Caravan and Motorhome Club's website down! (1 Viewer)

[seasideBill]

Example: I got a blackmail email. To prove they'd hacked me, they told me my password. Except I use a password manager and unique passwords, so I know exactly which website that password was from. It was a tiny e-commerce site that sold American candy that went bust. That breech isn't on HaveIbeenPwned. Needless to say, I ignored the blackmail.

Had exactly the same experience a few years back…. the data breach was Asda. I know because the disclosed password was based on a formula I use. Also ignored the email.

 

[Pausim]

I came up clear, my wife did not. Her leak was ULMON/City Maps To Go. We have both deleted the app and cleared any connections. She always uses complex unique passwords so we feel we have this covered. Thanks for the link and the reassurances about it being legitimate.

 

[maison]

They still have our £150 worth of vouchers that we paid for and were due to be delivered to our daughter on her birthday. Obviously the cyber attack had laid them low before they were due to be delivered by e-mail.

Now we have to hope that they have a record of our payment or our credit card company will have to get involved.

 

[DT]

We have seen successful attacks on hospitals, banks and airlines to name a few targets. Reading the communication the club are following advice and we all hope that no personal member details have been stolen but the culprits in this event are the hackers probably located out of the UK.

 

[BOOMEL]

I come from a Cyber background. If they have our credit card details they (or their partners) have to comply with a standard called PCI DSS (which has many controls / protections around it). In the case of this breach, in the email they state that they are working with the ICO (Information Commissioners Office) whereas in the majority of cases, to resolve it, they will be working with the NCSC (National Cyber Security Centre - a part of GCHQ). They have not indicated what kind of cyber attack it is (more than likely Ransomware), which will mean they will be off air for a while they look for a clean backup to restore. Looking at the domain, I suspect that they are hosted by a Telecomms company in Germany, who will be doing the majority of the resolution. They should be getting back to us all in 2 days. When / if we do get back online with them, the most important thing is to change your password. If you have virus protection (something like Bitdefender), make sure you run it and check your email addresses for exploitation tracking. Regards, BOOMEL.

^{_{Subscribers  do not see these advertisements}}

 

[Vaman]

Do a google search for MOAB, this is the Mother Of All Breaches at an almost unbelievable 12TB of data.
Thats 12,000 GB of data!! Scary scary stuff.

 

[BOOMEL]

PS use a password manager like Lastpass to avoid same password across multiple sites. Enable two factor authentication wherever possible

 

[starquake]

I've had similar with O2 (who I didn't even use at time as had migrated to another provider 3 years prior). I used a unique to them email on signup, and clearly from what it received they were hacked (no-one could guess the unique email) as it wasn't related to the company in any way. Then had my O2 password disclosed.... all about 3 years after I left them, I think that breach was "publically" disclosed in media though. It's a good thing I've used unique to site passwords and emails for "many" years really.

 

[FrankNicklin]

I use Apple Keychain so all my passwords are unique.

 

[Andyb01]

PS use a password manager like Lastpass to avoid same password across multiple sites. Enable two factor authentication wherever possible

This is good advice and don't re-use passwords. Lastpass is a good app (there are others too: 1Password, Dashlane, Keeper - prices and functionality vary).

I also work in Cyber Sec and I guess my concern about this attack relates to insurance data on units (location, value, alarms etc) but hopefully it isn't targeted for that reason - just good old-fashioned extortion.

Here's a good article from the NCSC that covers staying safe online - well worth a read.

My first post btw as I only joined today - although I've been a 'reader' for a while - I'll post a 'hello post' on the introduce yourself forum.

Andy

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

Indeed thats the best advice, ideally using a password manager so all your sites are different passwords:

I would suggest their response to this is a "matter" of learning, and I doubt they have any rehearsed "playbooks" for this in place at present based on observation.

If the response was better it would have included "We store all our passwords using X method, ensuring they are not reversable, hence we do not require you to change your password, and do not expect the hackers had access to it" if it was an open response. Or if they don't and they already know they store it reversably (ie, a hash with a trivial salt value, with not much defences) they should have advised you to change your password (or any similar password) you use on CAMC on other websites.

The above is what "good" open disclousure requires, and I can't believe 3 days in they don't know the method or hashing used to protect your password, as this would be a day 1 finding on any forensic engagement worth its money. In my mind the disclosure on password change is POOR.

Erm. You quoted someone else (CAB96) and swapped my name in. Thought you were good at IT Give credit where it is due
He is as you have said perfectly correct but I was chasing up SFTP/FTPS confusion at the time of that post

 

[Gromett]

Just as a point of interest and I don't expect anyone to go to the extremes I do.
I have a unique email address for every single service I sign up for. AND each one has a unique and randomly generated password.

