
VideoGamesPlus.ca hacked

  • 18-01-2012 4:20pm
    #1
    Registered Users Posts: 54,383 ✭✭✭✭


    Popular import retailer VideoGamesPlus.ca has reportedly been hacked, resulting in 21,000 of its customers' details being posted online.
    Hacker "xdev@b4lc4nh4ck" posted a link to what was apparently stolen personal information from the online Canadian shop on Pastebin.
    A .rar file posted on RapidShare (since removed) apparently contained names, dates of birth, email addresses, phone numbers and encrypted passwords. Eurogamer readers have been in touch, claiming their details were found inside.
    "Videogamesplus.ca has [been] pwned by xdev @ b4lc4nh4ck," the hacker announced via his Twitter account. "Greetz to Don @ b4lc4nh4ck. More information will be posted on Pastebin."
    VideoGamesPlus.ca has yet to comment on the hack or publicly acknowledge the breach to customers.
    We've contacted the Canadian retailer for more information and will update when we hear back. At the very least, we'd advise anyone who's used VGP to log in and change their password.
    http://www.eurogamer.net/articles/2012-01-18-videogamesplus-ca-hacked-21-000-users-details-stolen

    **** **** ****

    I've used them in the past, right good online retailer. **** it anyway.

    ****ing hacking ***** anyway



Comments

  • Registered Users Posts: 54,383 ✭✭✭✭Headshot


    Update: VideoGamesPlus.ca has begun emailing customers to inform them of the site's apparent security breach.
    VGP admitted it was "currently investigating a security issue" in a generic email addressed to users, passed to Eurogamer this evening. The company recommends users change their passwords "as a safety precaution" and apologised "for any inconvenience caused".

    It's pretty bad that you trust these companies and yet they can't have any decent security

    The brick and mortar shops could be back in fashion


  • Registered Users Posts: 8,225 ✭✭✭Ciaran500


    Headshot wrote: »
    It's pretty bad that you trust these companies and yet they can't have any decent security

    Bit early to say that, if a shop was broken into you wouldn't immediately blame the shop.


  • Registered Users Posts: 54,383 ✭✭✭✭Headshot


    Ciaran500 wrote: »
    Bit early to say that, if a shop was broken into you wouldn't immediately blame the shop.

    I don't believe it is

    Sony, VGP, Rift, Steam and probably some more. I don't understand why after the big Sony fiasco the other online retailers didn't see this coming

    A bricks and mortar shop wouldn't have my details


  • Moderators, Category Moderators, Arts Moderators, Computer Games Moderators, Entertainment Moderators Posts: 29,482 CMod ✭✭✭✭johnny_ultimate


    In fairness, VGPlus are a small independent company with none of the resources of the bigger victims. Still not acceptable, but it's a ****ty move on the hacker to have attacked a company that is anything but big businesses.


  • Registered Users Posts: 8,225 ✭✭✭Ciaran500


    Headshot wrote: »
    Sony, VGP, Rift, Steam and probably some more. I don't understand why after the big Sony fiasco the other online retailers didn't see this coming

    What I was saying is that it's a bit early to say VG+ had bad security, nothing is hack proof.


  • Registered Users Posts: 9,249 ✭✭✭Stev_o


    Headshot wrote: »
    I don't believe it is

    Sony, VGP, Rift, Steam and probably some more. I don't understand why after the big Sony fiasco the other online retailers didn't see this coming

    A bricks and mortar shop wouldn't have my details

    Because nothing is hack proof and if a determined hacker decides he wants to hack something like this chances are they'll break in one way or another.

    Hell they don't even need to hack they can just phish their way in.


  • Registered Users Posts: 3,923 ✭✭✭kearneybobs


    I remember getting GoW:Collection from them for the PS3. But they don't have my email on record so I think I'm safe. Maybe I ordered it as a guest or something.


  • Registered Users Posts: 2,509 ✭✭✭NotorietyH


    I got an alert this morning from the Security company that Sony provided for people after the hack last year, saying that my email address was being traded/sold so I assume it's because of this. I've only ordered from them a few times and the last time was probably 2 years ago. Annoying but my password for there was different from everywhere else anyway so hopefully I'm safe enough.


