Hi Gang,

so yesterday we had a minor security incident. Someone had gotten into a Member’s account, changed their email and was contacting us pretending to be the Member, and asking if we would send them all the videos “because they had lost them”.

Luckily the site alerted the Member that their email had been changed. They alerted us, and the account was secured, fortunately without sending the asshole hacker any movies.

The question then became how the asshole got into the account in the first place. The site's brute-force protection had not been triggered. Nobody had gotten through either of the firewalls. Our security company could see nothing suspicious, and there is no malware present on the site. The asshole somehow slipped in very easily and quietly.

The Member suggested that the asshole in question most likely had his password, because he uses the same password on other on-topic sites. And of course, unscrupulous owners of those sites then have access to every single account that you use that password on. I’m glad we spotted that, because said asshole may have been accessing people’s accounts quietly for years.

People, please be careful about your security. No point in all our recommendations about being safe, if you are basically posting your main password onto the public internet.

The Member in question unfortunately had used the same password on a whole load of sites, making it difficult to identify which other site was the culprit. However, I would take this opportunity to remind you. While we have always taken great care of your data, your info, personal messages and all kinds of other private stuff, and keep your passwords encrypted so not even I have access to them – with other sites, run by unethical operators in questionable locations, you may have no idea what is happening with your personal and often extremely private data, as we already saw from yesterday’s attempt. I have a few ideas who it was. Someone operating another site, who is familiar with our policy of only discussing account details with the account owner – which is why they changed the email on the account. That narrows it down a bit.

PREVENTATIVE MEASURES

First step, please change your site password. I suggest you do that immediately. I’ve posted some tips below.

Next, I have just implemented a force password change module. It will require you to change your password at regular intervals. I have set it to 30 days initially, after which I will change it to every 90 days. Just in case any of you are a bit lazy and decide to change it back to your publicly known password. I know it’s a minor pain in the ass, but not nearly as much a pain in the ass as random people strolling through all your personal accounts, purchases, messages etc, as if they were their own.

We will also in future be implementing a standard fee should you ‘lose your movies’ and need us to resend them. We prefer not to do that anyway, since resending means re-editing, re-exporting and re-uploading video files, a bunch of work. I know from time to time some of you will contact us begging to resend, and historically we have been quite lenient about this with our regular supporters. However, in light of this incident, in future we will need to levy this fee – both to cover the work involved, and also to deter any assholes from doing what they attempted to do yesterday.

Finally, we will be implementing a Passphrase system. At your next purchase, we will ask you to give us a secure Passphrase that we will keep securely offline. Any time you ask for anything potentially sensitive, we will ask you to give us your Passphrase, so we know who you are. Please do not post this Passphrase on the site, site messenger etc. Please only use this Passphrase via email. And of course, don’t forget it.
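As an added illustration (not code from the site, which only says the Passphrase is kept securely offline), here is one way the offline passphrase store and the check on a “resend my videos” request could be implemented so that the stored file never holds the passphrase itself, only a salted scrypt hash. The function names, the member id, the phrase and the minimum length are assumptions made for the example.

```python
import hashlib
import hmac
import os

# scrypt work factors (hashlib.scrypt is stdlib; needs OpenSSL 1.1+).
# 128 * r * N = 16 MiB of memory per check, within the default maxmem.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
MIN_PASSPHRASE_LEN = 12  # hypothetical policy value, not from the post


def _normalize(passphrase: str) -> str:
    """Collapse stray whitespace from e-mail copy/paste; keep case as typed."""
    return " ".join(passphrase.split())


def enrol_passphrase(passphrase: str) -> dict:
    """Record a Member's passphrase as salt + derived key, never the phrase itself."""
    clean = _normalize(passphrase)
    if len(clean) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase too short")
    salt = os.urandom(16)
    key = hashlib.scrypt(clean.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt, "key": key}


def verify_passphrase(record: dict, candidate: str) -> bool:
    """Check a passphrase sent by e-mail against the stored record.

    hmac.compare_digest runs in constant time, so a wrong guess takes as
    long as a right one and leaks nothing through timing.
    """
    key = hashlib.scrypt(_normalize(candidate).encode("utf-8"),
                         salt=record["salt"],
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key, record["key"])


# Constructed demo store: one member enrols a (made-up) passphrase.
MEMBER_STORE = {"member-0001": enrol_passphrase("pigeons nest under the old pier")}


def resend_allowed(member_id: str, supplied: str) -> bool:
    """Gate a sensitive request on the passphrase check; unknown ids just fail."""
    record = MEMBER_STORE.get(member_id)
    if record is None:
        return False  # refuse silently rather than reveal whether the id exists
    return verify_passphrase(record, supplied)


if __name__ == "__main__":
    print(resend_allowed("member-0001", "pigeons nest under the old pier"))  # True
    print(resend_allowed("member-0001", "Pigeons nest under the old pier"))  # False
```

A leaked copy of the store yields only salts and hashes, so the passphrase still has to be guessed at the scrypt cost per try, and the check never depends on staff comparing the phrase by eye.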

Security always has, and always will be our top priority for our community, so your cooperation is appreciated. Thanks for your understanding.

OTHER BITS

Also, for fuck’s sake please don’t tell me you are using the same password on your emails as you use on other dodgy websites. If you do, you might as well start giving your bank details out in the street. People, please take a few minutes to sort out your passwords, for your own protection.

TIPS ON PASSWORDS

Firstly, these days you should be using STRONG passwords for your online stuff. These are easily generated here:

Strong Password Generator

Problem with strong passwords is that they are nigh impossible to remember.

There are software systems available to store passwords on your PC. Personally I don’t like the idea of these, because if I were a hacker, first thing I would look to hack is software like that. Here is what I do instead.

I have 1 spreadsheet with all my passwords in it. The labels for the passwords are not immediately clear to anyone else, so if someone else did get hold of it, much of it would be nonsense. For example:

GY – passwordxzy

Might be my Gaia Yahoo account. Since most of us use passwords every day, you will quickly get used to this.

I keep this document on an encrypted USB pen. I use VeraCrypt, but you can also use version 7.1a of TrueCrypt. I insert and mount this encrypted drive when I start my PC. You will need 1 password to access the encrypted drive, and that should also be a strong password. I keep a written copy of that password hidden in a place nobody would ever find it. I also keep a copy of it very well hidden on my PC, again in a place nobody would ever find it even if they were looking for 2 years. I open that password, mount the encrypted drive, then all my passwords are there neatly organized.

Once a month I take a copy of this passwords document, in case I lose the drive, it gets corrupted, or anything like that. I put it in a passworded rar file, and upload it to an obscure email account I keep for this reason. That email also has a fairly strong password, but over the years I have learned to remember that password, so I don’t need to write that down anywhere.

Give that a try Gang. With increasingly more of our lives and businesses being conducted online, learning what to do with passwords becomes increasingly more important. So you should take this quite seriously. Unless you like dodgy fuckers having access to all your shit.

LASTLY

Your email provider. You Yahoo users will no doubt be aware of the massive Yahoo hack that happened a short time ago. Your choice of email provider makes a difference.

We strongly recommend changing your email provider to Protonmail. It’s free, and it’s encrypted, so there is far less chance of anyone snooping. And it has double authentication – i.e. 2 passwords. That means, even if someone did get hold of your password, they still couldn’t get into your email. I’m glad to see many of you making the jump to Protonmail, and I hope the rest of you will too. Encrypted secure mail is kinda important for us petlovers.

Play safe Gang, and remember the price of freedom is eternal vigilance. Sloppy people get hacked, sloppy people get busted. If assholes can get access to your stuff, so can the NSA. And you probably don’t want that, right? 🙂


Published in Security
6 Comments
  1. wangly5364551 1 month ago

    where is the group in the COMMUNITY? I can’t find it.

  2. allyfitz 1 month ago

    Protonmail uses single passwords now. They haven’t had dual passwords available for a while. It may still be an option if you pay, but for free accounts it’s single password. Two-factor auth is an option as well, which everyone should be using.

    • adam (Author) 1 month ago

      Ok good point. It’s still a good provider to use anyway, because it’s encrypted and because of its location. Also we have no problems sending mails to Proton – mails like GMX etc, we ALWAYS have problems with.

      Thanks for letting us know though 🙂

      • allyfitz 1 month ago

        Glad to help. I use protonmail and it’s been great. I’ve never once had a problem getting emails from you. 🙂

  3. guodong 1 month ago

    thank you

  4. rob1994 1 month ago

    Thanks for the warning and the tips.


©2018 ArtOfZoo Official Site - a Gaia Media Industries Website