So when I get a spam email from say amazon6343@mydomain.com and it is not from amazon I know they are the source of the spam.

It is a tiny bit of work up front. When I sign up or order from a new company I have to add an alias. But I have been doing it for 25 years now so not really any hardship more of a habit.

But it means. If anyone has a data breach, or sells my email address or otherwise lets it escape... I KNOW without any exception or prevarication who was responsible. And occasionally I have been able to help a company before they knew they had a problem.

My advice if it is possible is. Get your own domain name. Pay for an email service where you can add aliases. Use a unique email address and password per login. It will save you time and effort in the long term.

But probably more trouble that in is worth for most people.

The current situation is. I have an email address caravanclub@mydomain.com (not giving the domain away) If I get spam or phishing emails from that address I will change it to caravanclub3527@mydomain.com and that is all I need to do.
I do not need to worry about them using the same login anywhere else. OR using that same email address and guessing passwords on other services. The problem is exclusively and literally isolated to the company with the problem
Without either sharing email or password the hackers get what I have given to the company linked to that login which is rarely very much.

 

[Gromett]

PS: the other advantage is with unique email/password combos is. I tell caravanclub@mydomain.com to change my email to caravanclub3527@mydomain.com and then delete the caravanclub@mydomain.com alias.
This stops all future spam from that mailbox. As the hackers will sell it on... If you use a single email address they will sell it on and you will then end up with every hacker and his dog trying to phish/scam you.

 

[FrankNicklin]

Just as a point of interest and I don't expect anyone to go to the extremes I do.
I have a unique email address for every single service I sign up for. AND each one has a unique and randomly generated password.

So when I get a spam email from say amazon6343@mydomain.com and it is not from amazon I know they are the source of the spam.

It is a tiny bit of work up front. When I sign up or order from a new company I have to add an alias. But I have been doing it for 25 years now so not really any hardship more of a habit.

But it means. If anyone has a data breach, or sells my email address or otherwise lets it escape... I KNOW without any exception or prevarication who was responsible. And occasionally I have been able to help a company before they knew they had a problem.

My advice if it is possible is. Get your own domain name. Pay for an email service where you can add aliases. Use a unique email address and password per login. It will save you time and effort in the long term.

But probably more trouble that in is worth for most people.

The current situation is. I have an email address caravanclub@mydomain.com (not giving the domain away) If I get spam or phishing emails from that address I will change it to caravanclub3527@mydomain.com and that is all I need to do.
I do not need to worry about them using the same login anywhere else. OR using that same email address and guessing passwords on other services. The problem is exclusively and literally isolated to the company with the problem
Without either share email or password the hackers get what I have given to the company linked to that login which is rarely very much.

Just get an iPhone and use the hide my email address option, so much easier than creating email aliases.

 

[Gromett]

Just get an iPhone and use the hide my email address option, so much easier than creating email aliases.

Sorry that makes no sense If you don't give your email address for instance to this forum, how would they then know who to login and who to send emails to?
Think you may either not understand what that feature does or .... Sorry am at a loss there.

Deleted a big paragraph of extras. I think you may be misunderstanding something here, or I am not explaining myself well?

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

I understand they use World Pay for site bookings but what about annual subscriptions? Would they hold bank details for those?

Just my guess. But they keep bank details for those who use Direct Debit which is a different system and cannot be abused like a credit/debit card.

For Credit/Debit cards they don't keep the details only the auth/token. Which cannot be abused by hackers.

 

[FrankNicklin]

Sorry that makes no sense If you don't give your email address for instance to this forum, how would they then know who to login and who to send emails to?
Think you may either not understand what that feature does or .... Sorry am at a loss there.

Deleted a big paragraph of extras. I think you may be misunderstanding something here, or I am not explaining myself well?

Hide my email creates a random email address that forwards emails to your legitimate email account and is handled via your iCloud account. If one is compromised you just create a new random email address. Your real email address is never exposed.

 

[Gromett]

Hide my email creates a random email address that forwards emails to your legitimate email account and is handled via your iCloud account. If one is compromised you just create a new random email address. Your real email address is never exposed.

ok. That is a specific to apple services that achieves exactly the same as I was suggesting. A unique email/password per service. But not all of us have Apple size budgets
And not all of us trust apple or even any cloud service.

 

[FrankNicklin]

ok. That is a specific to apple services that achieves exactly the same as I was suggesting. A unique email/password per service. But not all of us have Apple size budgets
And not all of us trust apple or even any cloud service.

