Fun Publications Update 3/27/12

Discussion in 'Transformers News and Rumors' started by Megabattimus, Mar 27, 2012.

Thread Status:
Not open for further replies.
  1. Bed Bugs

    Bed Bugs Haven't gone postal yet...

    Joined:
    Apr 12, 2005
    Posts:
    3,808
    News Credits:
    21
    Trophy Points:
    322
    Location:
    Marshfield, WI
    Likes:
    +241
    Yeah, I tested the waters and waited just to see what happened. Since my card had a small limit, I wasn't too worried (keep it low for a reason ;) )

    Did get hit with a $1 charge to some charity in Columbus, OH about a week ago. Cancelled my card right away, as I watched it like a hawk.

    Annoying that I had to cancel the card, and I fully realize that they could have gotten more than a $1 out of it.

    I just had to know for sure, and now I do.

    If you don't watch your account as closely as I do, please for the love of your wallet, cancel your card if you haven't already.
     
  2. dj_convoy II

    dj_convoy II Remix!

    Joined:
    Aug 20, 2006
    Posts:
    2,990
    News Credits:
    6
    Trophy Points:
    312
    Likes:
    +3,301
    At least they have admitted it was REALLY THEM, and not some of the wacky theories some of our fellow fans rushed to post in their defense.

    They should still apologize for posting that ridiculous credit card fraud article at the beginning of all this... and not to mention a certain someone blaming customers for using their cards unsafely...
     
  3. wikkiddavis

    wikkiddavis The wikkid man

    Joined:
    Nov 23, 2003
    Posts:
    577
    News Credits:
    3
    Trophy Points:
    202
    Likes:
    +24
    My bank's gonna think I'm an idiot! Two cards cancelled in one year, once for the PSN and now for this!
     
  4. TheosPrime

    TheosPrime Complete Amateur

    Joined:
    Mar 15, 2012
    Posts:
    204
    Trophy Points:
    97
    Likes:
    +4
    Ah thanks. It's getting really confusing with everything that has been said. I hope they find out more soon. Hearing how much money some have lost is sad.
     
  5. Might Gaine

    Might Gaine The Devil Express

    Joined:
    Apr 16, 2003
    Posts:
    3,037
    News Credits:
    7
    Trophy Points:
    292
    Likes:
    +138
    For those who don't speak hack-ese, a SQL injection attack just means that someone filled out a form on their site with something that had... wait for it... a quote character and/or semicolon in it!!!

    This: '

    Or This: ;

    You use the character to terminate the string or statement and then tack on your own SQL statements afterward to exploit the database. Your grandma could pull off this 'exploit'.

    To prevent these attacks from being successful, you 'sanitize' your input, which is a fancy way of saying "you remove the quotes and semicolons". It's stupidly easy.

    This is pretty pathetic...
     
  6. Roufuss

    Roufuss Shots

    Joined:
    Oct 14, 2010
    Posts:
    8,830
    News Credits:
    10
    Trophy Points:
    287
    Likes:
    +1,568
    Are you surprised, though? This is FP we're talking about here.

    Even in the email, they are quick to pass the buck: "This was our ISP's fault, not our fault or our crappy, outdated systems! It was all our ISP's fault! They told us we were secure!"

    Sorry FP, this is definitely your fault, and falling to an SQL injection proves it. This all could have been avoided if they updated their website and security when fans asked for it years ago.

    And that's the worst part: this could have been avoided if Fun Pub listened to its fans. The fact the hackers just kept accessing the database for months, as said in the email, right under Fun Pub's nose is simultaneously anger inducing, hilarious and sad.
     
  7. Bogatan

    Bogatan Well-Known Member

    Joined:
    Apr 20, 2007
    Posts:
    2,048
    News Credits:
    2
    Trophy Points:
    202
    Likes:
    +12
    And these still aren't being sent out to former members who have been just as affected.
     
  8. Megabattimus

    Megabattimus Same As It Ever Was

    Joined:
    May 30, 2011
    Posts:
    4,632
    News Credits:
    1
    Trophy Points:
    247
    Location:
    Victoria, Australia
    Likes:
    +145
    Agreed 100%.

    Anyways, while I am glad they've sent out an email admitting that they screwed up and that they're actually going to fix it, this is something they should have sent out ages ago, instead of blaming other people for it and trying to sweep the entire thing under the rug. If they had taken this approach sooner, many people, myself included, might not have completely sworn off the club. However, they didn't and as a result, I ain't coming back and I really hope others do not come back either, because the only way "Fun" Pub is ever going to change anything is if they see their profits take a hit.
     
  9. TheosPrime

    TheosPrime Complete Amateur

    Joined:
    Mar 15, 2012
    Posts:
    204
    Trophy Points:
    97
    Likes:
    +4
    So, I would assume it would be really easy to track? Or no?
     
