
Thread: Security breach at scan! Consider at least changing passwords

  1. #1
    Registered+

    A few weeks ago I started receiving spam emails to my scan-only email address. I know there has been a thread regarding the release of scan customer details to Revoo: Scan - What are you doing with my personal details?, but this new issue is much more significant.

    Today I received a spam email to the same email address, containing my scan password IN PLAIN TEXT in the To: field. I can be quite certain that this is a security breach as I have two scan accounts and both were breached in exactly the same manner.

    The received email was addressed in the form:
    from: junk_email_address
    to: Password <scan_email_address>
    subject: Looking for Manager


    I reported the original breach to scan customer services and was assured that no password or credit-card details could have been obtained. Clearly at least the first part of that response is not true. I have updated scan on this matter, but thought it prudent to inform as many customers as possible to at least change their scan passwords.


    I've provided an update with a bunch more information in post #63: Security breach at scan! Consider at least changing passwords
    Last edited by naturbo2000; 21-11-2012 at 10:19 PM. Reason: added more information


  3. #2
    Senior Member
    SUMMONER

    Surely Scan would not store passwords in plain text!?

  4. #3
    Registered+

    That's what I thought, but for 2 separate accounts, with two separate email addresses and passwords, I have two spam emails with the account password included...

  5. #4
    Senior Member Disturbedguy's Avatar

    Has anyone else received these e-mails?
    I have checked my mail and haven't received anything

  6. #5
    Senior Member watercooled's Avatar

    Nope, just checked myself, but I did clear my spam folder about a week back so can't be sure.

  7. #6
    Registered+

    Quote Originally Posted by Disturbedguy View Post
    Has anyone else received these e-mails?
    I have checked my mail and haven't received anything
    My emails forward to gmail which did spot them as spam (i.e. you would have to check your spam folder). I can't tell you any details of the original emails - I've deleted them - but the most recent emails were sent at 6:27 and 6:44 this morning.

  8. #7
    Admin Team peterb's Avatar

    I haven't received anything (apart from revoo)

    I am assuming that they were complex passwords, and could not have been obtained from a hacked e-mail account, or obtained through a dictionary style attack.

    Few database/CMS systems store passwords in plain text, although the level of protection (from encoding to encryption) may vary. However, e-commerce systems usually have strong encryption. That isn't to say it can't happen (Twitter, for example), just that there may be other explanations. The theft of one account detail is also unlikely - an attack against a password database would result in the leakage of lots of account details.

  9. #8
    Retail Sales Manager Chris P's Avatar

    We are currently looking into this and will come straight back to you all with a full response.

    Best Regards


  11. #9
    Senior Member Disturbedguy's Avatar

    Quote Originally Posted by naturbo2000 View Post
    My emails forward to gmail which did spot them as spam (i.e. you would have to check your spam folder). I can't tell you any details of the original emails - I've deleted them - but the most recent emails were sent at 6:27 and 6:44 this morning.
    I checked my spam and my inbox

  12. #10
    Registered+

    Quote Originally Posted by peterb View Post
    I am assuming that they were complex passwords, and could not have been obtained from a hacked e-mail account, or obtained through a dictionary style attack.
    For that I do have to apologise:
    One password can be dictionary attacked (I know... Strictly my brother's account... He shouldn't be allowed to use the internet).
    The other cannot be dictionary attacked (sufficiently complex combination, not a word or derived from a word), but could be brute-forced due to password length.
    I do not believe that the details have been scraped from my email accounts, as I find no such record of the passwords. I will also rule out keylogger or similar attack as I didn't even remember that I had the less secure account!
    I would expect that Scan would be able to confirm if dictionary or brute force attacks were made on their systems. If I were the subject of a couple of brute force attacks then I stand corrected and will apologise to Scan right now.

    However - given that Scan effectively use multiple passwords (Mother's maiden name plus an additional password), it looks most like something has gotten into their system and scraped the details wrongly. From the way the emails are addressed, it would appear that a scraper assumed the Mother's maiden name to be the password and the additional password to be the customer name!

    I'm very surprised to see that I've received an email each to two separate accounts, yet no-one else has the same issue (yet). It is entirely possible that my accounts have been singled out, but I find it hard to believe.

  13. #11
    Member
    Dutchjonsey

    I've not got any, either inbox or spam. Weird if they have gone for just you.

  14. #12
    Registered+
    Moonglum

    I think I have had the same - I use my work email address, so the email has been blocked by the spam filters (so I cannot check all the details in the email). But it's the same Subject field as yours, and the email is listed as originating from uol.co.br - came through around 11am today.


  16. #13
    HEXUS.social member

    Quote Originally Posted by SUMMONER View Post
    Surely Scan would not store passwords in plain text!?
    They have done in the past - I don't know if they still do. You can find references to people comparing passwords over the phone to the ones they have on record on Scan's side. You can't do that with a hash, as you need the complete password to hash it.
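
Added example, not part of any post in this thread and not Scan's code: the difference between a reversible "encoded" password record and a salted one-way hash, which is the distinction the posts above turn on. The sample password, the function names and the PBKDF2 work factor are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def encode_record(password):
    """Reversible 'encoding': anyone who reads the row gets the password back."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_record(record):
    """What support staff, or whoever copies the table, can do with that row."""
    return base64.b64decode(record).decode("utf-8")


def hash_record(password):
    """One-way storage: random per-account salt plus a slow salted digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify(record, candidate):
    """Recompute from the complete candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def demo():
    password = "maiden-Name#1972"  # constructed sample, not from the thread
    encoded = encode_record(password)
    first, second = hash_record(password), hash_record(password)
    return {
        # The encoded row can be read back in full, so it can also be leaked in full.
        "encoded_reveals_password": decode_record(encoded) == password,
        # The hashed row only answers yes/no for a complete candidate.
        "full_password_verifies": verify(first, password),
        "partial_password_verifies": verify(first, password[:8]),
        # Per-account salts stop identical passwords producing identical rows.
        "same_password_same_digest": first["digest"] == second["digest"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
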

  17. #14
    Registered+

    Some news. I've just had a phone call from a Scan company director to discuss the issue.

    I don't want to go into too much detail as they are still urgently fact-finding and will post a full response shortly. I don't want to make any false claims but thought it might be useful to give people a heads-up.

    It seems the breach was actually back in 2007 and Scan did follow due-diligence to the extent of informing the police of the issue (It would have been nice if they had let customers know as well, but I'll let that slide).
    Anyone with an account after 2007 is apparently unaffected (hence why only myself and Moonglum have the emails just now).
    Accounts before 2007 may have been compromised (though I'm assured that the nature of the breach means credit card details could not have been compromised, even if they were, I don't have them anymore...).

    I'm pleased with the seriousness that Scan are applying to this issue - I believe they are only just now aware that passwords could have been compromised from old accounts. Current encryption policies mean that all data is secure should a breach ever occur in future.

    I suggest that once this is cleared up, Scan get in contact with the affected customers to let them know the situation.

    (Oh and obviously, I should have changed those passwords somewhere in the last 5 years).


  19. #15
    Senior Member Disturbedguy's Avatar

    Quote Originally Posted by naturbo2000 View Post
    Some news. I've just had a phone call from a Scan company director to discuss the issue.

    I don't want to go into too much detail as they are still urgently fact-finding and will post a full response shortly. I don't want to make any false claims but thought it might be useful to give people a heads-up.

    It seems the breach was actually back in 2007 and Scan did follow due-diligence to the extent of informing the police of the issue (It would have been nice if they had let customers know as well, but I'll let that slide).
    Anyone with an account after 2007 is apparently unaffected (hence why only myself and Moonglum have the emails just now).
    Accounts before 2007 may have been compromised (though I'm assured that the nature of the breach means credit card details could not have been compromised, even if they were, I don't have them anymore...).

    I'm pleased with the seriousness that Scan are applying to this issue - I believe they are only just now aware that passwords could have been compromised from old accounts. Current encryption policies mean that all data is secure should a breach ever occur in future.

    I suggest that once this is cleared up, Scan get in contact with the affected customers to let them know the situation.

    (Oh and obviously, I should have changed those passwords somewhere in the last 5 years).
    Naturbo,

    Thanks for the heads up, my account is pre 2007 so I am now going to wait and see if I hear anything from SCAN. Good to hear you have been contacted.

  20. #16
    Loves Wifey dangel's Avatar

    Interesting timing given the recent breach of data protection there too. Let's hope the two aren't connected - watching my inbox too.