So where do your emails reside, downloaded via POP3 to a device, if not they are on a remote server or cloud service. I guess you have a personal domain from the content of your post and you mentioned your mailbox, so your hosting company is keeping your emails safe I presume. Also Hide my email is not unique to Apple, it’s also available on Android albeit not a native function. Cloud isn’t ether, it’s a physical server somewhere. If you don’t like any cloud service, don’t use the internet. If you use Android, you trust Google with your data in the same way I trust Apple with my data. The issue with your solution is the domain is common across all your email addresses and the domain is unique to you as I guess you own it.

 

[Gromett]

So where do your emails reside,

On my own server. I do not use any cloud services.

downloaded via POP3 to a device,

No, Stored on the server which is secure and accessed using IMAP4 via my desktop, laptop and for a single mailbox on my phone. My phone only has access to one non essential mailbox as I don't trust google/android.

if not they are on a remote server or cloud service.

Remote server or cloud service is exactly the same thing. What matters is who owns it and how is it operated.

You have a personal domain and you mentioned your mailbox, so your hosting company is keeping your emails safe I presume. Also Hide my email is not unique to Apple, it’s also available on Android albeit not a native function. Cloud isn’t ether, it’s a physical server somewhere. If you don’t like any cloud service, don’t use the internet. If you use Android, you trust Google with your data in the same way I trust Apple with my data.

What you are saying is that apple knows your real address and hands out a temporary fake email address to services you sign up for? Apple I agree are more trustworthy than pretty much any other tech company on that front but you are still reliant on them and need to have paid for their services and bought into their eco system. No thanks.

You use google services you are the product.
You use apple services you have to pay through the nose so you are not the product.

^{_{Subscribers  do not see these advertisements}}

 

[zac]

Seems there are quite a few this time Mother Of All Breaches released 24/01/2024

Keep an eye out all that's for sure in the days/months ahead.

 

[starquake]

On my own server. I do not use any cloud services.

I do same as gromett, but moved away from running it on my own server (I am quite capable of this, and still have the server).
I now just use office365 with my own domain name and many aliases. It's quite reasonably priced and my company pays for it technically as the primary alias is my business email today, but in reality it's one of those costs of doing business as they actually give my company more credit for another service we use as part of the deal than the deal costs. (its about 350/yr for 1000usd of credit). (Gromett you may want to look at this for your business if you ever need azure credit, it's the partner network action pack deal, it's 5 full o365 licenses including domain name support + 1000usd in azure credit for 350gbp).
The Microsoft and Google run a domain options both support domain names, and I do reccomend both to family.

And apologies for misquote earlier gromett this forum screws up when you are editing multiple replies and I don't always notice.

 

[FrankNicklin]

On my own server. I do not use any cloud services.


No, Stored on the server which is secure and accessed using IMAP4 via my desktop, laptop and for a single mailbox on my phone. My phone only has access to one non essential mailbox as I don't trust google/android.


Remote server or cloud service is exactly the same thing. What matters is who owns it and how is it operated.


What you are saying is that apple knows your real address and hands out a temporary fake email address to services you sign up for? Apple I agree are more trustworthy than pretty much any other tech company on that front but you are still reliant on them and need to have paid for their services and bought into their eco system. No thanks.

You use google services you are the product.
You use apple services you have to pay through the nose so you are not the product.

In what way am I paying through the nose for Apple. I don’t pay for Apple services only paid for the device I’m using And get free iCloud capabilities.

Android Phones can be more expensive than Apple phones depending on spec, paying through the nose is subjective. A rolls Royce still gets to from A to B in the same way as a bicycle does only some prefer the comfort of the rolls Royce because they can afford it. I use Apple because I like their Eco system.

 

[Gromett]

I do same as gromett, but moved away from running it on my own server (I am quite capable of this, and still have the server).
I now just use office365 with my own domain name and many aliases. It's quite reasonably priced and my company pays for it technically as the primary alias is my business email today, but in reality it's one of those costs of doing business as they actually give my company more credit for another service we use as part of the deal than the deal costs. (its about 350/yr for 1000usd of credit). (Gromett you may want to look at this for your business if you ever need azure credit, it's the partner network action pack deal, it's 5 full o365 licenses including domain name support + 1000usd in azure credit for 350gbp).
The Microsoft and Google run a domain options both support domain names, and I do reccomend both to family.

You couldn't pay me to go anywhere near Microsoft. I run my own server and probably pay more than I need to. But when it comes to security I pay the price to ensure I am secure/safe.
I do not use ANY cloud services. They can change the terms, ramp up the prices, change the offering or even withdraw the service all together and you are screwed. I do everything I need myself.
I use Libre Office. Host my own mail server/service and manage my own DNS and spam filtering.
I have 12 different mailboxes with over 500 email aliases (built up over 25 years) and in the last 30 days there has been 1 spam email hitting my mailboxes.

and apologies for misquote earlier gromett this forum screws up when you are editing multiple replies and I don't always notice.