  • Registered Users Posts: 8,280 ✭✭✭Glico Man


    NotorietyH wrote: »
    I got an alert this morning from the Security company that Sony provided for people after the hack last year, saying that my email address was being traded/sold so I assume it's because of this. I've only ordered from them a few times and the last time was probably 2 years ago. Annoying but my password for there was different from everywhere else anyway so hopefully I'm safe enough.

    Same here. Changed my password to that account but the feckers still managed to spam me :mad:


  • Closed Accounts Posts: 5 HeKnowsAll


    Safe is relative. The passwords were MD5 hashed, but random salt, though I suspect the salt is actually in the password data.

    The hack is much worse than the stories are saying due to VG+'s terrible security. My gran could have hacked the site.

    They've lost: Name, DOB, email, telephone number, postal address, order history, customer basket (if anything put in there and abandoned), registered date, number of times logged in, last login date, some crap to do with affiliates, vouchers and various other bits and bobs. Combine this with google searches and you could have a nice fistful of data thank you-please.

    And NotorietyH - yes, I know where you live ;)


  • Registered Users Posts: 3,923 ✭✭✭kearneybobs


    HeKnowsAll wrote: »
    Safe is relative. The passwords were MD5 hashed, but random salt, though I suspect the salt is actually in the password data.

    The hack is much worse than the stories are saying due to VG+'s terrible security. My gran could have hacked the site.

    They've lost: Name, DOB, email, telephone number, postal address, order history, customer basket (if anything put in there and abandoned), registered date, number of times logged in, last login date, some crap to do with affiliates, vouchers and various other bits and bobs. Combine this with google searches and you could have a nice fistful of data thank you-please.

    And NotorietyH - yes, I know where you live ;)

    I did notice that you had posted something earlier about him and it disappeared fairly lively. :confused:


  • Moderators, Category Moderators, Computer Games Moderators Posts: 51,446 CMod ✭✭✭✭Retr0gamer


    Yep I deleted it. I decided to get rid of it because it had some details that were contained in the leak but had a chat with the poster and he's just trying to show people that this is a pretty bad leak and that you should all be careful.


  • Registered Users Posts: 54,383 ✭✭✭✭Headshot


    I see no addresses, just name dob and phone number that they got too

    btw hacking pricks, why pick on a small innocent company


  • Registered Users Posts: 54,383 ✭✭✭✭Headshot


    Retr0gamer wrote: »
    Yep I deleted it. I decided to get rid of it because it had some details that were contained in the leak but had a chat with the poster and he's just trying to show people that this is a pretty bad leak and that you should all be careful.

    So you don't think he's on a windup

    hence just registering today ?


  • Closed Accounts Posts: 5 HeKnowsAll


    Was trying to make the point that the data lost makes things not that safe, a site mod didn't agree which is fair enough. Many people don't think anything can be done with this sort of information. Until their identity is used for fraud of course, but by then you've got the hassle of sorting it all out.

    Hackers are a pain in the bum yes, but you don't leave your house unlocked when you go out do you? VG+ seem to be burying their head in the sand.

    Being signed up to an ID protect thing is becoming more and more required it seems :(


  • Closed Accounts Posts: 5 HeKnowsAll


    Headshot wrote: »
    So you don't think he's on a windup

    hence just registering today ?

    Are you registered with VG+? Send me your name and I'll send you your details :)


  • Moderators, Category Moderators, Computer Games Moderators Posts: 51,446 CMod ✭✭✭✭Retr0gamer


    Headshot wrote: »
    So you don't think he's on a windup

    hence just registering today ?

    I'm afraid all the details were made available for a while on rapidshare so if you were quick enough they are out there.


  • Registered Users Posts: 54,383 ✭✭✭✭Headshot


    Retr0gamer wrote: »
    I'm afraid all the details were made available for a while on rapidshare so if you were quick enough they are out there.

    Oh I got the details already and I'm on it :(

    But all I see is names, dob, email and phone number

    nothing else


  • Closed Accounts Posts: 5 HeKnowsAll


    It was taken down from rapid share quite quickly, which is good actually.

    However, VG+ had that file and a whole lot more publicly available on their own website, if you knew where to look, which wasn't very hard.

    If you don't believe me I'm happy to prove it - PM me your name, I'll PM back.


  • Registered Users Posts: 8,326 ✭✭✭Zapp Brannigan


    Ugh, great! I had an account but they haven't emailed me letting me know about it. Cheers VGP.


