MicrostockGroup

Agency Based Discussion => Bigstock.com => Topic started by: luissantos84 on February 09, 2014, 20:16

Title: account hacked ???
Post by: luissantos84 on February 09, 2014, 20:16
just opened my email account @ gmail and found out that my BigStock account has been hacked because I have an email from BigStock saying that my email address was changed to [email protected]

entered BigStock and it looks like the hacker got a plan that now has 98 credits and downloaded 16 pictures already

after logging out I can't log in anymore because they changed the password

cool stuff BigStock ;D

Title: Re: account hacked ???
Post by: Mantis on February 09, 2014, 20:19
Woah, that's a problem. Keep us posted.
Title: Re: account hacked ???
Post by: luissantos84 on February 09, 2014, 20:21
Woah, that's a problem. Keep us posted.

Hi Luis Santos,

Your account email address at Bigstock has been changed to [email protected].

Please use this new email address when logging into your Bigstock account. If you did not request this change or have any questions, just reply to this email.
   
   

Cheers,
The Bigstock Team
http://www.bigstockphoto.com

just replied, will see how it goes :)
Title: Re: account hacked ???
Post by: KimsCreativeHub on February 09, 2014, 20:25
Eek! That's crazy
Title: Re: account hacked ???
Post by: cathyslife on February 09, 2014, 20:26
Pretty gutsy for the thief to use a fraud.su name. Wonder why that didn't send a red flag to bigstock? Hope you get it straightened out.
Title: Re: account hacked ???
Post by: luissantos84 on February 09, 2014, 20:33
Pretty gutsy for the thief to use a fraud.su name. Wonder why that didn't send a red flag to bigstock? Hope you get it straightened out.

yeah, quite an usual name for hackers looking at google results ;D
Title: Re: account hacked ???
Post by: Pixart on February 09, 2014, 21:35
Hey Luis, I hope you thought about changing all of your passwords!  Sorry that happened to you, and I hope you can let us know that Bigstock is standing by you.
Title: Re: account hacked ???
Post by: KimsCreativeHub on February 10, 2014, 01:35
Yea, I thought that name was strange... I think some of these hackers do this to get hired somewhere.

My best to you also Luis


My Very Best :)
KimsCreativeHub.com
Title: Re: account hacked ???
Post by: bunhill on February 10, 2014, 03:10
Have you used one of those third party tools / apps which require you to effectively give them your login details ? Or logged in using public or open wifi ?
Title: Re: account hacked ???
Post by: luissantos84 on February 10, 2014, 06:16
Have you used one of those third party tools / apps which require you to effectively give them your login details ? Or logged in using public or open wifi ?

no, I always login from the same IP, BigStock is now checking this out
Title: Re: account hacked ???
Post by: luissantos84 on February 15, 2014, 20:34
6 days now

a few replies but still cannot log in and portfolio not online as well, not great indeed, even if they are being extra safe it is taking too long IMO
Title: Re: account hacked ???
Post by: Mantis on February 15, 2014, 21:34
6 days now

a few replies but still cannot log in and portfolio not online as well, not great indeed, even if they are being extra safe it is taking too long IMO

it sucks that an agency couldn't [wouldn't] quickly fix your account.  Maybe it's possible that they are trying to use your account to find the person involved and can't say anything. Who knows.  I hope they get it resolved soon, Luis.  Just SUCKS! 
Title: Re: account hacked ???
Post by: klsbear on February 15, 2014, 22:49
It's a federal holiday here in the U.S. on Monday and some offices are closed too.  Not sure about BS but it could delay results further too.  I hope they get it resolved for you soon.
Title: Re: account hacked ???
Post by: luissantos84 on February 19, 2014, 11:09
important notice

BigStock just sent me an email saying they believe it was a breach due to a website, I highly recommend you guys (contributors) to check if there is any place in the internet with your FTP credentials, I don't know how but there is one site that is displaying my username/email/password for over 20 agencies, really insane, somebody must have given that information, BigStock believes it was a third party service that uploads our images to multiple stock agencies but the most weird is that I never use that type of services, always on my pc and with filezilla
Title: Re: account hacked ???
Post by: stockphoto-images.com on February 19, 2014, 11:24
important notice

BigStock just sent me an email saying they believe it was a breach due to a website, I highly recommend you guys (contributors) to check if there is any place in the internet with your FTP credentials, I don't know how but there is one site that is displaying my username/email/password for over 20 agencies, really insane, somebody must have given that information, BigStock believes it was a third party service that uploads our images to multiple stock agencies but the most weird is that I never use that type of services, always on my pc and with filezilla
This is concerning. Just because of this very reason, I never signed up or used any third party uploaders/sales report programs. This is just scary.

Do you know which "site" it was? How do you know that it was for over 20 agencies if you don't mind me asking?
Title: Re: account hacked ???
Post by: luissantos84 on February 19, 2014, 11:26
on the famous http://pastebin.com/

this is quite a serious matter, don't know what I can do but this should be investigated properly
Title: Re: account hacked ???
Post by: luissantos84 on February 19, 2014, 12:10
other contributor, it never ends, tons of txts loaded with this information

(https://dl.dropboxusercontent.com/u/8294845/paste.JPG)
Title: Re: account hacked ???
Post by: bunhill on February 19, 2014, 13:11
FileZilla warns of large malware campaign (http://www.infoworld.com/d/security/filezilla-warns-of-large-malware-campaign-235227)

Quote
Spoofed versions of the open source FTP program circulating on third-party websites are designed to steal log-in credentials
Title: Re: account hacked ???
Post by: luissantos84 on February 19, 2014, 13:23
guess I won't use it again, will stick with agency uploader(s)
Title: Re: account hacked ???
Post by: Jo Ann Snover on February 19, 2014, 13:45
guess I won't use it again, will stick with agency uploader(s)

Or FTP software like Fetch (Mac) or FTP Voyager (what I used to use on Windows pre 2008)
Title: Re: account hacked ???
Post by: luissantos84 on February 19, 2014, 13:55
guess I won't use it again, will stick with agency uploader(s)

Or FTP software like Fetch (Mac) or FTP Voyager (what I used to use on Windows pre 2008)

how can we be sure that those aren't going to be hacked? ;D
Title: Re: account hacked ???
Post by: fritz on February 19, 2014, 13:59
Looks like windows FTP upload is the safest way!
Title: Re: account hacked ???
Post by: Jo Ann Snover on February 19, 2014, 15:24
guess I won't use it again, will stick with agency uploader(s)


Or FTP software like Fetch (Mac) or FTP Voyager (what I used to use on Windows pre 2008)


how can we be sure that those aren't going to be hacked? ;D


In the case of Fetch (http://fetchsoftworks.com/fetch/security), because the data that would be of interest to hackers isn't stored centrally anywhere (it's on my systems behind a firewall) and the software lives on my Macs having been purchased from a developer who would, I trust, inform users if somehow an update contained malware.
Title: Re: account hacked ???
Post by: Tabimura on February 19, 2014, 15:32
I stopped using Filezilla ages ago, when finding that all sensitive data is stored in plain text files on local pc. I always had antivirus, firewall and every imaginable security feature but I still didn't like how Filezilla developers actively refused to introduce some sort of encryption to login data - saying that it's user's responsibility. I've been very happy with CuteFTP Pro since then :)
Title: Re: account hacked ???
Post by: Uncle Pete on February 24, 2014, 21:54
I didn't want to say anything because of past debates about Mac and security. But here's in the news: http://news.yahoo.com/apple-readies-security-fix-mac-ios-flaw-214138710.html

"Cluley said Apple's iOS update fixed "a critical vulnerability that could allow hackers to intercept what should have been secure communications between your iPhone and SSL-protected websites. That means, potentially, online attackers could grab your user ID or passwords as you attempted to log into popular websites."

Do you have a Mac Luis?

As for Filezilla, if you download from a trusted site, like the source, it's fine. If you just search for "download filezilla" you could be at risk. I use cnet.com or tucows. But don't blame the software product for something that's got another cause.

Here's one cause: Trojan.Silentbanker is a Trojan horse that records keystrokes, captures screen images, and steals confidential financial information to send to the remote attacker.  Make sure your computer isn't still infected (if it was?)

Just because something steals passwords from one software, don't assume it was THAT software that caused it. Most of the time people get attacked by visiting infected sites or opening a file with the trojan built into something innocent looking.

But no matter what, run a virus software that checks before loading the system files, (in safe mode for you Windows users) or it can just regenerate itself on the next boot.
Title: Re: account hacked ???
Post by: YadaYadaYada on February 25, 2014, 08:26
guess I won't use it again, will stick with agency uploader(s)

Did not hack FileZilla, they hacked your whole computer. Passwords you stored for FileZilla in unencrypted files. They have everything that was not encrypted on your whole computer.
Title: Re: account hacked ???
Post by: Colette on February 25, 2014, 12:24
Filezilla usernames and passwords are indeed saved on your harddisk in plain text. (C: Users/(your username)/Appdata/Roaming/Filezilla/Sitemanager.xml)
But data (usernames and passwords included) are also sent over the internet unencrypted.
(That is with all FTP software afaik. It is possible to make a secured connection with FTP, but not with the stock agencies. This must be done from both sides. They all use standard FTP and that is not encrypted. Correct me if I am wrong.)

For better safety you can choose to not save the passwords in Filezilla (or other FTP client), but to use software like Keepass and copy and paste your passwords each time when you need them. Delete the logs afterwards.

Or install a portable version of FTP client on usb-stick and start from there. This way passwords are not saved on your harddisk. (Of course this method is useless when you have your usb-stick added to your computer all the time.)

But using all these solutions, this way the usernames, passwords and data are still sent unencrypted over the internet. So perhaps the best (but also most time-consuming) solution is logging in at an agency and using their upload features.

Filezilla is opensource software, so when data should be encrypted, info about the encryption is also open. As the maker says about this: “It is not a bug, it is a feature.”

By the way: When someone has got access to the user account on your computer it is also possible to make your saved passwords visible in Firefox. To avoid people from doing so, you can set a master password in Firefox. (You can find this in: Extra/Options/Safety)
I am not sure about how other browsers handle this.
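A way to check what a saved-sites file exposes, following the point above about Sitemanager.xml. This is an added example, not code from the thread or from the FileZilla project; the element names (`Server`, `Host`, `Protocol`, `Pass`), the `encoding="base64"` attribute and the protocol codes 0 and 6 are assumptions about the file layout, and the sample data is constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample in the sitemanager.xml layout (hosts and passwords are made up).
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.agency-one.example</Host><Port>21</Port><Protocol>0</Protocol>
      <User>contributor1</User><Pass>hunter2</Pass>
      <Name>Agency One</Name>
    </Server>
    <Server>
      <Host>ftp.agency-two.example</Host><Port>21</Port><Protocol>0</Protocol>
      <User>contributor1</User><Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Agency Two</Name>
    </Server>
    <Server>
      <Host>sftp.agency-three.example</Host><Port>22</Port><Protocol>1</Protocol>
      <User>contributor1</User>
      <Name>Agency Three</Name>
    </Server>
  </Servers>
</FileZilla3>"""

# Assumed protocol codes: 0 = FTP, 6 = FTP restricted to plain text.
CLEARTEXT_PROTOCOLS = {"0", "6"}


def password_issue(pass_el):
    """Describe how a <Pass> element stores its secret, without revealing it."""
    if pass_el is None or not (pass_el.text or "").strip():
        return None
    encoding = pass_el.get("encoding")
    if encoding is None:
        return "password saved as plain text"
    if encoding == "base64":
        try:
            base64.b64decode(pass_el.text.strip(), validate=True)
        except (binascii.Error, ValueError):
            return "password field marked base64 but not decodable"
        return "password saved base64-encoded (reversible, not encrypted)"
    return None  # some other encoding; not judged here


def audit_sitemanager(xml_text):
    """Return one finding per saved site that has at least one issue."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        issues = []
        issue = password_issue(server.find("Pass"))
        if issue:
            issues.append(issue)
        if (server.findtext("Protocol") or "").strip() in CLEARTEXT_PROTOCOLS:
            issues.append("protocol allows unencrypted FTP login")
        if issues:
            findings.append({
                "site": (server.findtext("Name") or "(unnamed)").strip(),
                "host": (server.findtext("Host") or "").strip(),
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"{finding['site']} ({finding['host']}): " + "; ".join(finding["issues"]))
```

The findings name the site and the kind of exposure only; the stored password is never copied into the output.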
Title: Re: account hacked ???
Post by: luissantos84 on February 25, 2014, 12:27
guess I won't use it again, will stick with agency uploader(s)

Did not hack FileZilla, they hacked your whole computer. Passwords you stored for FileZilla in unencrypted files. They have everything that was not encrypted on your whole computer.

easy man, I don't have sex tapes or other ;D
Title: Re: account hacked ???
Post by: luissantos84 on February 25, 2014, 12:30
Do you have a Mac Luis?

As for Filezilla, if you download from a trusted site, like the source, it's fine. If you just search for "download filezilla" you could be at risk. I use cnet.com or tucows. But don't blame the software product for something that's got another cause.

don't have a Mac and I have downloaded Filezilla from their website not from a torrent somewhere, it's freeware anyway ;D

case is solved and portfolio online for a few days
Title: Re: account hacked ???
Post by: stockphotoeurope on February 25, 2014, 12:48
As Colette wrote, plain FTP - in use at every agency except Veer - transmits login and password unencrypted over the internet; and some web uploaders too. So it's easy for a hacker to capture that information not just from your pc but from packet sniffing.

So the only secure thing to do would be to use two different passwords, one for safe https login and one for FTP, but unfortunately most agencies don't; I guess hackers are more interested in stealing our money than uploading pictures to our account.
Title: Re: account hacked ???
Post by: luissantos84 on February 25, 2014, 12:56
As Colette wrote, plain FTP - in use at every agency except Veer - transmits login and password unencrypted over the internet; and some web uploaders too. So it's easy for a hacker to capture that information not just from your pc but from packet sniffing.

So the only secure thing to do would be to use two different passwords, one for safe https login and one for FTP, but unfortunately most agencies don't; I guess hackers are more interested in stealing our money than uploading pictures to our account.

which FTP program are you using?
Title: Re: account hacked ???
Post by: stockphotoeurope on February 25, 2014, 13:03
which FTP program are you using?

Cross FTP. Because it works on Linux too, and while I use Windows for editing, I use an old Linux netbook for nighttime uploads: silent, energy-saving way to avoid keeping my main PC on at night.

Anyway, I don't think the FTP client makes any difference as far as safety is concerned.
Title: Re: account hacked ???
Post by: Colette on February 25, 2014, 13:22
About the why and who of the hacking I have no idea. It is done by accident I suppose. Hackers search for money. Stealing images doesn't make much sense, (although perhaps it is possible that some websites with dubious content get their unwatermarked images this way. There is a huge market for all sorts of data, so it is also sellable.)

People are always the weakest chain. When they find someone using the same password for all the agencies AND paypal account… bingo!
The reason to try to avoid this is, of course, the trouble that it brings, not the risk of stolen images in the first place.
Most likely (or is it probably?) Luis has done nothing wrong, but only had bad luck.

Title: Re: account hacked ???
Post by: Uncle Pete on February 27, 2014, 02:37
Absolutely no blame or criticism for Luis. I think the answer has been cleared up, what I was trying to say and didn't do very well, was anything that stores passwords unencrypted, Filezilla is one, and ftp itself has security issues.

Classical FTP clients, web page editors, file managers. Popular applications like DreamWeaver, CuteFTP, Total Commander, etc. account for majority of FTP credentials leaks. It's not limited to Filezilla.

I use ws_ftp which encrypts passwords but as has been pointed out, if someone hacks the site that I connect to, or reads the data transfer, or gets into my system and copies that file... I'm not any better off.

Glad to hear it was repaired. Hope to not hear any more of these from anyone else.
Title: Re: account hacked ???
Post by: sfe-co2 on August 02, 2016, 23:51
Hi all,

My Bigstock account got hacked, similar to Luis, except the email and FTP is now [email protected]. That's changed from my original email, and my earnings have been taken too. I know this because the Bigstock account is open on another computer.

Can't log back in once I log out since the hacker changed my login password.

The forum is quite long. I shall try and read the threads, but if someone could help in the meantime, that'll be great.

Thanks in advance.
Title: Re: account hacked ???
Post by: lbarn on August 03, 2016, 13:31
Luis got burned by using filezilla FTP program, he contacted big stock and they restored his account.  Filezilla data dumps were posted online with lots of usernames/passwords in them.  I stopped using filezilla after this incident.

Contact big stock through their website, they should be able to restore your acct.
Title: Re: account hacked ???
Post by: dbvirago on August 04, 2016, 11:26
I just got an email from them saying that I can reset my password by following a link. The link was legit, but I had not requested my password be reset. I first went to the site and saw that I had been logged out and it wouldn't let me log in with my current password. I changed the password and sent them an email.
Title: Re: account hacked ???
Post by: redo on August 04, 2016, 12:42
I changed my password at bigstock, cause someone changed the password from my girlfriend at bigstock. She reset the password and now it works. But someone looked in her account, and now has her address and paypal-mail. Not good. She asked bigstock why this could happen and is waiting for a response.
Title: Re: account hacked ???
Post by: redo on August 04, 2016, 13:05
But when I tried to login a second time, it doesn't work. So bigstock thought I stole my own password or what?

So, I mailed the support and wait for an answer.
Title: Re: account hacked ???
Post by: ehrlif on August 04, 2016, 15:18
I also could not log in as they would not accept my password. Had to change password and was able to log back in without issue. But, I am very concerned over personal info and how password was changed in the first place. Sent email to bigstock. Waiting for reply.... I am really hoping this was an internal glitch and not a hack.
Title: Re: account hacked ???
Post by: Dodie on August 04, 2016, 16:37
I just received three emails from Bigstock:

- the first email prompts me to resetting my password and announces the second one
- the second email provides a link to reset my password
- the third email knows nothing about the first two and announces me that my password was changed and I should contact support if I didn't request the change.

After reading the first email, I was wondering if it was authentic but when I went to sign in with the old password, I couldn't so I was forced to change it.

I changed my password at bigstock, cause someone changed the password from my girlfriend at bigstock. She reset the password and now it works. But someone looked in her account, and now has her address and paypal-mail. Not good. She asked bigstock why this could happen and is waiting for a response.

This is not a Bigstock problem, unfortunately it is much bigger than that. In this case you should change all passwords on the double, gmail, PayPal..........

Here is an interesting article about this year's compromised emails (http://siliconangle.com/blog/2016/05/04/200-million-emails-compromised-is-yours-on-the-list/). You can check if yours was compromised here (https://haveibeenpwned.com/) and/or here (https://isleaked.com/).
Title: Re: account hacked ???
Post by: dbvirago on August 04, 2016, 18:17
Yeah, apparently I missed the first email, so all is good.
Title: Re: account hacked ???
Post by: Stock Wife on August 04, 2016, 20:02
We got these e-mails today, too. Does anyone actually have knowledge of what the concerns are here? The e-mails were suspicious and we didn't act on any links in them. But we did end up having to request a password change and making it. 
Title: Re: account hacked ???
Post by: LifeofRileyDesign on August 04, 2016, 22:00
I got the email too this morning. What alarms me is the lack of detail:

Dear Marina,

To make sure you continue having the most secure experience possible on Bigstock, we’re regularly monitoring our site and the Internet to keep your account information safe. As part of this routine monitoring, we discovered a list of email addresses and passwords posted online. While the list was not Bigstock-related, we know that many customers reuse their passwords on multiple websites.

As a precaution, we would like to validate that your account information is up to date and accurate. You will be receiving a second email shortly with a link to reset your password.

If you have any additional concerns please contact Bigstock support.

Sincerely,

Bigstock Security Team


They are quick to say it's not Bigstock related - Who did it originate from then if it wasn't big stock? How many emails and passwords are involved? Hundreds? Thousands?

Bigstock is now part of Shutterstock - is it SS's fault? Is my SS account in danger too?

I don't trust these emails so I went to the site (did not click any link on any email) and changed my password that way.

Title: Re: account hacked ???
Post by: Dodie on August 05, 2016, 02:02

They are quick to say it's not Bigstock related - Who did it originate from then if it wasn't big stock? How many emails and passwords are involved? Hundreds? Thousands?

Bigstock is now part of Shutterstock - is it SS's fault? Is my SS account in danger too?

I don't trust these emails so I went to the site (did not click any link on any email) and changed my password that way.

It's true, it is not BS related. I myself sent them an email on an irritated tone and now I regret it.

I left a link above about how these gangsters sell stolen accounts for 50 roubles.

Btw, how could you change your password without clicking on the link in the email? Once they send out the email they also block your account so you can't sign in with the old password any more?
Title: Re: account hacked ???
Post by: Freezingpictures on August 05, 2016, 04:25
Mine got hacked too. Today I received a message from Bigstock that my e-mail was changed to my original e-mail the one I always had with them. But I did not change anything. At the same time I got a message "Your Bigstock payout email address has been updated to (PayPal) "
This was around midnight. Then I logged in to Bigstock this morning and saw that there was a payout of over $450 on July 11th . But I never requested it and it never reached my paypal account.
Title: Re: account hacked ???
Post by: Lana on August 05, 2016, 05:27
So many of us - I failed to log in to Bigstock with my old password yesterday. Then saw the same password reset email. I reset and logged in without problems afterwards, my earnings are untouched and so is my paypal account. Sorry to read someone's payouts are gone :o
Title: Re: account hacked ???
Post by: dirkr on August 05, 2016, 05:52
I also got those two emails. As I don't like clicking on links in emails (even if they do look legit) I sent a message to Bigstock support if this really came from them. No answer yet...
But, as others, I can't log in to my BS account any more with my old password...
Title: Re: account hacked ???
Post by: r2d2 on August 05, 2016, 08:53
I also got those two emails. As I don't like clicking on links in emails (even if they do look legit) I sent a message to Bigstock support if this really came from them. No answer yet...
But, as others, I can't log in to my BS account any more with my old password...

same here!
Title: Re: account hacked ???
Post by: Bauman on August 05, 2016, 09:20
I also got those two emails. As I don't like clicking on links in emails (even if they do look legit) I sent a message to Bigstock support if this really came from them. No answer yet...
But, as others, I can't log in to my BS account any more with my old password...

Same here !
Title: Re: account hacked ???
Post by: redo on August 05, 2016, 10:15
No reaction from bigstock, but for me problem solved. clicked->forgot password. after this I got mail from bigstock to reset the password. I can login with new password.
Title: Re: account hacked ???
Post by: dirkr on August 05, 2016, 13:01
Got a response from them, their emails were legit.
Clicking on the link in the second email just leads to the "forgotten email" page anyway. Could have had that easier...
Title: Re: account hacked ???
Post by: Dodie on August 05, 2016, 14:13
I received an answer too, they are just protecting us.

Quote
We apologize for the confusion.

This was not a breach to the Bigstock database.

There have been high profile breaches that have been made public recently and we occasionally scan this data programmatically in an effort to protect our users. As a precaution, we have reset passwords on accounts that may or may not have been compromised.

We can confirm that data in your account does not appear to have been changed.

We see that you were able to change your password and login.

Please let us know if you have any additional questions.

Kindest regards,
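How a service could run the kind of scan this reply describes, as an added example that is not Bigstock's code: it takes a leaked `email:password` list and marks which of its own accounts need a forced reset. The record layout, the PBKDF2 storage scheme, the function names and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email, password):
    """Build a user record the way this example's hypothetical service stores it."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


def parse_dump(lines):
    """Yield (email, password) pairs from 'email:password' lines, skipping junk."""
    for line in lines:
        email, sep, password = line.strip().partition(":")
        if sep and "@" in email and password:
            yield email.strip().lower(), password


def accounts_to_reset(users, dump_lines):
    """Map email -> 'confirmed' (leaked password is the current one) or 'listed'."""
    by_email = {u["email"].lower(): u for u in users}
    flagged = {}
    for email, leaked in parse_dump(dump_lines):
        user = by_email.get(email)
        if user is None:
            continue  # not one of our accounts
        reused = hmac.compare_digest(hash_password(leaked, user["salt"]), user["hash"])
        if reused:
            flagged[email] = "confirmed"
        else:
            flagged.setdefault(email, "listed")
    return flagged


# Constructed data: three accounts and a made-up dump in email:password form.
USERS = [
    make_user("alice@example.com", "sunset-2014"),
    make_user("bob@example.com", "a-unique-passphrase"),
    make_user("carol@example.com", "another-unique-one"),
]
DUMP = [
    "alice@example.com:sunset-2014",   # same password reused on the breached site
    "Bob@Example.com:old-password",    # listed, but password differs here
    "mallory@example.net:whatever",    # not a customer
    "garbage line without separator",
    "",
]

if __name__ == "__main__":
    for email, status in sorted(accounts_to_reset(USERS, DUMP).items()):
        print(email, status)
```

Resetting both tiers matches the reply's "may or may not have been compromised": a "listed" account has a different password here, but its owner is still a known target.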
Title: Re: account hacked ???
Post by: redo on August 05, 2016, 16:01
We also got an answer from bigstock and reset the passwords.