably good idea of how strong (or weak) the passwords were without disclosing the specifics.
Mark Feld of Heritage Auctions. *Unless otherwise noted, my posts here represent my personal opinions.
Password strength
Simple or commonly used passwords such as "password", "123456", or "qwerty" can be cracked almost instantly by automated tools that try the most popular combinations first.
Passwords of eight lowercase letters, even if not a dictionary word, can be cracked instantly by a modern computer—there are 209 billion possible combinations, but hardware and specialized software can check them all in seconds.
Adding complexity—uppercase letters, numbers, symbols, and greater length—raises the difficulty: for example, an eight-character password with uppercase, lowercase, numbers, and symbols can take 22 minutes to crack with a supercomputer, but a 12-character password with the same complexity could take 34,000 years.
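The keyspace arithmetic in the post above (26 lowercase letters to the eighth power is about 209 billion candidates) and the earlier suggestion that the forum software enforce stronger passwords, worked through as an added Python example that is not part of the original thread. The guess rate of 10^11 per second, the character-class sizes and the tiny blocklist are the example's own assumptions, not figures from the page; the post's 22-minute and 34,000-year figures rest on a rate it does not state, so the years printed here differ.

```python
import math

# Character-class sizes used for the keyspace arithmetic (assumed; the
# symbol count is the printable ASCII punctuation set).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Constructed stand-in for a real most-common-passwords list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Assumed offline guess rate against a fast unsalted hash. Not a measured
# figure; a slow password hash or online rate limiting changes it by orders
# of magnitude.
GUESSES_PER_SECOND = 1e11


def char_classes(password: str) -> list:
    """Names of the character classes the password actually uses."""
    classes = []
    if any(c.islower() for c in password):
        classes.append("lower")
    if any(c.isupper() for c in password):
        classes.append("upper")
    if any(c.isdigit() for c in password):
        classes.append("digit")
    if any(not c.isalnum() for c in password):
        classes.append("symbol")
    return classes


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes an attacker would need to try."""
    sizes = {"lower": LOWER, "upper": UPPER, "digit": DIGITS, "symbol": SYMBOLS}
    return sum(sizes[c] for c in char_classes(password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """log2 of the keyspace, the usual way to express brute-force resistance."""
    return length * math.log2(alphabet)


def worst_case_seconds(length: int, alphabet: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the assumed guess rate."""
    return keyspace(length, alphabet) / rate


def check_policy(password: str, min_length: int = 12, min_classes: int = 3) -> list:
    """Reasons a password would be rejected; an empty list means accepted."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(char_classes(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


if __name__ == "__main__":
    full = LOWER + UPPER + DIGITS + SYMBOLS
    for length, alphabet in ((8, LOWER), (8, full), (12, full)):
        print(f"{length} chars over {alphabet}: {keyspace(length, alphabet):.3e} candidates, "
              f"{entropy_bits(length, alphabet):.1f} bits, "
              f"{worst_case_seconds(length, alphabet) / 31_557_600:.2e} years worst case")
    for pw in ("password", "abcdefgh", "Tr0ub4dor&3xyz"):
        print(pw, "->", check_policy(pw) or "accepted")
```

The blocklist check matters more than the class count: the automated tools the post mentions try the popular strings first, so "P@ssw0rd" passes a naive four-class rule and still falls in the first few seconds.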
This ‘feels’ more like a data breach to me, the same thing that happens to major corporations on a continuous basis.
Change your password on at least a quarterly basis. Add upper and lower case letters, and a special character or two. Never reuse the same password for different sites. At this point, that’s all you can really do.
Dave
After more research and reviewing the forum attacks, it appears they all originate from a vulnerability in shared software. The attacker can exploit the server to access sensitive information like login credentials. I'm fairly confident this is the issue, and a software update should address it immediately. Changing your password could help if it's already compromised, but the attacker could just as easily obtain the new one through the same vulnerability.
On another note, there is a strong chance OSINT tools are being used to attempt credential stuffing across other platforms. For example, if you share usernames and passwords elsewhere, make sure to change them.
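The credential-stuffing pattern described above (replaying leaked username/password pairs against many accounts), as an added Python detection example that is not the forum's own logging or tooling. The one-event-per-line log format is assumed for the example and the lines are constructed. It computes two signals: one source address failing against many accounts, and one account collecting failures from many addresses; the second exists because an attacker who rotates through proxies never trips the per-address count.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed one-event-per-line format; not real forum logs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=dave result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:06Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:01:00Z ip=198.51.100.2 user=alice result=fail
2024-05-01T10:01:20Z ip=198.51.100.2 user=alice result=success
2024-05-01T10:02:00Z ip=192.0.2.10 user=victim result=fail
2024-05-01T10:02:05Z ip=192.0.2.11 user=victim result=fail
2024-05-01T10:02:10Z ip=192.0.2.12 user=victim result=fail
2024-05-01T10:02:15Z ip=192.0.2.13 user=victim result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text: str) -> list:
    """Turn raw lines into dicts with a datetime; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return events


def spraying_sources(events, window=timedelta(minutes=5), min_users=5) -> dict:
    """Source IPs whose failed logins hit >= min_users distinct accounts inside one window.

    Returns {ip: most distinct accounts seen in any window}.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_ip[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({u for _, u in attempts[start:end + 1]})
            if distinct >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def targeted_accounts(events, min_ips=3) -> dict:
    """Accounts that collected failed logins from >= min_ips distinct addresses.

    Survives an attacker rotating proxies, which the per-source count misses.
    Returns {user: distinct failing IPs}.
    """
    ips_by_user = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            ips_by_user[e["user"]].add(e["ip"])
    return {u: len(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("sources spraying many accounts:", spraying_sources(evts))
    print("accounts hit from many sources:", targeted_accounts(evts))
```

A success that immediately follows a run of failures from fresh addresses (the "victim" line above) is the event worth alerting on, since that is the moment the account changes hands; thresholds should be tuned to the forum's normal login volume before anything is acted on automatically.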
I'm not a computer guy by any means, so this may be an ignorant question. Doesn't the hacker have a computer or other ID that can be blocked? When I block someone from emailing me, doesn't my computer just block all incoming emails from that ID that I blocked?
bob
To me, that actually seems more probable than that 3 out of a couple hundred active users all got independently hacked.
Not to mention, if they were individually hacked they would likely have issues at other sites they use, like their bank.
No. Your computer blocks the email address, not the ISP.
Hello all,
We understand your concern over this matter and are actively looking into the issue.
Abby Zechman
PCGS Education Coordinator
I am not asking the 3rd party transactions to be policed. I am asking the host to secure OUR DATA. We entrust it to them.
If the security of the site is allowing the hacks then the onus falls on them.
We, as buyers and sellers, have our own responsibility to buy and sell... but they have a certain responsibility to protect our data.
Either they hacked all of our accounts together or it was individual attacks on members with weak passwords. I am guessing the second scenario, but everyone should improve their passwords for starters to make sure.
And for everyone reading, if for some reason you're suddenly unable to log in to your account, alert another forum member immediately. My cell and email are on my website; if you send me a message I will post a warning that your account has likely been hacked. If you brush it off, that will give the hacker time to drum up some shenanigans before you and everyone else realize what has happened.
Founder- Peak Rarities
Just exactly how does one change a password? I went to my account page and find nowhere to do that.
thanks,
bob
Password can be changed by clicking on the gear icon located upper right, then Edit Profile.
This is how it is done on a desktop, but a phone might be different. Click on the gear symbol in the upper right corner of the page. A dropdown menu will appear and you can hit "Edit Profile". It will take you to "Account & Privacy Settings" and then click on the pencil icon next to your password. At that point a popup will come up to change the password.
In honor of the memory of Cpl. Michael E. Thompson
This is not necessarily a true statement. If it is an information disclosure flaw exploit, the data leaked from memory may only be the credentials that apply to one member or more than one.
It is likely the perpetrator has multiple means to hide his origin IP and/or other information, making it nearly impossible to single them out.