Winamp Forums hacked – Winamp Forums Security Breach FAQ
If you ever use Winamp and have ever registered for their forums then you should consider changing your password for that site, if you use that password elsewhere then change them there as well:
http://forums.winamp.com/showthread.php?p=2747002
They were recently hacked and now your details may have been exposed.
Winamp Management Team — On February 11, we discovered that the Winamp Forums (forums.winamp.com) servers were compromised, resulting in a security breach where Winamp Forums users’ email addresses and passwords may have been compromised.
We understand how important trust is, and we’re deeply sorry for and embarrassed about this breach of security. We immediately closed the exploit that led to this compromise and we’re working around the clock to ensure our security moving forward. We’re also committed to communicating openly with you to make sure you understand what has happened, how it may or may not affect you, and what we’ve done to fix things. If you are a registered Winamp Forums user, you should have received an email from us notifying you that your account may have been compromised.
We have confirmed that this attack was isolated to the Winamp Forum (forums.winamp.com) site only. Other Winamp sites and products such as Winamp.com, dev.winamp.com and the Winamp Desktop Media player were not affected in any way.
We have prepared the following FAQ for questions you may have about this incident. If you have additional questions please feel free to contact us at support@winamp.com.
1) How do I know if my password was hacked?
If you’ve registered an account on the Winamp Forums (forums.winamp.com), then it’s best to assume that your username and password were included among the compromised data.
Passwords in our database are encrypted (i.e., not stored in plain text), but they may still be vulnerable to hackers. You should immediately change the password on your account, and if you used that password on any other web site, you should change your passwords on all of those accounts as well.
2) What data was exposed in this breach?
We have confirmed that your email address was exposed as a result of this attack. We have not confirmed but must assume that other Winamp forums user account detail, including your forums username, date of birth, time zone preference and password hash (not your clear text password).
3) Should I be concerned about my other online accounts? What if I used that password on other sites?
If you used your Winamp Forums (forums.winamp.com) password on any other web sites, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username. We’ve put together a guide to help you audit and change your passwords.
4) How can I delete my account?
We understand how important trust is on the web, and some of you may wish to delete your Winamp Forums account. To delete your account make sure that you are logged into the Winamp Forums and follow these simple instructions:
Scroll down to the bottom of the forum home page and click on ‘View Forum Leaders’. Scroll down to the Root section to see the list of Administrators. Send your deletion request to DJ Egg or DrO using the contact link to the right of the administrator’s name. The Administrator will delete your account upon receiving the private request message.
5) How do I change my password?
You can change your password in your “User Control Panel” settings. Log in to your account, click the “User Control Panel” in the Forum Nav, then click “Edit Email & Password” under “Settings & Options” Enter your old password and your new password, re-enter to confirm new password and click “Save Changes.” Your password will be updated. You can also change the email associated to your Winamp Forums account on the same screen.
6) What if I forgot my Winamp Forums password?
On the Login screen attempt to log in once, after you fail one login you will see “Forgot your password? Click here!”. Enter the email associated to your account and text/numbers in the image verification box (aka Captcha). You will be sent an email at that address that will reset your password. Follow the link you will be taken back to Winamp Forums and another email will be sent to the same account. Use that username and temporary password to login. You can reset your password now by going to the User Control Panel. See instructions in #5 above.
7) Who was responsible for the security breach? How did it happen?
Our security team was able to identify and block access to the application flaw which resulted in this breach. The application was patched and new security measures have been deployed to keep this type of breach from happening in the future.
How are you notifying those whose details were compromised?
We are in the process of notifying all users with a registered account for the Winamp Forums via email. Please feel free to forward these FAQs to anyone you know who uses Winamp Forums. We can also be reached at support@winamp.com
9) What are you doing to ensure this doesn’t happen in the future?
The security team has introduced new web application protections and monitoring processes to detect abusive activity.
10) What should I do now?
You should change your password as soon as possible, both on the Winamp Forums and on any other site where you use that password.
11) When did you discover the breach had occurred?
We discovered the breach on Feb. 11. We actively monitor Winamp Forums and all Winamp products via a rigid security plan and software that alerts us whenever there are attempts to breach that security. Those processes alerted us of this breach and we reacted within 24 hours and shut down the exploit.
12) I received an email from “Winamp” on February 15, was that from you?
Yes, we sent an email on February 15 to all Winamp Forums users informing them of this breach and asking them to reset their passwords for the Winamp Forums and any accounts where they use the same email and/or password. The subject was “Winamp Forums Security Notification” and the body of that email was as follows:
Hello,
My name is Geno Yoham and I am the General Manager of Winamp. First, thank you for your support of Winamp. The Winamp Team is dedicated to providing you with the best possible media player experience so it gives us great pain to share that we have recently experienced a security breach of our user forums database.We have confirmed that your email address was exposed as a result of this attack. We have not proven but must assume that other Winamp Forums user account detail which includes your forums username, date of birth, time zone preference and encrypted password (not your clear text or unencrypted password) was exposed. We have secured our Winamp Forums application and we would like to notify you of the incident and ask you to immediately change your password as a precautionary measure. If you have used your Winamp forums password across other web sites, please change the password on those web sites as well.
We apologize for any inconvenience this has caused and want to assure you that we are taking every possible step to ensure that your data and personal information remains secure as a part of our ongoing commitment to protecting your privacy.
If you have any questions or would like to speak to someone at Winamp for more information about your account, please contact:support@winamp.com. We have also set up an FAQ at forums.winamp.com for questions you may have related to this incident.
Best,
Geno Yoham
Winamp13) What can I do if I’m receiving spam because my email was leaked?
You can take steps on your own to wipe out spam from your inbox, but you’ve also got legal recourse.
The CAN-SPAM Act of 2003 allows for private right of actions against spammers. If you receive any spam in your inbox that you believe is related to your leaked email address, please report it to the Federal Trade Commission. Send a copy of unwanted or deceptive messages tospam@uce.gov. The FTC uses the unsolicited emails stored in this database to pursue law enforcement actions against people who send deceptive spam email. For additional information, please visit the FTC’s website. Note, you should not respond to a spam email. By doing so, you confirm that your email account is active, and you’ll likely be flooded with more spam.
