July 19 2010

Flippa Was Hacked So Now What – Is Your Personal Information At Risk?

Geez, a guy takes a few days off (the great blogger’s sin) and all hell breaks loose. The crew over at Is-Hacked.com is claiming they hacked into Flippa’s admin panel late last week. According to the blog post at Is-Hacked.com, they were running some kind of “routine task” at Flippa when they discovered a vulnerability.

According to the post, this was not a malicious hack. They were not trying to break into the system, nor were they trying to do any harm. In fact, according to them, they notified Flippa’s top dogs within hours of discovering the breach. Flippa responded quickly and had the “massive vulnerability” fixed immediately.

When I first read about this I didn’t think much of it. For starters, I’ve never heard of Is-Hacked before and only ran across this story via a Google Alert that had been sitting in my inbox. For all I know, this could be a bogus claim and much ado about nothing. Furthermore, there hasn’t been a word from Flippa about this, which would lead one to believe there isn’t anything to the claim.

Having said that, Is-Hacked has a screenshot of Flippa’s admin panel published on their post. Unless the screenshot is a fake, you can clearly see they had full access to Flippa’s admin panel. They are promising to post a video as further evidence of the breach. The only reason they haven’t posted the video yet, according to the post, is that they are being threatened with legal action by Flippa.

Is-Hacked is recommending that all Flippa users change their passwords for SitePoint, Flippa itself, PayPal, Escrow.com, Google Analytics, and any other account Flippa asks its users to associate with it. The reason for the recommendation is that they claim this was a “massive vulnerability” and that getting access to Flippa’s private data was too easy. If they could figure it out, any hacker could, and most probably aren’t “friendly hackers”, so says Is-Hacked.

So was the hack real and if you believe it was, should you worry that your personal information may have been compromised? Good questions. These are the same questions I’ve been asking myself.

If there was a breach of any kind, you would think Flippa would alert users directly or at least post something on their blog. I didn’t get any message from Flippa and there hasn’t been anything on their blog about it, so who knows what’s going on.

It may be a pain to change passwords for all these accounts, but I suppose it’s better to be safe than sorry. I just wish Flippa had said something either way. If any hack occurred, they owe it to their users to notify them of it. If it didn’t happen, or if the breach was harmless, they should have said something to put this story to rest. Their total silence just makes things worse.

13 comments

1 Dave Slutzkin July 20, 2010 at 5:18 PM

Guys, we’ve now been able to post about this, read it here:

http://flippa.com/blog/news/flippa-security-vulnerability-reported-and-fixed/

No financial details are stored on Flippa and admins have no access to passwords so these have not been compromised.


2 Travis July 20, 2010 at 5:27 PM

Dave:

Thanks for stopping by and updating us on this issue. I appreciate it. Good to hear nothing serious (i.e. financial data and passwords) was compromised.

Travis


3 Clinton July 20, 2010 at 8:47 AM

Justin, the only routine task I do there is get my daily fix of laughs.


4 Travis July 20, 2010 at 8:49 AM

Clinton, you’re so mean to those Flippa folks…lol.

Travis


5 Clinton July 20, 2010 at 9:04 AM

Travis, I get my laughs from the listings, not Flippa. So no meanness to Flippa intended.

However, I’ve just done a blog post about something very disturbing. It seems Flippa admins have access to log in to users’ accounts and read their private messages.


6 Travis July 20, 2010 at 10:37 AM

Good post – and good catch. I didn’t notice that when I saw the screenshot. This story just keeps getting better and better. Flippa has to come out now to put the fires out. They look really silly deleting a blog post that was even retweeted a few times.

Travis


7 Clinton July 20, 2010 at 11:16 AM

If admins had access to your PMs, the natural conclusion is that hackers have had access too.

So if you sent any Flippa user any access via PM – access to your GA account, your server stats, FTP login, domain control or anything else – consider it compromised.

Flippa likely deleted their blog post because they jumped the gun and the site isn’t completely secure yet.

8 Travis July 20, 2010 at 11:25 AM

That’s fine – so they jumped the gun but they shouldn’t remain silent at this point. A simple blog post stating they “posted something too soon,” followed by details of the hack is what they should do at this point. I’m sure they’ll eventually say something but remaining silent at this point makes no sense to me, but what do I know. I’m just a blogger.

Travis


9 IH-Adam July 20, 2010 at 11:40 AM

Admins do/did have access to users PM’s, disputes and after sales dialogue between buyer/seller.


10 IH-Adam July 20, 2010 at 5:09 AM

Is-Hacked.com blogger here.

Just to clarify a few points: Flippa did write a blog post about this but then quickly removed it, not sure why. (http://www.burn-blue.com/image/view/UqsNxHP2/flippa-blog.png)

Video not released yet to give Flippa ample time to fix the vulnerability, as set out in the opening email to them. It will of course remove any doubts of a photoshopped admin CP.

The only “data” we were given easy access to was a .csv of all users’ usernames/emails and obviously users’ telephone numbers, minimum bid price, or whatever data you type in.
Though more experienced/blackhat hackers than ourselves could have looked further into the system, so the recommendation to change passwords is more of a precaution than a necessity.

We emailed them within hours, and even tweeted an admin. A response was immediate, with a detailed email the following day notifying us it was rectified promptly.
At least us developers who sell our going concerns can sleep better knowing Flippa will be assessing the security after this breach.

Since your concerns are mostly about users’ data, here’s an exclusive of what admins can see of their users’ data. This is a screenshot of site admin fotini:
http://www.burn-blue.com/image/view/c6W32JOD/edit-user-top2.jpg
What’s below in the screenshot is: Admin Notes, Suspend User, Change Username and Disputes. It usually shows telephone numbers, but fotini has not added any.

Hello again Justin.
Thanks for detailed post TravisVS.


11 Travis July 20, 2010 at 8:31 AM

Adam:

Thanks for stopping by and for providing additional details and screenshots. What I don’t understand is why Flippa would blog about it and then delete it. It just doesn’t make sense. As a marketplace, you would think that transparency would be of utmost importance.

@Keith: Thanks for the Google cache link! Just to make sure we have a permanent record of the Flippa blog post, I took a screenshot of the cache page you provided. Here is the link to it:

http://www.flipwebsites.com/images/flippa-hacked-blog-post.jpg

Thanks for helping out and getting the cached page to me!

@Justin: If you read the Flippa blog post that we now have a permanent record of, it sounds like the “routine task” was just that – a routine task (signing in as a different user at Flippa). It’s good to know that not much was compromised and that Flippa was quick to resolve the issue.

Travis


12 Keith July 20, 2010 at 4:01 AM

13 Justin @ Flipfilter July 20, 2010 at 12:04 AM

It does make you wonder what kind of ‘routine tasks’ people perform on Flippa :)

