Options
Recent Hackings on the Forum
pcgs_education
Posts: 38 mod
Hello everyone,
I would like to take a moment to address the recent account hacks that many of our forum users have been experiencing. I want you all to know that we take this situation very seriously and have been working with the forum support team to figure out what is going on since the first hacked account was reported.
In the meantime, please be mindful of any suspicious emails you receive.
- PCGS will NEVER contact you asking you to change your password or update your email unless YOU initiated a password reset.
- Never click on a link you receive in a suspicious email. Always go directly to the website the link came from to verify authenticity.
- Make sure you are using strong, unique passwords to protect your account. Using the same password to log into multiple accounts can put them all at risk. We also suggest changing your password periodically to help mitigate the risk of compromised passwords.
- We are also aware that people have been scammed by these hackers. Please refer to our post about best practices when buying and selling on the forum. The most relevant line to remember right now is: "If something sounds too good to be true, it usually is." Additionally, remember that Collectors Universe assumes no liability in the event of either party failing to fulfill their commitment to the other party. If you've been scammed out of money, we can't do anything but ban the bad actor.
Abby Zechman
PCGS Education Coordinator
22
Comments
Just fyi, the hacker is currently active on this account as he/she has edited at least one of my posts and also changed my password after I changed it.
Hmmm. At some point it might be a possibility that your pc has been hacked.
If you used your pc to change your password and they still changed it again, try changing it from your phone.
Then how did you get in?
You need to change the password for your email.
That would be about the only way a "hacker" can be changing your passwords for your accounts, if they get your emails.
The substantial truth doctrine is an important defense in defamation law that allows individuals to avoid liability if the gist of their statement was true.
^This is my thought as well although I do believe I was conversing with the real Tim via PM less than an hour ago. Now I am not certain who is posting in the threads (Tim, the Hack, or both). THKS!
Yes, you were. It let me in under my old password. Then I changed the password while I was still logged in. I'm guessing the hacker was able to access the new password. When I go to change the password now, the new one I set up will not work. I don't think I'll be able to have access after I logged out. I just talked to another board member on the phone that will post in a little bit.
Lol... the hacker is/was apparently on at the same time I was since he was editing my post! I'm posting from my work PC now and have to log out so guessing I won't be able to get back in for a while! Peace for now!
Tim
Is this true? Then why can I login on my laptop, tablet, and phone at the same time?
Or, if the hacker never logs out, maybe he can keep changing passwords? 🤔
this is pointing to the forum "stuff" having exploits instead of password cracking
I'd think they'd be cooperating with law enforcement as crimes have been committed such as identity theft:
Stealing someone's identity on a website to steal money is a multifaceted crime involving both identity theft and fraud, often prosecuted under federal laws. Specifically, it can be classified as identity theft under 18 U.S.C. § 1028, and depending on the specific actions, could also involve credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), or wire fraud (18 U.S.C. § 1343)
Has anyone filed a police report?
That's only true if there is email authentication required
Hello everyone,
In the interest of keeping private information safe and limiting the ability of any bad actors to take advantage of other forum members, the reported accounts have been temporarily banned while we work with the forum provider (Vanilla) to find a solution.
If your account has been banned during this time, or you believe your account was hacked and you are unable to access it, please email izavala@collectors.com with the following information:
User Name
Email associated with the account
Last login date
Do you recall receiving any emails requesting that you login, provide your account info or alerting you of issues with your account?
Do you recall logging into any pages that looked different from our standard login screen?
Any other suspicious alerts or notifications prior to this occurance?
Thank you! We are doing everything that we can to help Vanilla troubleshoot these issues to ensure no one else is impacted and restore access to these accounts.
And please, just in case, take a moment to reset your passwords, it never hurts to be cautious.
Heather Boyd
PCGS Senior Director of Marketing
peacockcoins
Sadly, Id fraud happens so often there are not enough investigators to follow up and bring charges.... They just cannot get to them all... They will get to some for sure, but to many to get them all. I think reporting it is still the right thing to do however..
fbi
My grandma always used to say good begets good and bad begets bad. Hopefully the hackers get nothing but the bad.
God comes first in everything I do. I’m dedicated to serving Him with my whole life. Coin collecting is just a hobby—but even in that, I seek to honor Him. ✝️
Thank you, Heather!
Mark Feld* of Heritage Auctions*Unless otherwise noted, my posts here represent my personal opinions.
They finally fixed what was needed to get me back onboard. I hope the others are restored quickly too.
Come to think of it, if I'm on a different computer or even a different browser on this computer I can still login to my PCGS message board account with each one so I can be logged in at 4 or 5 different locations.
