Security issue

[Theo]

UPDATE:

Sedo, please check your email as there is confirmation of a security breach with your system!

I received 3 notifications of password request for my account. To do that, they must know either my username or my email with Sedo. Do you keep track of IP's that request account info and what can be done to add another layer of safety, such as a securty question before emailing the info?

Thanks.

 

[Domagon]

How would it be a security breach for Sedo to email the information to the email address from which the account is controlled?

Ron

 

[fini]

valuenames,, i think you've misunderstood.. people are phishing sedo.

Sadly almost every website's been phished at some point.. and usually there's very little they can do about it except send out an e-mail as soon as they hear of it telling everyone that people are phishing and reminding them not to click on links in e-mails asking for pwords..

fini

 

[Domagon]

Oh ok ... still not sure how that's a "security breach" of Sedo though.

Until email itself is changed - not holding my breath for that to happen, the most one can do, as you suggest, is educate folks and explain that:

* email is easily forged
* email can't be trusted
* email is not private
* don't open file attachments
* don't click links in email
* don't copy links in email

That doesn't leave much left for one to use email for ... in a nutshell, email itself is extremely flawed and nothing Sedo does will change that - all Sedo could really do is to stop using email for communication, which would upset many of their customers and likely result in substantial loss of business and numerous hassles.

Point is that folks need to be educated for phishing isn't going away until SMTP is greatly changed/replaced - not going to happen anytime soon ... until then it's up to users to track their accounts; use of "freebie" email and/or many multiple email addresses is asking for trouble due to missed/lost emails, but I digress ...

Ron

 

[Theo]

It's an ongoing investigation and therefore I can't say much. I suggest that you a) change your account passwords b) check your offers list for any suspicious activity e.g. lowball counter-offers that you never made.

 

[Theo]

I have not received any updates on the matter, detailing how my account & at least another account were compromised.

I have not seen any improvements either, for example logging over a Secure Transaction is mandatory nowadays.

 

[Domagon]

You might as well spill the beans - at least privately ... otherwise, many folks reading your thread will misunderstand the problem and think it's just an email issue while Sedo will likely continue to ignore the issue - out of sight, out of mind ...

Ron

 

[Theo]

Not a an email issue. Someone managed to gain access to two Sedo accounts and interact with eachother. So it's some sort of database breach.

 

[Theo]

No updates, 2 months later.

 

[RTM.net]

Caught my eye, only because of the thread title, which doesn't mention SEDO. Just to say, on our accounts, we haven't received any abnormal SEDO phishing attempts in the last quarter.

Plenty of banking / eBay / Amazon offers, LOL

Nothing on the newswires about a SEDO phishing scenario either... g

Rob