Creative Labs forum data breach

[AGTDenton]

Recently I've been receiving Emails telling me of several unsuccessful login attempts and my account is locked for x hours.
This has been for the likes of Origin & Epic Games so far. I wont know about the sites that don't take intrusion seriously.
Actually in the case of EA they managed to get in, but I was quick enough to save it whilst it was happening.

The data breach has likely come from Creative Labs's forum which they have now shutdown and permanently closed by the looks of it.
I have been signed up to it for years potentially well over a decade, just one of those sites you forget about.

I'm signed up to a web service called 'Have I been Pwned' which informed me that my Email has been compromised. It now makes some sense as to why I've been receiving odd intrusion attempt emails.
https://haveibeenpwned.com/PwnedWebsites#Creative

There will probably be official news about it tomorrow. But if anyone believes they might have been signed up to Creative Labs forums at one point or another it will be worth changing important logins that may use the same password. If you believe you are also signed up to any other vBulletin based forums they may also be out of date and breached at any time.
This is the 1st time that I've noticed anything so soon after the event.

[AGTDenton]

Hopefully the Hexus forums are up to date (which I believe you are because this was known about last year). It seems Creative Labs got a little sloppy.

https://haveibeenpwned.com/PwnedWebs...gencyVBulletin < is likely to be the same or related hack...

[badass]

Personally I would inform the ICO first. https://ico.org.uk/ Now with GDPR there is a mandatory 72 hour breach notification and if it turns out they have been sloppy then they might be looking at a decent size fine. It will take a good number of prosecutions before the last incompetent dregs of the corporate world take security seriously.

[AGTDenton]

Personally I would inform the ICO first. https://ico.org.uk/ Now with GDPR there is a mandatory 72 hour breach notification and if it turns out they have been sloppy then they might be looking at a decent size fine. It will take a good number of prosecutions before the last incompetent dregs of the corporate world take security seriously.

Annoyingly I can't see any news about it yet. According to HIBP, the breach happened 1st May prior to GDPR, but cannot find out when they actually knew about it.

It appears to have gone completely unnoticed, possibly because its just another unpatched vBulletin forum

[Dashers]

Data breaches are still notifiable under previous DPA - although I'm unclear about how that relates to American businesses. Creative has a UK presence, but I can't imagine their forums are part of that subsidiary.

I very reluctantly sign up to forums, I tend to find if I'm trying to solve a problem, somebody has already asked it and just follow other threads. And if I have a view on it, I work out if it's really worth signing up to spew my thoughts to random people on the Internet who probably won't read it.

But when I do sign up, I use a unique email address. That way when stuff like this happens, and it does frequently happen, I can simply delete that alias and have all mail bounced - or if I'm feeling vindictive, redirect all mail to the CEO of the company who had the breach.