James 63 Posted June 4, 2017

Please post all questions related to the GE Tracker security disclosure below. We're happy to answer everyone's questions, no matter how big or small.
arnator 1 Posted June 4, 2017

Hi,

Why wait 24-48 hours before going public?
James 63 Posted June 4, 2017

Hi arnator,

It is to give you all enough time to update your account security not only on GE Tracker, but all websites and services you are a member of.
therminsales 5 Posted June 4, 2017 (edited)

I appreciate the frankness and openness of the message you sent out, and you did an excellent job of explaining what exactly happened. What information was made available was stated, and it seems you've responded appropriately. Top notch job overall. I've already enabled 2fa, as well as changed my email passwords.

Edited June 4, 2017 by therminsales
arnator 1 Posted June 4, 2017

I appreciate the detailed email, it's a shitty situation but you guys seem to handle it well.
jmoore 0 Posted June 4, 2017

Hey, the email doesn't really explain to what level GE Tracker was breached. Do you believe that GE Tracker account credentials were compromised and if so, what type of password storage does GE Tracker use? Also, will you folks be rotating everyone's credentials?
zips 18 Posted June 4, 2017

28 minutes ago, jmoore said:
> Hey, the email doesn't really explain to what level GE Tracker was breached. Do you believe that GE Tracker account credentials were compromised and if so, what type of password storage does GE Tracker use? Also, will you folks be rotating everyone's credentials?

@jmoore The email does go into depth about what was affected in the breach but I can summarize:

- If you logged in, or registered, between the 25th and 29th of May there is a chance that your login credentials were intercepted.
- There is a small chance that your GE-Tracker profile was scanned. In this case your account email was harvested.
- There was no leak of the user database at any point, and the attacker was booted from the system by clearing all sessions and locking the compromised accounts.

The passwords in the database are encrypted with industry-standard encryption and salted.

I can't speak for a site-wide password rotation as that would be James.

Let me know if I can answer any more questions for you. If you'd like to get technical, DMing me on Discord would be best.

(I deleted my previous response of this to make sure you were tagged)
doggie 0 Posted June 7, 2017

Thank you for all being so open about this. Any chance that OSBuddy credentials would have been swiped too if you use the import feature for profit tracking?
James 63 Posted June 9, 2017

On 2017-6-8 at 0:39 AM, doggie said:
> Thank you for all being so open about this. Any chance that OSBuddy credentials would have been swiped too if you use the import feature for profit tracking?

They are encrypted in the database and the hacker didn't specifically target them, so they are safe.