Site compromised
Hi. I got word an hour or two ago that the site was sending out phishing emails to OGA user accounts. If you have recently received a sketchy, poorly-spelled email that starts with "Your Acount is disabled for the purposes of security", you can safely assume that your account was not, in fact, disabled for the purposes of security, and under no circumstances should you provide anyone with any of your passwords, particularly information pertaining to your "Peypal" account, as the email calls it.
I have currently disabled the mail server on OGA until I can assess the extent of the hack. Since they managed to get a complete list of account emails, it's safe to assume that they also grabbed (hashed) passwords, so you should consider your OGA password compromised and change it wherever you're using it, particularly if you're using it with the email address that you used to sign up to OGA. Until I've determined the source of the intrusion, it's probably best to hold off on changing your OGA password.
I'll post another blog entry as soon as I know more.
Update: As of 12 hours later, the malware scan I'm running on the server is about half done. I'll post an update when it's finished.
- bart's blog
Comments
The mail has been non-functional for quite a while by the way (Weeks/Months+). New users never get their verification emails, and as such can't complete registration.
Ever since the server move.
Email is still being sent just fine. We were on a couple of spam blacklists, and I contested it and had us taken off.
Thank you Bart for quickly posting this blog entry; I just received the email, and I came to the website to try to get more info.
Glad to see you already know about it. I found the mail in my spambox but the plethora of spelling and grammar errors was a dead give-away. Hope you can get this resolved soon.
I got the email as well, in the spam. Thank you for posting this so that we can know that it is fake :)
This is the email I got:
Be careful with this message. Our systems couldn't verify that this message was really sent by gmail.com. You might want to avoid clicking links or replying with personal information. Learn more >
Message-Id: <privateidnumber@opengameart.org>
Date: Tue, 17 Nov 2015 12:40:26 -0800 (PST)
Your Acount is disabled for the purposes of security
Dear Customer., While the audit team is reviewing your Acount,
they discovery strange activity or deceptive or fraudulent and based upon,
The team disable access to your Acount until your review for this strange activity and respond to it
What is the problem in detail?
1. You have more than one Peypal with a negative balance; or
2. You provided information that we believe was false, inaccurate, or misleading; or
3. You sent or received money that was potentially related to fraudulent activity; or
4. You are in violation of the User Agreement, the Commercial Entity
Agreement, the Acceptable Use Policy, or another agreement you have with us.
What is the solution?
To resolve this issue, you must log on to the site of the page devoted to verify
which is attached at the bottom of linked
and write your lnformation in a full
Log-In
Thank you for give us your time
Apologize for any annoying
Kind regards
17/11/2015 03:40:26
Might want to check up on this suspicious comment, too:
http://opengameart.org/comment/39938#comment-39938
I brought it up on IRC back in August when it was fresh, but it must've slipped the admins' notice.
That was actually me. I was verifying to someone I was talking to on the internet that I was who I said I was. :)
Anyway, I deleted it, since it's served its purpose.
How was the site's database compromised, anyway? Silly server setup from the sounds of it.
Has the server finished the scan?
Any updates?
As a random data point, in case it helps at all, I did not receive one of these emails, although it's possible Google intercepted it on my behalf.
I haven't received any of these emails either and I have checked the junk mail too.
I got one as well, and to be honest it scared the tar out of me, even though I knew I didn't do anything wrong. So it is a scam?
Rather disappointed I didn't get an email. I have my own mail server; no intercepts. Do the scammers not feel I'm worthy of targeting? Feeling hurt.
Seriously though, thank you for handling this so professionally, bart.
I didn't see my message at first, but later found it in my spam folder.
This is a shame.
Please do double back over your security and practices and strengthen them moving forwards.
[2015-07-11 15:11:53] <redswar> hello, i have a problem with registration, i can't have the confirmation mail, what can i do (i will upload my first blender props for evaluation :))
[...]
[2015-07-14 08:42:04] <tony1420> Hello, trying to register on the website but i get an error message about not able to send confirmation to my email
[...]
[2015-09-24 01:01:40] <abadidea> are there any site admins here? I tried to register an opengameart account and the email thing is broken.
[2015-09-24 02:22:39] <abetusk> "Unable to send e-mail. Contact the site administrator if the problem persists." <---- after trying to contact the site administrator of the problem :(
[...]
[2015-10-15 18:06:18] <AlexanPT> Anyone here? I registed on opengameart but didn't receive any verification email, tried to register again says username and email already in use so I try to login but it doesn't work
[2015-10-15 18:06:36] <Jattenalle> AlexanPT, checked your spam folders?
[2015-10-15 18:06:46] <AlexanPT> I have nothing on my spam folder :/
[2015-10-15 18:06:55] <Jattenalle> how long ago did you register?
[2015-10-15 18:07:02] <AlexanPT> Some days ago
[...]
[2015-10-18 18:03:45] <AlexanPT> Still haven't received an activation email. :(
[...]
[2015-11-17 17:34:49] <tipsy> looks like the mailserver is down
[2015-11-17 17:35:04] <tipsy> :^)
[2015-11-17 17:37:45] <Jattenalle> wait, it's still not fixed?
Like I said, it's been an issue for quite a while.
@bart:
Any update in this?
whoah, just got a ton of mails, going to guess the mail daemon is alive again?
:)
I luckily never got this, I guess bart decided to put up extra security measures on my account because he secretly watches me and I'm his favorite. yushhh.
I just received a second such email, so there seems to be another round. (I already got one in the first round.) The text seems to be identical, but I have long since deleted the first email, so I cannot be sure. So, is the site compromised again, or do the spammers still use addresses they harvested back then?
@Arianna: Best. Comment. Ever.