Don't know if this will help anyone, one thing I have avoided, storing user/saving names and passwords to my laptop, phone whenever registering. Whenever I am asked to save such info, I have declined every time. All my personal info, user names and passwords are in a small notebook. Don't know if this is a good practice but if my laptop ever gets hacked, I like to think and hope they won't find anything they can use. One time, registering for some company or website, they asked for my first 3 digits of my SS. I replied that the last 4 digits are already out there so I can't do that. They did find another way of registering me. Leo
The more qualities observed in a coin, the more desirable that coin becomes!
My Jefferson Nickel Collection
Watch they don't change the shipping address to send your coins that maybe coming back to you, other than that it is kind of funny. I mean who hacks a PCGS message board forum.
it would be nice if PCGS would add two factor authentication via authenticator app
Coin Photographer and Videographer
https://www.youtube.com/@FriendlyEagle7
it needs more than that. it needs a SM1 again
i think there is a forum system exploit. perhaps a pause switch would be useful with a down for maintenance sign
This is correct. I don't believe staying logged in is any kind of safeguard by itself.
Collecting 1970s Topps baseball wax, rack and cello packs, as well as PCGS graded Half Cents, Large Cents, Two Cent pieces and Three Cent Silver pieces.
I don't even think it needs to be all that difficult.
Currently, you can change ANYTHING about the account without any type of confirmation to the linked email account. If that was simply a feature that wasn't able to be unchecked, then anytime a hacker would try to change a password or notification setting, the user would get an email that would have to confirm. I think that would solve 98% of the issues we have been having without making the sign in process too difficult.
Founder- Peak Rarities
Website
Instagram
Facebook
Best practice would be to have different, random passwords for the two accounts (pgcs.com and forums.collectors.com)
ANA 50 year/Life Member (now "Emeritus")
I don't have a PCGS account per se unless the account to access the set registry is considered a PCGS account for the purpose of submitting, etc.
I don't think that's an option for the Vanilla forums platform. They do offer 2FA for the PCGS registry/membership account, but that's different software.
Keeper of the VAM Catalog • Professional Coin Imaging • Prime Number Set • World Coins in Early America • British Trade Dollars • Variety Attribution
I guess I'll be the pessimist/doomsayer (although I hate what I'm about to say, it's realistic).
There is one solution that is 100% effective, solves lots of other pesky issues, and saves CU money...
chopmarkedtradedollars.com
if there is an exploit then no confirmation would be needed. step 1 change the email address. even with 2fa, change that. submit change password request
@PCGS_Moderator @HeatherBoyd
Hackers may be brute forcing passwords using public password lists (think yahoo breach)
Brute forcing involves trying hundred to thousands of passwords
Solution(s) -
1. Have cloudfare put a pause between login attempts with a check box (verify you are human)
2. Have the forum software automatically lock out accounts after 3 unsuccessful logins, requiring an email link to reset
This sounds like a keylogger - Something that can see the keys that you are pressing on your computer. JBK has a point but if the password is changed you wont be able to get into the forum on your phone. Treat your computer as though its compromised.
spellinh
It's all about what the people want...
Another Solution - 2 factor authentication
It's all about what the people want...
Sorta like you can't have a driveby shooting if you don't/can't have a vehicle.
If you try to login in with an unfamiliar IP address then maybe a security question or 2 would be appropriate.
Added security question would be very helpful.
God comes first in everything I do. I’m dedicated to serving Him with my whole life. Coin collecting is just a hobby—but even in that, I seek to honor Him. ✝️
Just don’t use coins as your answer
Even if that was my grandmaw's maiden name?
All very true.
My point about (preemptively) changing the password via phone was that a keystroke logger on the pc would not work on the cellphone so a hacker on the pc would be shut out on the new password if it was changed on his phone.
But it's all just speculation as to where the real issue is rooted.
Not available in the Vanilla forum software.
Keeper of the VAM Catalog • Professional Coin Imaging • Prime Number Set • World Coins in Early America • British Trade Dollars • Variety Attribution
If you got compromised because of a keystroke logger you should expect them to try to access more of your accounts I would think. I had someone try to blackmail into sending money or they would send embarassing video to everyone in my address book. Claimed they got me through a keystroke logger. I knew that was BS since I don't have a webcam or a FaceBook account.
vanilla doesn't have a lot of things but we find it needs them now
They also tried the same crap with my NGC and CoinTalk accounts. I was able to beat them to the punch and change my passwords there. I posted on CT that a for sale ad by another user was a scam and got a PM theatening to shoot my family. NGC took care of his business there.
I just wanted to reply to this concern. Forum logins are not connected to your PCGS login. I advise using a different password for any accounts that have access to payment or address information.
Heather Boyd
PCGS Senior Director of Marketing
I would advise shortening the cookie expiration. I recall logging in when registering and have been logged in ever since. If an attacker could retrieve my cookies from my local computer, no password changing would be needed for them to gain access.
Thank you to heather and Isabela for getting me fixed up and back in. I really hope this doesn't happen again and the hacker/s get expsed!
Tim
how do you think it happened to you?
peacockcoins