l.croft opened this issue on Apr 11, 2017 ยท 83 posts
nujazz posted Tue, 18 April 2017 at 3:50 PM
Raindroptheelf posted at 3:11PM Tue, 18 April 2017 - #4302938
nujazz posted at 7:19PM Tue, 18 April 2017 - #4302934
Raindroptheelf posted at 12:52PM Tue, 18 April 2017 - #4302478
KristiS posted at 9:58PM Thu, 13 April 2017 - #4302220
Hello,
We are very sorry this is happening to you.
We have taken all the steps we can to be sure Renderosity is as secure as an online store can possibly be.
I suggest completely cancelling the card and getting a new one since it seems someone has gotten ahold of your information.
Thank you for being a valued member of Renderosity and wish you a wonderful week,
I am sorry but the steps you have takine to have a secure store are not good enough. It happend 2 x to me and I am lucky that the bank has put the money that was taken , back in to my account. Right now we have filed a disupute because they got hold of my address, phone number and they set up a monthly subscription apparently with my authorization. So we have to deal with that too. This is not acceptable and I would urge anyone who reads this to use paypal to make purchases here. I added my card to my paypal account and still I do not dare shopping here.
I would suggest you deal with your customers security first before page design and adding tons of adverts. Petra
In response to the second time it happened to you...
There was a weekend when Renderosity experienced an isolated security incident. We have sent an email to everyone who was at risk. If you were affected then you should have received an email from us notifying you about the incident and directing you to alert your bank or credit card company.
After learning of the attack we immediately removed the attacker's work, changed all internal passwords (including admin user accounts), and implemented various protective measures. In the interest of maintaining security I cannot disclose all of the details, but we have added very restrictive filtering on all file uploads and user input as well as new monitoring tools and improvements to existing tools. We stopped all new feature development. We spent 3 weeks intensively reviewing and revising our systems at every level. We were able to trace the attack route, and we closed the vulnerability. We also found a couple other vulnerabilities that the attacker never found. We are continuing to use our new and improved tools to monitor our systems for any suspicious activity.
Since plugging the holes we have seen the attacker come back, but all of his attempts have failed.
I want to re-emphasize: If you believe your account information was compromised (or if you received the email from us), please contact your bank or credit card company and have them send you a new card.
Also, if you paying with PayPal then you are actually safe from anything that could ever happen in Renderosity's checkout. PayPal transactions are processed entirely on their site, and then you return here to confirm and download your files. Not even Renderosity can see your payment information if you checkout with PayPal.
I only started using paypal a short while back, after the SECOND time my card and account information was skimmed. You write since you checked and changed everyting to make the store save the Attacker came back and tried and failed * ALL of his attempts *. Now that is not reassuring and I am sure glad the attacker did not find * the other 2 vulnerabilities *. So it is really just luck that not even more harm to us the customers has been caused. You are responsible for the security in your store and you have a responsibility to your paying customes AND if those things happend you should inform ALL customers via email asap regardless if they have shopped on that day or not.
So again, please do not tell me just because I did not shop on that day the * attack * happened or because I did not get an mail that it did not happend here when it happened 2 times.
And it is not just getting a new card, for me , for example it is filing a dispute with visa over an subscription for some xbox stuff that the lowlifes did with my CC and telling them they got my authorization. Also got a call reg. the rollex watch that I ordered... It is a LONG BIG ratstail of things that happens even after you get a new card.
I am curious about the first time your account information was skimmed. Please send me a sitemail with details, so I can look into this for you.
You write since you checked and changed everyting to make the store save the Attacker came back and tried and failed * ALL of his attempts *. Now that is not reassuring and I am sure glad the attacker did not find * the other 2 vulnerabilities *.
How is this not reassuring? Fending off the attacker is a success. It's the exact purpose of security. Keep in mind that unscrupulous people are constantly looking for holes in your favorite sites. Fortunately, they usually do not succeed at getting through. And this time the attacker's failure was a direct result of our improved security. I must say it was a pretty good feeling to see him come back, try his old tricks in vain, and then leave. :)
I think I should also clarify something: We patched the "couple of vulnerabilities" we found immediately (before the attacker returned). There's no luck here, just lots of hard work and long nights. This is a natural part of computer security; all websites and software should be improving constantly.
Even if the attacker had found them, it wouldn't have helped him do anything beyond what he was already capable of. Further still, exploiting them would have required insider information and we would have been aware of the activity. So there really is no "luck" here. And our users were at no extra risk. If anything there is even less risk.
That was my point: We solved more than just the issue at hand. We preemptively protected our users against something that hadn't even been tried. Security is all about outsmarting your opponent.
So again, please do not tell me just because I did not shop on that day the * attack * happened or because I did not get an mail that it did not happend here when it happened 2 times.
I don't know what you want to hear, but the truth is that the attack was started at a specific time and it was defeated at a specific time. Only purchases during that time were at risk of possibly being compromised. Not even all purchases during that time were at risk, because the attack had bugs! To be extra safe we emailed everyone that made a purchase during that time or even near that time.
I know how having personal information can affect more than just the account, and I understand how much of a hassle it can be to fix that (from personal experience with a family member). Once you have replaced your card, please send a sitemail to Krisitis or myself. Include the stolen and closed card number, so we can investigate it. At this point we have fulfilled all of our legal obligations. However, we would like to go above and beyond to make it right for you however we can.
Also, if you did not receive our email please verify the address you have on your account and make sure you check it regularly. Please also check you spam filters and all the other common email issues. https://www.renderosity.com/settings/?saccount