  • Registered Users Posts: 54,383 ✭✭✭✭Headshot


    Hey Retro lucky you didn't buy that controller eh :D


  • Moderators, Category Moderators, Computer Games Moderators Posts: 51,446 CMod ✭✭✭✭Retr0gamer


    Headshot wrote: »
    Hey Retro lucky you didn't buy that controller eh :D

    Bought a shot load of other stuff from them and they are my main import site so not really happy days :)

    VGP are being really bad about this and are just proceeding as if nothing happened without any e-mails to anyone about this.

    If there's one good thing about that Sony hacking from last year is that I changed my passwords.


  • Registered Users Posts: 54,383 ✭✭✭✭Headshot


    Retr0gamer wrote: »
    Bought a shot load of other stuff from them and they are my main import site so not really happy days :)

    VGP are being really bad about this and are just proceeding as if nothing happened without any e-mails to anyone about this.

    If there's one good thing about that Sony hacking from last year is that I changed my passwords.

    I got an email from them, Retro

    Maybe you are lucky and they didn't get your details

    Regarding VGP I'm going to ring them up tomorrow and ask what is the story


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    Headshot wrote: »
    I got an email from them, Retro

    Maybe you are lucky and they didn't get your details

    Regarding VGP I'm going to ring them up tomorrow and ask what is the story

    Judging by the severity of the hack, it's unlikely that they didn't get every single customer's emails.

    I wonder how bad their security was? Looks like it was full admin access to all their databases. Assuming they weren't thick enough to stick everything on the one.......


  • Closed Accounts Posts: 5 HeKnowsAll


    It was very poor. No CC stuff stored though.

    122,765 customer records, with 136,956 related address details.


  • Registered Users Posts: 7,156 ✭✭✭witnessmenow


    I had a look at the dump there, I am on it ok. It has my full name, my email address, and my old phone number

    But this is a dump of one table, it's very likely they got other tables too


  • Closed Accounts Posts: 23,316 ✭✭✭✭amacachi


    I'm just trying to figure out what password I used for the site, see what I need to change now.


  • Registered Users Posts: 5,781 ✭✭✭eddhorse


    Nothing is safe ! Although by the sounds of things they didn't secure their site enough !
    I never did get to empty my basket, looks like they did it for me,
    Any word on credit card details used on the site?
    Ed


  • Registered Users Posts: 2,509 ✭✭✭NotorietyH


    I got an email from them last night, which was a bit too slow for my liking. At least I was aware of it, but there's probably people out there who are only just finding out about it now.

    Think I've changed all I can change. After the PS hack I decided I just had to accept that every single shred of information about me is out there anyway and I just had to accept it! Was almost freeing in a way. Will just stay registered with the Security service after my year runs out I think.

    Just have to go and change my home address now. Off to daft.ie I go!


  • Registered Users Posts: 5,781 ✭✭✭eddhorse


    NotorietyH wrote: »
    Just have to go and change my home address now. Off to daft.ie I go!

    Haha

    Security Email,
    We are emailing all our customers to let them know that we have had a security breach. Unfortunately, this has meant that some customers' personal information such as names, phone numbers and email addresses has been compromised.

    However, we can confirm that no customer's credit card or other financial information, other than your general contact information, has been compromised.
    We can confirm this because Videogamesplus.ca does not internally store full credit card numbers, or any other financial information on our secure server.
    We take privacy and security very seriously and have contacted the authorities to investigate the matter further. We have also taken all necessary security steps to ensure our site is once again secure. We are also upgrading and adding new security measures to the site immediately.

    We also note that all passwords were encrypted and are accordingly not visible, but as a safety precaution we are still recommending that all customers login and change their current password to a new one. We have sent an earlier email explaining how to make this change. If you require further assistance with this you can contact our customer service team at customerservice@videogamesplus.ca

    Unfortunately, you may receive emails pretending to be from us at videogamesplus.ca asking you for personal details, including financial information. We ask you to be vigilant with your email and personal information. We confirm that at Videogamesplus.ca we will never email you asking for passwords, credit cards, banking details or any other personal or financial information, and accordingly recommend that you should simply delete such e-mails and not respond to them. If you receive anything suspicious in your email, please do not click any of the links and forward the email to security@videogamesplus.ca for us to investigate.

    We sincerely apologize for any inconvenience this has caused our customers.

    VGP Customer Service Team