  10. General Tekno

    General Tekno Lugnut Supremor & Arkivist

    Joined:
    Jun 26, 2006
    Posts:
    11,762
    News Credits:
    242
    Trophy Points:
    382
    Location:
    The Teknodrome
    Likes:
    +5,539
    Not if the people who used an injection attack were smart about it.

    Also, regarding all this talk about "military grade" security, that's NOT the claim I would make, given that the growing orthodoxy from what I've read among US intelligence/military services is to assume that your system is already compromised, and go from there.
     
  11. Grandum

    Grandum Well-Known Member

    Joined:
    Feb 2, 2011
    Posts:
    2,196
    News Credits:
    1
    Trophy Points:
    217
    Likes:
    +69
    Nope, to list out the contents you would need access to their server and use a server-side language (like ASP or PHP). SQL injection leaves the database open for a hacker to corrupt the data, but not to read it.
     
  12. Waverider

    Waverider Supreme Dude

    Joined:
    Jan 10, 2009
    Posts:
    8,764
    News Credits:
    8
    Trophy Points:
    367
    Location:
    GTMO
    Likes:
    +498
    I wonder why they haven't run a DB sweep often? Come on. FP couldn't be that lazy or ass backwards.
     
  13. alldarker

    alldarker M.A.S.K. Crusader

    Joined:
    Apr 3, 2008
    Posts:
    2,391
    News Credits:
    4
    Trophy Points:
    312
    Likes:
    +594
    Damn... I was already almost hit a month ago by someone being able to log into my Paypal account and buy a $6000(!) watch (which I was able to stop within minutes of receiving the Paypal e-mail). That was partly my fault for using the same login details as on the TFCC site (although nobody should have been able to touch those details).

    After that had happened, I did in fact try to cancel the CC I used with TFCC, but the bank told me they would only cancel it AFTER an intrusion (even though I sent them an e-mail with the TFCC warnings attached and links to the topics here on TFW2005). So... if anything is going to happen to my account, the bank should really have considered themselves warned.
     
  14. C-109

    C-109 Targetmaster

    Joined:
    Jan 3, 2010
    Posts:
    98
    Trophy Points:
    46
    Likes:
    +0
    Yeah, no crap. I'm out of the collecting loop for a few months due to rl issues and come back to find out about all this HERE, but as a member within the last year, didn't get crap for notification in my email. I was about to take a trip, so information that my one and only credit card may be compromised would have been good to know. That is some serious BS. :mad:
     
  15. TheosPrime

    TheosPrime Complete Amateur

    Joined:
    Mar 15, 2012
    Posts:
    204
    Trophy Points:
    97
    Likes:
    +4
    That's really lame! You should be able to cancel your card whenever, especially if you have proof it's probably going to get compromised. Doesn't really make any sense...

    (yay 100 posts!)
     
  16. RKillian

    RKillian http://www.rktoyandhobby.com

    Joined:
    Dec 9, 2004
    Posts:
    15,011
    News Credits:
    1
    Trophy Points:
    387
    Location:
    Soviet Pennsylvania
    Likes:
    +13,768
    What I don't get about the SQL injection attack is how they got anything out of it without resorting to methods that are tedious and would be immediately obvious, unless FP had some page somewhere that just ran a literal search and printed out a table from it.
     
  17. Grandum

    Grandum Well-Known Member

    Joined:
    Feb 2, 2011
    Posts:
    2,196
    News Credits:
    1
    Trophy Points:
    217
    Likes:
    +69
    Indeed, and IF they had a page like that, how would anyone find out about it? I as a member could never see my credit card info on their site, so how would a hacker be able to?
     
  18. Trailbreaker77

    Trailbreaker77 Camaro Club! Veteran TFW2005 Supporter

    Joined:
    Sep 15, 2004
    Posts:
    15,399
    News Credits:
    22
    Trophy Points:
    427
    Likes:
    +4,353
    Nah, don't worry about it, I'm in the same boat you are, saving them problems as well. Trust me, they would rather cancel it.
     
  19. Dragonclaw

    Dragonclaw Briefly the owner of KB Toys

    Joined:
    Aug 5, 2003
    Posts:
    7,929
    News Credits:
    6
    Trophy Points:
    337
    Likes:
    +3,008
    Yeah, my bank actually thanked me for being proactive about it and saving them the effort of fixing everything after the fact :) 
     
  20. Dover345

    Dover345 Well-Known Member

    Joined:
    Apr 4, 2008
    Posts:
    80
    Trophy Points:
    92
    Likes:
    +17
    The thing that kinda makes me mad is that it has taken them so long to say that they truly were the problem & that all of their information was compromised. Also the fact that inactive members have to get this information from sites like this instead of being sent it directly. Last year was my first year as a member & I don't know if I will ever be able to trust this company enough to use their services ever again.
     