Collective2 Hacked?

> we are sending emails to our entire customer database

Matt, are you sending these mails out gradually? I have not received anything. I just happened to learn about this forum post from another discussion group.

If you’re not sending mails out “gradually” then maybe you need to send them out again. I’ve not had any trouble getting other mails from C2.

We also need to know, were the passwords and credit card numbers encrypted, or not?

I also did not receive any email. I don’t usually read or post to this forum so it’s only by chance that I found out that C2 has been hacked. Could somebody please PM me the email that Matthew sent out? Thanks.

Warren,

As Matt stated, if it was entered on the site prior to yesterday, have a new credit card number issued, and the current one deactivated. I would not recommend “canceling” your card, since you might need to re-apply for a new card. Simply tell your credit card’s Security/Fraud department that the existing CC number & CCV may have been compromised.

Presume a worst case scenario. Just because data may be encrypted and hashed does not make it secure.

Matt has not explicitly stated whether Taxpayer information was compromised, but if the username/password DB was compromised, anything entered on the Taxpayer information page (e.g. SS# or EIN#) was open to a hacker.

This is every business’ nightmare. I suspect that every week a financial institution somewhere has its security compromised, but it is well known that most financial institutions choose to not make public security breaches. Skimming devices are found constantly throughout the world in ATMs, gas pumps, restaurants, etc. and, as such, security breaches may always be with us.

I check the transactions on my credit card online almost every day and fortunately there haven’t been any fraudulent transactions lately.

I am pleased to see that C2 has hired an outside firm to review their security, but I am left wondering if this is the first time they have hired outside help. I would like to think that C2 and similar firms hire outside firms to test the site security on a regular basis.

This is a disturbing event but my business is staying with C2.

Fred

Frankly, this was a major reason I never accepted a single customer on a system. I thought about it, but I don’t want small operations holding my SSN or other financial information themselves. I was expecting something like this to happen someday.

A small website should be using a third party to handle information. I never understood why they were taking and storing people’s credit card numbers here.

It is time to outsource C2’s payment processing to a proper financial company and not try to do this yourself, to save a few bucks.

Paypal and MoneyBookers would be a good, relatively simple start.

Anyone who has been here long enough knows the real reason why you "never accepted a single customer on a system." And it is not because you were so worried about a hacker attack… please.

Fred,

I would agree with you. Big guys are hacked as well as small guys. Sh@t happens. However, disclosure of the event is very valuable information for us as customers, and Matthew disclosed it immediately after his discovery. Some companies never disclose this kind of info. After C2’s disclosure about possible data compromise you can easily protect yourself with a known routine: inform your bank (replace the CC), put a fraud alert, change all passwords. You will be on the safe side 99% after these steps. So I would admit that Matthew took a necessary and fair step for C2’s users by informing us about the hack.

Eu

I’ve now received my Email from C2. However it still doesn’t say whether or not the account passwords and credit card numbers were encrypted.

It’s unfortunate that these situations happen - and I understand all too well that they do - I really appreciate your quick response and action on this, Matthew!

Matthew,

Thanks for the earlier email and for making the hard decision in informing everyone.

Having logged into my a/c and trying to change my password, the system refuses to let me update my account with the new password. This I’m informed is due to my personal address details not being present.

In light of the recent events/hack do you honestly think I’m going to enter MORE personal details into the system so I can just change my password?

I’m afraid this is a case of once bitten, twice shy. Please update the system to allow a/c password changes without the need to have all our personal address details present - this really sucks.

Thanks and good luck.

Neil - I responded to your email about this. The link I recommend you use is:

www.collective2.com/changepassword

which does not require you to update anything other than your password.

Let me know if that doesn’t work for you as expected.

I would also appreciate it if Collective2 outsourced its payment process.

Paypal could be one vendor…

I guess we are all about to receive an e-mail from infosecurity@albawaba.com in which the author provides all the information that was provided to C2. I just received the e-mail with my user name, old password, address, credit card number, etc. It appears that the hacker may have tried a shakedown on C2.

This will make a lot of the C2 users nervous no doubt.

What kind of email did you receive? Could you post it without the sensitive data?

I think it is better for me to not post the e-mail but, as noted above, the author/hacker provided me with my username, password, home address, credit card number and expiry date. I checked out the albawaba.com web site and discovered that it is based in the Middle East.

I decided to report to my credit card supplier that my card information was compromised and they immediately cancelled the card. There were no fraudulent charges on the card before it was cancelled.

So you mean the alleged hacker emailed you with your data to prove his negotiation power so that we would urge Matthew to pay a possible bribe?

In the meantime I cancelled all my cards too…

Am I the only one to have received an e-mail from the hacker?

Some hackers break into sites for prestige amongst their peers and others do it as a part of an illegitimate business (i.e. extortion). Only the hacker and Matthew can inform you of the hacker’s motives.

Dear Matthew,

I just cancelled the credit card (no fraudulent bookings yet, luckily).

However, this means the credit card information currently with C2 is no longer a valid credit card.

When is it possible to update the credit card (and are you 100% sure there are no backdoors anymore for the hackers)?

(I do not have an arbitrary number of credit cards… - so I do not want to cancel another one.)



Cheers

Klaus

Disclaimer: Never trust a hacker’s good intention.

The attacker/hacker/informer sent an email from "infosecurity@albawaba.com" providing my C2 personal information:

> "Dear [First Name],
>
> your personal data (along with data of all other users) had leaked from C2 due to poor site software design and insecure storage in MySQL.
>
> you were registered with C2 as [First and Last Name], email [my email address] with password [my c2 password]
>
> you possess mastercard #[16 digit CC number] valid till [CC exp date]
>
> you supplied address [full mailing address]"

The message then continues with another paragraph of some details, motive, and berating of C2.

So, take this message & motive(s) with a bit of skepticism. I would treat the “motive” as a lie, except for the fact that they exploited C2’s security hole to get personal information. It sounds informative, until you get to the last two lines of the “motive” paragraph. Never trust someone that just stole your information and diverts your attention to how they obtained it, or how it should be fixed. Presume theft & security breach of your personal info, since the email sent with the personal information was also in plain text over potentially unsecured mail gateways.

Since the hacker now has the information (and every mail gateway in between), I wonder if the hacker will be held to the same security standard(s) if they continue to hold onto this personal data (instead of deleting it). :wink:

–Mike
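Several posts above ask whether the stored passwords and card numbers were "encrypted", and Mike's point is that encryption or hashing alone does not make a leaked table safe. As an added illustration (not Collective2's code; nothing in this thread says how C2 actually stored its data), the block below shows the defender's baseline: passwords stored as salted, slow PBKDF2 hashes that are verified in constant time, why an unsalted fast hash still leaks password reuse straight from the table, and a card-reference helper that keeps only the last four digits so the site never has a full card number to lose. The iteration count, salt size and record format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example parameters (assumptions, not anything from the thread).
ITERATIONS = 600_000   # slow enough that bulk guessing against a leaked table is costly
SALT_BYTES = 16        # per-user random salt, stored alongside the hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table is useless against the dump.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted row
    cannot turn into an unhandled error on the login path.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_hash(password: str) -> str:
    """The weak pattern: a single fast hash, no salt. Shown only to contrast
    with hash_password(); never store credentials this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def records_reveal_reuse(record_a: str, record_b: str) -> bool:
    """True if an attacker holding the dump can tell, without any cracking,
    that two accounts share a password. Unsalted records give this away."""
    return record_a == record_b


def card_reference(pan: str) -> str:
    """Keep only a display reference for a card number. Charging should go
    through a payment processor's token; the full PAN is never stored here."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return "****" + digits[-4:]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(records_reveal_reuse(unsalted_hash("hunter2"), unsalted_hash("hunter2")))  # True
    print(card_reference("4111 1111 1111 1111"))  # ****1111
```

Even with this in place, a copied table still lets an attacker guess weak passwords offline, which is why the thread's advice to change passwords and replace cards after a breach stands regardless of how the data was stored.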

This is the reason why I’ll never give away my credit card data anymore.

C2 can forget me unless it starts using Paypal monthly subscriptions.

They are safe FOR SURE.

Take it or leave it, client’s trust is lost anyway.