Subeta security risk

[Seerow]

We are currently investigating a security issue that just sprung up.

If you clicked on the link that was posted in the news, to a 'jellyneonews', and have a neopets account, I suggest you change your password. There is a NEOPETS cookie grabber going around, that will steal your account.

That was on the Subeta is Down page for a brief span, but seems to be removed now. I don't know how serious it is or how long the news post in question was up as I never saw it, but if you did click that link I would change your passwords. And maybe Subeta's too to be on the safe side.

[Officer 1BDI]

I missed this, too, so thanks for the heads up Seerow.

I wonder what's up with the Neo-related hackings (?) lately.

[Goldenchaos]

Seems like they just want to give them a bad name. Or trying to start a "war"

[lamia]

this bites, I saw it, clicked it.. have now changed my passwords for subeta, neo, and gaia just to be safe...

[Jessi]

There's another new post on the down page:

We are dealing with a security issue.

When the site comes back up, I suggest changing your password.

As always, thanks for your patience and support!

Blah. I have no problem changing our passwords, but aren't they supposed to be 100% encoded now so people CAN'T find them out? I haven't been on Subeta all day, so I doubt I was 'cookie grabbed' or anything, but still. It's not exactly encouraging news.

[bonecrivain]

I clicked on the link without really looking at the news post, which was stupid, I know. I closed the window as soon as I saw that it was leading offsite, and I cleared my cookies, added a PIN, changed my password, and am running Spybot just in case. I'm not too worried about my Subeta account, but I am wondering if it's possible for something like that to collect saved password information for other sites. Like online banking or email, things like that. Should I be concerned enough to change all my passwords?

[Usul_Princess]

I'm not too worried about my Subeta account, but I am wondering if it's possible for something like that to collect saved password information for other sites. Like online banking or email, things like that. Should I be concerned enough to change all my passwords?

I was wondering the same thing too. I was on moments before the site was forcefully shut down for "security". How serious is this? If we're talking about CG'ing and changing passwords and drastic things for Subeta, how do we know that other private info is safe?

[Keith]

Change your neopets password, that's what they were after. They linked to a page with a neopets cookie grabber on it.

Your Subeta account is really actually pretty safe, I'm just saying to change passwords JUST to be safe. They couldn't see passwords, even on my account (and if they could, they're hashed) so it wouldn't have done them much good.

As for how they're DOING this, I assume it's via some sort of code exploit, and today we pushed out over 100 file updates for security changes. Basically, it's what we've been working on, we were going to finish, test, and push out like, parts of the site at a time. Instead, today, we pushed out what we've done so far all at once, so there might be bugs.

Mostly, it seems like they were just after neopets information.

[Jessi]

THIS just got posted on the news:

Posted by Keith at 05:39 pm
Click here for your free 100000 SP for today only!
Limited time offer!

In place of Keith's warning. Obviously somethign fishy is still up. Want my advice? Avoid Subeta until this is 100% over, heh.

[Goldenchaos]

This reminds me of all the spam links on DA ...that lead you to a fake login screen when you clicked on the provided link.

[AngharadTy]

You should change all passwords everywhere once a month. Few people indulge in this. ;)

Trying to change my password on Subeta, it did seem to change my password, but I got a blank error. It brought me back to the password page, but with this line of text added:

The following error has occured:

Even the errors are misspelled. >.<

[Goldenchaos]

..so I suppose I should change my Neo password.

The thing is that a handfull of people tend to use the same password as everything else, thus, they get your Neo account they can get everything else.

I learned my lesson the hard way.

[mellaka]

I got into the habit of playing Subeta in a different browser from other sites at home because, honestly, I didn't trust the site's security 100% when I joined. Unfortunately, I've gotten lazy at work and visit it in the same browser as Neo and other stuff. I think I'm going to use a separate one at work now too.

[Seerow]

I guess Keith self froze his account earlier this evening, and Amber's had the admin abilities taken away. So I guess this is more serious then they are letting on in the news post, though that's hardly surprising.

I changed my pw for Subeta, but arg, I hate changing pws for sites. I always forget what I change them to later

[lavender]

One of the bugs: Buying from a usershop with an apostrophe in the shop name will eat your sp and not give you an item. I probably wasted around 50k (or more!) during quests 'cause I didn't notice my sp was being taken. If your shop name has an ' in it, change it so people can GET the items they're trying to buy from you I feel bad for anyone who bought anything from my shop since I had an ' in it

Luckily one of the prizes I got from Maleria more than makes up for the sp I lost!