#54281
05/10/2013 5:28 PM
OP
Member
Joined: Feb 2011
Posts: 1,023 Likes: 5
Everyone get this?
IMPORTANT INFORMATION
Dear Friend of Amazing Charts,
Earlier this week we discovered there was a cyber attack to the server that hosts the Amazing Charts User Board (UB) that may involve some of your information.
We value your business and respect your privacy. According to our records, you once registered as a member of the Amazing Charts UB. The data accessed included email addresses and some passwords for User Board registrants. To our knowledge, the data accessed did not include any other information.
We have already implemented additional security measures designed to prevent a recurrence of such an attack. We are also working closely with law enforcement to ensure the incident is properly addressed.
As a precaution, please log into the User Board and change your password as soon as possible. For further information and assistance, please contact us at UB@amazingcharts.com.
Sincerely,
Kathleen Repoli
Senior Vice President
Amazing Charts
Gene Nallin MD solo family practice with one PA Cumberland, Md
G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
I got it. I find it interesting. I changed the email linked to my account a few months back and the email went to that old account. Makes me question the veracity of the email. I would proceed with caution before clicking any links.
It seems legit though. Traces back to MailChimp's servers. MailChimp is used to send bulk emails.
Member
Joined: Dec 2011
Posts: 51
Hi Sandeep,
This is a legit email, we were notified by Kathleen about an hour before the email went out.
Thanks, Anthony@AC
G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Might be worth posting in the Amazing Charts Status Update area so all the board members can see it.
Member
Joined: Apr 2011
Posts: 99
According to the email:
"The data accessed included email addresses and some passwords for User Board registrants."
This implies that the AC UB doesn't store the passwords in encrypted form. Isn't that a major security issue?
Michael NY
Member
Joined: Jan 2005
Posts: 442
The hyperlink in the email to the board is of the format like
amazingcharts....mananage2.com/track/click?u=...
which makes it look suspicious. Emails like this should NOT include a hyperlink. They should force the user to actually type the web address. If a hyperlink is provided it should clearly link to the UB and not some funky third party tracking email.
...KenP Internist (retired 2020) Florida
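Added example, not part of the thread and not Amazing Charts' or MailChimp's code: a check that lists every link in an HTML e-mail body and flags those whose host is not under the sender's own domain, which is the property the post above objects to. The sample body and its hosts are constructed placeholders; only the `amazingcharts.com` domain comes from the notification's contact address.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def classify_host(host, trusted_domains):
    """Compare a link host with the domains the sender is known to own."""
    host = host.lower().rstrip(".")
    for domain in trusted_domains:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # The sender's name as a label under another domain: what click-tracking
    # hosts look like, and also what a phishing host looks like.
    if any(d.split(".")[0] in host.split(".") for d in trusted_domains):
        return "brand-label-on-foreign-domain"
    return "third-party"

def audit_links(html_body, trusted_domains):
    """Return (href, host, verdict) for every link in the message body."""
    collector = HrefCollector()
    collector.feed(html_body)
    results = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            results.append((href, "", "non-web-scheme"))
            continue
        host = parts.hostname or ""
        results.append((href, host, classify_host(host, trusted_domains)))
    return results

# Constructed message body: the hosts and paths are placeholders.
SAMPLE = (
    '<a href="http://amazingcharts.tracker.example/track/click?u=X">User Board</a> '
    '<a href="https://www.amazingcharts.com/">User Board</a> '
    '<a href="mailto:UB@amazingcharts.com">UB@amazingcharts.com</a>'
)
for row in audit_links(SAMPLE, ["amazingcharts.com"]):
    print(row)
```

The trust test is a suffix match on whole labels, so a host such as `notamazingcharts.com` or `amazingcharts.com.other.example` does not pass as trusted.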
Member
Joined: Jan 2005
Posts: 442
According to the email:
"The data accessed included email addresses and some passwords for User Board registrants."
This implies that the AC UB doesn't store the passwords in encrypted form. Isn't that a major security issue?
Michael NY
Yes, it would be nice to know if the passwords were free text or whether they were hashed and salted.
...KenP Internist (retired 2020) Florida
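Added example, not part of the thread and not a description of how the User Board actually stored passwords: the distinction raised in the two posts above, shown as what a copied user table reveals on sight under plaintext, unsalted-hash and salted slow-hash storage. The accounts, the PBKDF2 work factor and the record format are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def store_plain(password):
    return password

def store_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password):
    salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def leaked_view(users, scheme):
    """What a copied table shows directly, before any guessing is done."""
    table = {email: scheme(pw) for email, pw in users.items()}
    readable = sum(1 for email, pw in users.items() if table[email] == pw)
    # Fewer distinct stored values than accounts means equal passwords
    # produce equal records, so password reuse across users is visible.
    shared_visible = len(set(table.values())) < len(table)
    return {"readable_passwords": readable,
            "shared_passwords_visible": shared_visible}

USERS = {  # constructed accounts
    "a@example.test": "Spring2013!",
    "b@example.test": "Spring2013!",
    "c@example.test": "correct horse battery staple",
}

if __name__ == "__main__":
    for scheme in (store_plain, store_unsalted, store_salted):
        print(scheme.__name__, leaked_view(USERS, scheme))
```

Whichever scheme is in use, a password that was in the copied table should be changed, as the notification asks, and changed anywhere else it was reused.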
Member
Joined: Sep 2003
Posts: 12,899 Likes: 34
As everyone knows, this is an important time for AC as it transitions to Pri-Med. AC is working diligently to release v6.5.4 and continues to work on v7 while trying to make the Cloud Version more accessible.
While it probably should be, it is likely that the security of AC's servers that host the userboard may not have been as good as it should have been.
One thing to ponder: According to the 2013 Data Breach Investigative Report, 66% of breaches were not discovered for months to years. AC's was discovered in less than five weeks. This speaks volumes to the safeguards which must have been in place.
Let's look at a few companies which were hacked between 2012 and 2013, and some of them were hacked more than once.
Facebook
Microsoft
Twitter
NBC
Evernote
And, we all know that there have been many, many more huge companies who have been compromised in the past.
It is interesting that while many computer users are wary of storing data in the cloud, very few cloud companies were hacked.
By law, Amazing Charts is obligated to advise anyone whose information was compromised that his or her information was obtained and what was obtained. This is what AC did. They sent emails notifying THOSE USERS whose email addresses and passwords were taken. I do not believe their intent was to notify every Amazing Charts user since they were taking the right steps to rectify the situation, which they have. There seems to be nothing positive to be gained by informing the entire user base, when such a small subset of those were compromised. I do not mean to downplay what happened as it happened to me as well, but, again, according to the DBIR, this year authored by Verizon Security Risk Division which collects data breach information from all over the world, if you are even a fairly well known company with a public website or forum, it is only a matter of time before hackers exploit your weaknesses. The important thing is that you detect it quickly and correct the security holes.
It should be known that any email, whether it is your current profile email or one no longer used, can be harvested as long as it was used at any time in the past.
I suppose it is up to each user who received notification to decide if it is in AC's and/or their best interest to post the events on the board. This is likely the reason it was not posted as a status update.
From my perspective, I wish we could stop this thread right here and use PMs. Just my perspective.
Bert Pediatrics Brewer, Maine