No problems.

 

[coopc]

May have been said before. It’s a long thread
From Director General Nick Lomas letter
“Data security is of paramount importance, to us, our members, guests and suppliers”

Clearly a lie as they would not have been hacked if that was the case !

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

In what way am I paying through the nose for Apple. I don’t pay for Apple services only paid for the device I’m using And get free iCloud capabilities.

Android Phones can be more expensive than Apple phones depending on spec, paying through the nose is subjective. A rolls Royce still gets to from A to B in the same way as a bicycle does only some prefer the comfort of the rolls Royce because they can afford it. I use Apple because I like their Eco system.

I paid £112.89 for my phone back in 2018. It does exactly what I need it do... I am not in the market for a Rolls Royce to get me to the local Coop and I don't need to buy an expensive Apple device just to give me email aliases.
I am not criticising you for doing so. But you are paying a high price for that service. So when you say

Just get an iPhone and use the hide my email address option, so much easier than creating email aliases.

You are demanding a very high price for something that is basically an email alias.

 

[Gromett]

“Data security is of paramount importance, to us, our members, guests and suppliers”

Clearly a lie as they would not have been hacked it that was the case

That is a little unfair. Even the best of us make mistakes, and system errors can happen even when you are careful. They may have trained their staff extremely well but still the temp who came in to help out may have got caught by a phish email. etc.

My view is. Every company at some point will get exploited/hacked. How they handle it is the important part. The 5 days that CAMC didn't admit to it and give good advice to their members is what they should be criticised for.

edit: PS: I am not defending them. They have responded badly and the new system was atrocious. but even if the new system was perfect how they handled it was sub par in my view.

 

[FrankNicklin]

You couldn't pay me to go anywhere near Microsoft. I run my own server and probably pay more than I need to. But when it comes to security I pay the price to ensure I am secure/safe.
I do not use ANY cloud services. They can change the terms, ramp up the prices, change the offering or even withdraw the service all together and you are screwed. I do everything I need myself.
I use Libre Office. Host my own mail server/service and manage my own DNS and spam filtering.
I have 12 different mailboxes with over 500 email aliases (built up over 25 years) and in the last 30 days there has been 1 spam email hitting my mailboxes.



No problems.

That’s fine, each to their own. You clearly have the time to manage your own services in that manner, many of us don’t.

I presume you are running Linux on your server, desktop and laptop if you dislike Microsoft so much.

I ran Sun Solaris Unix systems back in the 80s and 90s, love love Unix/Linux, but I my line of business it’s Microsoft all the way to Support my clients day to day business including M365.

All Apple devices run versions of Linux including MacOS, another reason why I like it. I also develop for Apple and Android so need cross platform compatibility.

 

[FrankNicklin]

I paid £112.89 for my phone back in 2018. It does exactly what I need it do... I am not in the market for a Rolls Royce to get me to the local Coop and I don't need to buy an expensive Apple device just to give me email aliases.
I am not criticising you for doing so. But you are paying a high price for that service. So when you say

You are demanding a very high price for something that is basically an email alias.


View attachment 858643

I also have an Honor Android phone I bought for £100 last year and an Android Samsung Tablet for testing Android Apps I develop. Needs must.

 

[Gromett]

That’s fine, each to their own. You clearly have the time to manage your own services in that manner, many of us don’t.

It is what I do for a living. But that aside my advice about buying your own domain and getting a mail service with alias was not meant for everyone and I did say

Just as a point of interest and I don't expect anyone to go to the extremes I do.

I presume you are running Linux on your server, desktop and laptop if you dislike Microsoft so much.

Yes, Linux on everything these day. Although I do have a separate hard drive with Windows on it for when I need to support clients and can't remember how to do things.

I ran Sun Solaris Unix systems back in the 80s and 90s, love love Unix/Linux, but I my line of business it’s Microsoft all the way.

If your work requires microsoft then fair play. We all have to make compromises to earn a living.

All Apple devices run versions of Linux including MacOS, another reason why I like it. I also develop for Apple and Android so need cross platform compatibility.

No Apple devices are based on BSD not Linux. Both related to Unix kind of but different beasts. OS/X and IOS are related to linux like 2nd or 3rd cousins but more different than alike after recent years with Systemd etc.
BSD is getting more an more attractive as I miss the init.d days.

^{_{Subscribers  do not see these advertisements}}