PSA: Forum accounts are being compromised

Author Topic: PSA: Forum accounts are being compromised  (Read 34762 times)

i said i suggest cutting contact with these people, it doesn't take a genius to assume that if I have no clue who you are, and you're in a discord that is habitually responsible for stuffty things, it's in my best interest to not contact you. don't take everything so personally

While I can kinda understand that mindset, it's still not fair to group all the people into the "probably richardhead" category. There's a fair amount of people in there who, despite whatever opinions you may have with them, haven't actually done malicious stuff. And I'm pretty sure that's more than just the two people you mentioned.

"better safe than sorry" is perfectly fair.

That's an extremely flawed way of thinking, but you do you I guess

Not really, it's been proven time after time on this forum.
If you hang out with people who do this you deserve to be considered a liability, too bad.


That's an extremely flawed way of thinking, but you do you I guess
how?

I can't change my password, badspot banned me from editing my account...

That's an extremely flawed way of thinking, but you do you I guess
You should give specific examples of why it is a flawed way of thinking in this situation before saying something condescending and opting out.

Well, I got one of the "spooky" pms and I checked through the HTML. There didn't seem to be anything suspicious, no script tags, no nothing. But I changed my password just in case.

setgaming might be compromised, he put "eh michael" in the same font zapk put "eh zapk" beforehand on this picture

wait actually i'm handicapped that was on an earlier image blake posted and i didn't notice it until set's post

What the hell is this year. So much is going down.



FYI, after some testing it seems like a very simple solution to having your email address compromised is to simply change your settings so you aren't sent an email every time you receive a personal message.

The way this exploit works: When you CC people in a PM, an email is also sent to everyone who was CC'd in it notifying them of the personal message. In that email itself, people are also CC'd, and since it's not a blind CC you can see the emails of everybody who was CC'd in the PM. If someone in the targeted group used mailinator, you can do a password reset request and then access their mailinator inbox.

tl;dr don't use mailinator, and if you want to protect your email address turn off PM email notifications

ultimax god dammit i literally just typed out a nice detailed summary of the exploit :(

but yeah, here's what it looks like, emails blacked out:



In summary, BLF doesn't use BCC like it should in emails. If you CC a bunch of people and then yourself in a PM, you'll get the emails of whoever has email notifications enabled.

IN OTHER WORDS: If you don't want anyone seeing your email address, disable email notifications.
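
Added example, not part of the original posts and not the forum's own code: the CC-versus-individual-delivery difference described above, with a check that reports which other recipients' addresses each person can read in their copy of the notification. The sender address, the sample recipients, the function names and the exact To/Cc layout are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

FORUM_FROM = "noreply@forum.example"  # constructed sender address
# Constructed recipients: PM participants who have email notifications enabled.
SAMPLE = ["alice@example.org", "bob@example.net", "carol@example.com"]

def notify_shared(recipients, subject, body):
    """Leaky pattern: one message, all recipients listed in visible To/Cc headers."""
    msg = EmailMessage()
    msg["From"] = FORUM_FROM
    msg["To"] = recipients[0]
    if recipients[1:]:
        msg["Cc"] = ", ".join(recipients[1:])
    msg["Subject"] = subject
    msg.set_content(body)
    # Every recipient receives the same copy, headers included.
    return {rcpt: msg for rcpt in recipients}

def notify_individually(recipients, subject, body):
    """Hardened pattern: one message per recipient, addressed to that recipient only."""
    deliveries = {}
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = FORUM_FROM
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        deliveries[rcpt] = msg
    return deliveries

def exposed_addresses(deliveries):
    """Map each recipient to the other addresses readable in their copy's headers."""
    leaks = {}
    for rcpt, msg in deliveries.items():
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        seen = {addr.lower() for _, addr in getaddresses(headers)}
        leaks[rcpt] = sorted(seen - {rcpt.lower()})
    return leaks

if __name__ == "__main__":
    text = "You have received a new personal message."
    print("shared:    ", exposed_addresses(notify_shared(SAMPLE, "New PM", text)))
    print("individual:", exposed_addresses(notify_individually(SAMPLE, "New PM", text)))
```

A check like `exposed_addresses` can run as a regression test on whatever code builds notification mail, failing the build if any recipient's copy names another recipient.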