FraudRecord - Member Email Addresses Leaked
FraudRecord have left their mailing script in a public directory where it lists member email addresses opted in for their newsletter.
Brought to my attention by @AsadHaider
Comments
Please remove the URL. We don't need every script kiddie on LET getting their hands on the list. @kcaj
So instead of reporting this, you post it here?
I call for a ban!
Meh. I expect most members to be providers using addresses that are likely not private. Just my expectation at least.
Same. I took a quick look and the majority of them are all mails such as [email protected] (which is mine). There ARE a couple freemails in there, but they're most likely not active, or not people you'd want to send spam to anyways.
Hell, I should be updating my FR email now that it's been brought up! I'd rather have emails sent to my new brand!
Not that bad of an issue.
It's already in the public domain on other forums and various other internet sources.
I'm being told that the directory has been open and accessible for a long time now.
Care factor? Zewch.
Enough to engage with the thread, evidently.
It's illegal in the EU at least, negligence about protecting supposedly private details.
It's why they go to the bother of hashing customer details in their main product, after all
Evidently you can't understand context. My care factor towards proposed "others" posting on other forums does not mean you just post it here.
And yeah, because this is not supposed to be publicly posted. Go send an email to Harzem instead of having your moment of drama.
While you might think every thread is an opportunity for handbags, I'm thankful the OP posted this. There isn't a single reason to have a list of private details in a publicly accessible file.
Not that there's any indication that the file can be found on any particular website, of course.
I think this brings into question the security of details being maintained/processed in their main product. If basic textbook errors like this are being made, what else is potentially at risk? Is anybody auditing their work?
I see someone with some money to burn basically closing that place down, given time. Still, that's a pretty bad error on their part (I'm assuming the leak is on their website), regardless of how low expectations are.
I'm not quite sure what you mean by handbags, but I do probably come off a little bit harsher than I intend.
I need to get a bind for a key just for ":-)"
Sigh. And this is the trusted service providers use to report "fraud" ??
Hey FR, while you're busy fixing the security hole(s), maybe an opportune time to add in a dispute process or (secure) 3rd party review algorithm.
I could be alone in thinking this but their actual data should just be mostly hashes and comments, and it's 100% publicly accessible as it stands. I'm not really sure just what negligence on their part to secure their data would do negatively. It's literally a public database. I guess you'd be free to parse it differently?
Lol
Would like to receive a dump in pm. It should be cool to track which people collect and report information about bad guys.
@Harzem will you be doing a full disclosure about this leak?
It's already out there and not hard to find if you want to see it. As @jar said, it's really providers in the main so there is no real damage here and no sensitive information.
But yeah, security, algorithms and a stupid mistake like this? Another shot in the leaky boat that is FraudRecord.
I must clearly be waking up, YGPM.
Seems to be a fair few recently.
I used my real/main email to buy VPS first time.
So many people always trying to drum up or instigate drama over FraudRecord... must be stepping on a lot of the "do not want" customers' toes
Wow ..... really?
I guess people can't just have concerns about a blacklist system that was flawed even prior to this disclosure huh?
Voicing a dissenting opinion !== Guilty
Oh, but I forgot, this is LET
Same here. It would be really useful for me.
There is another discussion over at "that site" :P which has a more in-depth discussion.
https://vpsboard.com/topic/6357-fraudrecord-public-dumps-user-customer-info/
From that other thread:
If putting index.html is his idea of security then he's the wrong guy to be running this system.
His attitude is pretty poor too. No one owes him the favour of pointing out these mistakes.
Simply visiting that link was causing the mailer to run over and over again! Dafuq?
An index.html as your security? Dafuq?
Don't get me wrong here, the person that spotted it should have given them the chance to nail it shut before releasing it but I have to say that a bug/vulnerability being spotted is one thing. Downright stupidity (which this is), that is something else.
Some people (like me) just have an account to query the website to see whether there are any records on me.