[solved] If you're a customer of Intl-Outdoor there is the possibility that your data is online


nikanon
Joined: 08/25/2012 - 08:50
Posts: 439

In the German flashlight forum TLF, members reported that their data is among the Google search results, obviously some kind of data backup of the intl-outdoor online store, that includes:

- name
- address
- billing amount
- some reported that a password hash is written in cleartext

If you use your password for several accounts all over the internet, you should consider changing it.

Members reported that they contacted I-O already.

Don't write me a PM, I'm not a customer of I-O and can't share a link to the aforementioned backup data.

EDIT:
Members reported that the link to the data is dead for now.
15-FEB-2013: Still available
Problem seems to have been solved since 15 February.

Edited by: sb56637 on 02/18/2013 - 15:20
gords1001
Joined: 05/07/2012 - 14:02
Posts: 5276
Location: wigan england

I just googled a few different ways, couldn’t find myself, wish I could speak German so I knew what to search for…

scaru
Joined: 03/22/2012 - 13:36
Posts: 6946
Location: Virginia

gords1001 wrote:
I just googled a few different ways, couldn't find myself, wish I could speak German so I knew what to search for...
+1, if you don't tell us what to search for we can't see if our stuff has been linked...
NightCrawl
Joined: 01/22/2012 - 08:20
Posts: 3071
Location: Karlsruhe, Germany

Intl Outdoor has removed the site now, but I suggest you change your passwords on other sites if you used the same combination of email and password elsewhere.

Also, I knew what to search for but didn't find myself.

Pöbel
Joined: 02/14/2013 - 08:27
Posts: 236
Location: Germany

- The vulnerability has been fixed. You can no longer directly access the information.

As somebody might still have extracted the database before, it's recommended that you change your passwords if you are using the same password for other websites or services. -

/edit

Seems that the info is still accessible :(

Oldienea
Joined: 08/30/2010 - 23:18
Posts: 613
Location: France

Nothing to find about me. By the means of the internet I don't even exist.

nikanon
Joined: 08/25/2012 - 08:50
Posts: 439

Thank you Nightcrawl and Pöbel !

gords1001
Joined: 05/07/2012 - 14:02
Posts: 5276
Location: wigan england

Thanks for the heads up guys, I'll change my passwords, but there's no billing data on there I don't think, unless PayPal has been hacked. Either way, good luck getting cash out of my account, I can't lol.

Pöbel
Joined: 02/14/2013 - 08:27
Posts: 236
Location: Germany

No, there has been no billing data!

Just name, address, e-mail and possibly the PW hash.

scaru
Joined: 03/22/2012 - 13:36
Posts: 6946
Location: Virginia

Yeah, mine is still out there. :(

Werner
Joined: 10/19/2012 - 15:00
Posts: 3679
Location: Germany

Yep still available…now I have stolen all your identities…muhhaaaw >)

CM2010
Joined: 07/19/2012 - 05:48
Posts: 526
Location: England

How do you change your password? I can't find a link on the site.

scaru
Joined: 03/22/2012 - 13:36
Posts: 6946
Location: Virginia

I'll add that it only shows up in Google search; the hole in their system seems to have been fixed. Can anyone confirm my theory that before you could download a SQL file with everyone's info in it?

Pöbel
Joined: 02/14/2013 - 08:27
Posts: 236
Location: Germany
scaru wrote:

I'll add that it only shows up in Google search; the hole in their system seems to have been fixed. Can anyone confirm my theory that before you could download a SQL file with everyone's info in it?

Yes, that is exactly what happened. You could download the whole file directly from their site. They responded swiftly to the mails and took it down, but still this should not have happened in the first place.
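The failure Pöbel describes, a whole database export reachable by URL under the shop's document root, is something the site operator can check for from the server side. The following is an added example, not code from this thread or from Intl-Outdoor: it walks a document root and flags files that look like database dumps or backups, by file name or by sniffing the first few kilobytes for SQL. The directory layout, file names and contents in `build_demo_webroot()` are constructed for the demo; the thread never names the real file.

```python
import os
import re
import tempfile
from typing import List

# File-name patterns that usually mean a database dump or site backup was left where the
# web server can hand it out. These names are generic; the real leaked file is not known here.
DUMP_NAME_PATTERNS = [
    re.compile(r"\.(sql|sql\.gz|sql\.bz2|sql\.zip|dump)$", re.I),
    re.compile(r"\.(bak|old|orig|save|swp)$", re.I),
    re.compile(r"^(backup|dump|db|database)[-_.].*\.(zip|tar|tar\.gz|tgz|7z|rar)$", re.I),
]

# Content sniff for dumps renamed to something innocent: mysqldump output and hand-written
# SQL start with statements like these at the beginning of a line.
SQL_HEAD = re.compile(
    rb"^\s*(--\s*MySQL dump|CREATE TABLE|INSERT INTO|DROP TABLE IF EXISTS|/\*!40101)",
    re.I | re.M,
)


def looks_like_dump(path: str) -> bool:
    """True if the file name or its first 4 KiB marks it as a dump/backup artefact."""
    if any(p.search(os.path.basename(path)) for p in DUMP_NAME_PATTERNS):
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return SQL_HEAD.search(head) is not None


def scan_webroot(root: str) -> List[str]:
    """Walk the document root and return relative paths of anything that looks like a dump
    or backup. Point it at the directory the web server actually serves."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_like_dump(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_webroot() -> str:
    """Constructed sample document root (not real shop files) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": b"<html><body>Shop</body></html>\n",
        "shop/catalog.php": b"<?php echo 'catalog'; ?>\n",
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "config.php.bak": b"<?php $db_pass = 'changeme'; ?>\n",        # editor/backup leftover
        "backup/shop_2013-02.sql": (                                  # dump with an obvious name
            b"-- MySQL dump 10.13\n"
            b"INSERT INTO `customers` VALUES (1,'Jane Doe','jane@example.net','<md5 hash>');\n"
        ),
        "data.txt": b"CREATE TABLE `orders` (`id` int(11) NOT NULL);\n",  # renamed dump, caught by sniff
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for hit in scan_webroot(demo_root):
        print("exposed artefact:", hit)
```

Finding such a file after the fact is the weaker half of the fix. Backups belong outside the document root in the first place, the web server should refuse to serve `.sql`, `.bak` and archive files from the shop directory as a second line of defence, and once a crawler has indexed the file, the operator also has to ask the search engine to drop its cached copy, as sb56637 suggests further down.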

sb56637
Joined: 01/08/2010 - 09:29
Posts: 6560
Location: The Light

Somebody should submit a Google takedown request to get that data removed from Google’s cache.
http://www.google.com/dmca.html
I imagine the request would be processed faster if the site owner (Intl-Outdoor) were to submit the request. Maybe somebody could suggest this to them.

Budget Light Forum ...where Frugal meets with Flashlight!

dthrckt
Joined: 11/08/2011 - 10:11
Posts: 4040
Location: Upstate NY
leaftye wrote:

sb56637 wrote:
Somebody should submit a Google takedown request to get that data removed from Google’s cache. http://www.google.com/dmca.html I imagine the request would be processed faster if the site owner (Intl-Outdoor) were to submit the request. Maybe somebody could suggest this to them.

Done, but via feedback.

I forwarded a link to SB’s post directly to Hank.

____________________

Girls can shoot!

Werner
Joined: 10/19/2012 - 15:00
Posts: 3679
Location: Germany

Still available (not with Google), and now I know the addresses of you guys, so we can shut down the forum and write old school letters?…

I request a password before every order so I have no issues with that.

JohnnyMac
Joined: 04/12/2011 - 16:03
Posts: 8863
Location: Eastern PA

How are you guys seeing this stuff? I tried searching via Google but come up blank.

JamesB
Joined: 08/24/2011 - 14:43
Posts: 876
Location: France

Ohhh boy…

CheapThrills
Joined: 07/02/2011 - 10:45
Posts: 3567
Location: Suomi

I don't use the same user / password on ANY 2 sites over the net.
And I can assure you, there are a TON of them. I keep a list of passwords.

Woody
Joined: 02/20/2012 - 17:08
Posts: 1637
Location: London

I just changed my IOS password, but have no idea what the old one was. I know that my BLF password is as complex a password as I use (because I have to use capitals, numbers, punctuation etc.), but again, I have no idea what it is, and can't remember how or where to check what passwords Windows 7 stores for me.

NightCrawl
Joined: 01/22/2012 - 08:20
Posts: 3071
Location: Karlsruhe, Germany

Changing the PW at IO doesn't make any sense because your old password was visible..

NightCrawl
Joined: 01/22/2012 - 08:20
Posts: 3071
Location: Karlsruhe, Germany

kreisler wrote:

NightCrawl wrote:

Changing the PW at IO doesn't make any sense because your old password was visible..

this phrase of yours doesn't make sense to me simone

Quote before it's gone. :P

Well, people now go crazy about "I have to change my password at IO so nothing bad happens to other sites".. fact is, the old password was visible and someone probably saved them. That's why I said: change the password on other sites where you used the same email/password combination.

Copy that?

NightCrawl
Joined: 01/22/2012 - 08:20
Posts: 3071
Location: Karlsruhe, Germany

kreisler wrote:

NightCrawl wrote:
Well, people now go crazy about "I have to change my password at IO so nothing bad happens to other sites".. fact is, the old password was visible and someone probably saved them. That's why I said: change the password on other sites where you used the same email/password combination.

this I kinda understand.

NightCrawl wrote:
Changing the PW at IO doesn't make any sense because your old password was visible..

this I still don't understand :D

never mind so far. thanks! :)

Maybe I should have written "Changing the PW only at IO..".

If you still don't understand, I'll explain it to you via PM in German (because obviously your English skills are non-existent *troll the troll*) ;)

MRsDNF
Joined: 12/22/2011 - 21:18
Posts: 13061
Location: A light beam away from the missus in the land of Aus.

NightCrawl wrote:
If you still don't understand, I'll explain it to you via PM in German (because obviously your English skills are non-existent *troll the troll*) ;)

I like it.

 

djozz quotes, "it came with chinese lettering that is chinese to me".

                      "My man mousehole needs one too"

old4570 said "I'm not an expert , so don't suffer from any such technical restrictions".

Old-Lumens. Highly admired and cherished member of Budget Light Forum. 11.5.2011 - 20.12.16. RIP.

 

Werner
Joined: 10/19/2012 - 15:00
Posts: 3679
Location: Germany

Why write a PM, now you can send a postcard to the address from the customer database……

And we should demand some discount for this dumb backup…a free gift for everyone :D

NightCrawl
Joined: 01/22/2012 - 08:20
Posts: 3071
Location: Karlsruhe, Germany

kreisler wrote:

"Changing the PW at IO doesn't make any sense because your old password was not visible."

that sounds logical to me: if the PW was encrypted in the file, then it is secure and doesn't need to be changed! :)

NightCrawl wrote:
Maybe I should have written "Changing the PW only at IO..".

ok, that makes more sense too.

:D

It was encrypted, but I guess if you had one cleartext password (for example your own) and the matching hash key, you could find out how to decrypt the rest. Not too hard..

kreisler
Joined: 11/12/2011 - 23:32
Posts: 3992
Location: Deutcheland

NightCrawl wrote:
and the matching hash key, you could find out how to decrypt the rest. Not too hard..

well I guess it would be possible to extract all hash keys from the file automatically at once, e.g. with a clever text editor or mma, and then feed the list of MD5s to web pages such as hash-cracker.com, but I don't believe that any of us flashaholics is up to the task. besides, since MD5s are irreversible, the password would have to be in the database of 700 million strings already. if your password is really unique, e.g. the string kreisler, then the MD5 could not be decrypted ;)

And now..

..gimme da hash!!

;) hehe

*FMI* i got 4 i/o sh
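The two posts above describe, in forum terms, exactly how an exposed table of unsalted hashes gets attacked: NightCrawl's point that one row whose cleartext you know (your own) tells you which hash scheme was used, and kreisler's point that a lookup against a precomputed table only recovers passwords that are already in that table. The following added example, which is not code from this thread or from Intl-Outdoor, works through both and shows why the same table applies to every row when hashes are unsalted. The customer rows, e-mail addresses and wordlist are constructed for the demo; the wordlist stands in for the "700 million strings" of an online lookup service.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample rows in the shape of an exposed customers table: (e-mail, unsalted MD5).
# Not rows from the real dump; built here so the example runs offline.
LEAKED_ROWS: List[Tuple[str, str]] = [
    ("alice@example.net", md5_hex("password1")),
    ("bob@example.net", md5_hex("flashlight")),
    ("carol@example.net", md5_hex("password1")),       # same password as alice
    ("dave@example.net", md5_hex("Xq7#vL!9pR2m-blf")),  # long random password, not in any wordlist
]

# Constructed stand-in for an online hash-lookup table: a tiny wordlist of common passwords.
WORDLIST: List[str] = ["123456", "password", "qwerty", "password1", "letmein", "flashlight", "welcome"]

# Common unsalted schemes seen in shop software of that era; all of them are fast to compute.
SCHEMES: Dict[str, Callable[[str], str]] = {
    "md5": lambda p: hashlib.md5(p.encode()).hexdigest(),
    "sha1": lambda p: hashlib.sha1(p.encode()).hexdigest(),
    "sha256": lambda p: hashlib.sha256(p.encode()).hexdigest(),
    "md5(md5)": lambda p: hashlib.md5(hashlib.md5(p.encode()).hexdigest().encode()).hexdigest(),
}


def identify_scheme(known_plain: str, known_digest: str) -> Optional[str]:
    """NightCrawl's observation made concrete: with one row whose cleartext you know,
    try the common unsalted schemes until one reproduces the stored digest."""
    for name, fn in SCHEMES.items():
        if fn(known_plain) == known_digest.lower():
            return name
    return None


def build_lookup(wordlist: Iterable[str], scheme: str) -> Dict[str, str]:
    """Precompute digest -> cleartext once. Because the hashes carry no salt, this single
    table applies to every row in the dump (and to every other dump using the same scheme)."""
    fn = SCHEMES[scheme]
    return {fn(word): word for word in wordlist}


def crack(rows: Iterable[Tuple[str, str]], lookup: Dict[str, str]) -> Dict[str, Optional[str]]:
    """kreisler's point: a lookup recovers only passwords already present in the table;
    anything else stays None no matter how large the table is."""
    return {email: lookup.get(digest.lower()) for email, digest in rows}


def duplicate_hashes(rows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Unsalted hashes leak one more thing: users with identical digests share a password,
    so cracking one of them cracks all of them."""
    seen: Dict[str, List[str]] = {}
    for email, digest in rows:
        seen.setdefault(digest.lower(), []).append(email)
    return {digest: emails for digest, emails in seen.items() if len(emails) > 1}


def salted_hash(password: str, salt: str) -> str:
    """A per-user salt makes the same password hash differently for every user, so no shared
    precomputed table applies. (Assumed scheme for illustration; a real store should use a
    slow KDF such as bcrypt or Argon2, which salt by construction.)"""
    return hashlib.sha256((salt + password).encode()).hexdigest()


if __name__ == "__main__":
    # Step 1: confirm the scheme from your own row (alice knows her password is "password1").
    scheme = identify_scheme("password1", LEAKED_ROWS[0][1])
    print("scheme:", scheme)
    # Step 2: one table, every row.
    results = crack(LEAKED_ROWS, build_lookup(WORDLIST, scheme))
    for email, plain in results.items():
        print(f"{email}: {plain if plain else '(not in wordlist)'}")
    print("shared passwords:", duplicate_hashes(LEAKED_ROWS))
```

The take-away matches the advice repeated throughout the thread: whether a given hash gets recovered depends only on whether that password is common enough to be in somebody's table, and a password reused across sites is exactly the kind that is. Changing the password at the leaking shop does nothing for the other sites; the other sites are where it has to change.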
scaru
Joined: 03/22/2012 - 13:36
Posts: 6946
Location: Virginia

Yeah, whoever downloaded the page could have easily gotten everything... At this point I don't see a need to shop at Intl-Outdoor again, they put my public information out on the web. I think someone needs to crack the hashes and fill in all of the info including passwords and send that on to Intl-Outdoor to point out how insecure it was.

laszlomdq
Joined: 12/05/2012 - 18:13
Posts: 34
Location: AZ

Hmmm, I thought I paid with Paypal, am I compromised too?

fran82
Joined: 07/31/2010 - 10:15
Posts: 2572

Is the data still available?
