Notice Of Zygor Guides Data Breach

Posted by Zygor, 2 weeks ago.

We have received reports that some users who signed up with email addresses used only for Zygor services have since received emails at those addresses from companies other than Zygor.

First, we want to make it clear that Zygor has never sold anyone’s information. We would never do this.

Based on the information received, we believe a data breach occurred while we were upgrading our vBulletin forum. We believe the vulnerability has since been closed. Unfortunately, this was not before data may have been exposed.

The data that was exposed would have been limited to email addresses, first and last names, usernames, and salted password hashes (not plain-text passwords), as we do not store any information beyond this on our server. To be clear, no payment information, home addresses, or other sensitive data was compromised.

We want to express our sincerest apologies, and we have taken measures to correct this issue.

We recommend changing your password for Zygor and anywhere else you use the same password. Although the stored passwords were salted and hashed, anyone holding a copy of the hashes can attempt to crack them offline, so any password you reused on another site should be treated as exposed. Because names and email addresses were included, also be wary of unexpected emails that claim to come from Zygor.

24 thoughts on “Notice Of Zygor Guides Data Breach”

  1. hellkitten

    I have to agree with others here about the increase in spam emails being sent to my email address, which I only use for Zygor Guides. So really, what is the whole truth in this situation? How much of a data breach was involved? How about actually telling the truth here, as a lot of our personal information is included in our Zygor accounts, including our bank details. Also, why did we (or most of us) find out about the breach from Reddit instead of being notified hours/days after by Zygor themselves? It should have been an immediate notification. To this day, why have we not been sent an email requesting us to reset our passwords etc.? That is the simplest of steps to take, and to this day, nothing. I for one will definitely be thinking about keeping my subscription and staying with Zygor Guides. Unfortunately, this is a big let-down for me, as the guides are really good, if a wee bit buggy here and there and not liking other addons etc., but you can put up with this and that; a security breach is an entirely different ball game. Sorry, but that's the thick and thin of the matter: should we be trusting them with our details or not? That is the question all subscribers must ask themselves. Is it worth the risk anymore? It's up to each person to answer that, not me or anyone else, just all the subscribers. As for apologies, well, they are accepted, but it doesn't make it any better unless you really mean it. I trust you do, BUT?

    Reply
    1. Zygor Post author

      As you’ll see in the main post, no payment details were given out as we do not store this information on our servers. And we did send out an email that links to this post which suggests changing your password.

      Reply
  2. Kristi Coleman

    Breaches happen, a lot. It would have been good business practice to advise their customers when it actually happened. That’s all I’m saying.

    Reply
  3. Not putting my name on here to be leaked

    Won’t be using or paying for this again. PS: since y’all leaked our info, I was wondering if you’re gonna post yours as well?

    Reply
  4. Not putting my name on here to be leaked

    I as well will no longer be using or paying for this. And PS: I was wondering if I could have y’all’s information as well, since you leaked ours.

    Reply
  5. Jon

    Hello,

    Your e-mail states that your breach occurred when the forums were migrated.

    – When did this migration take place?
    – When were you made aware of the security breach and what actions have you taken since then?
    – What was the avenue of attack? Saying it was during a migration is very vague. Please be specific (Did you email a DB out by accident? Did a privileged account get taken over? etc.)
    – What are you doing to mitigate future security risks?
    – Why have you not sent out an email telling people to reset their passwords?

    Reply
    1. Fiamma

      I’m with Jon here. Why did I have to find this out via a community member linking me a Reddit post, which links to this blog post? I should have been notified by you via email.
      When did this breach take place? I’ve received a massive uptick in spam email in the last few months. If this has been caused by Zygor, why has it taken this long for it to be discovered, unless you were indeed selling our information?
      Have you complied with the relevant laws for your country/state in terms of reporting this breach formally? (I can’t find any of your location data, only that of Recurly, Inc. and AWeber Communications.)

      Reply
  6. Lmaorektnoob

    Lmao, glad I signed up with fake names and used some shitty password. Bruh moment for people who give out their real names to websites they don’t trust…

    Reply
  7. Bubble0seven

    Stop ya bitching and just change your passwords. It’s not like your information is really THAT secure on the internet, for fuck’s sake. Maybe you lot should be more concerned about your own security habits etc. and use VPNs and different passwords for every site, and stop making it out that the sole responsibility for your security is the company’s. Take some responsibility yourselves and never trust any site implicitly. This shows how stupid some of you are, trusting that any site on the internet is 100% safe and secure.

    Reply
    1. Sven Teirlinck

      Just reading the other reactions… yours is the only one here with brains (sorry for the rest, I know that the truth hurts).

      I must confess: I know all the rules of security that you gave here, but it is true, I don’t use them like I should, and is there anyone out there (on the internet) that really does? The reason: we are all too lazy to really take care.

      The greatest security risk is ourselves. We can deny that, but if we recognize it, then we have made the biggest (and the first) step towards better security.

      Reply
    2. Fiamma

      For me it’s not entirely about the security. It’s that they didn’t have the courtesy (legal requirement? unsure) to email me to notify me about this breach when they realised.
      I had to find out from a community member posting a Reddit link in my Discord, which then linked to this blog post.
      How was I supposed to know that I needed to change my password if I hadn’t been shown the link? That’s my problem.
      Breaches happen; do the right thing when they do.

      Reply
      1. Mike

        This is basically how I feel about this whole thing. Why was this posted 6 hours ago (as of writing this) and not sent as an email saying that there was a data breach? It won’t do them any good to send me an email, but they should have sent an email to all users. Imagine the people who don’t check Reddit or the site.

        Reply
      2. Bubble0seven

        I agree that their way of dealing with this is not as professional as I would have hoped, but in all honesty you get what you pay for, I guess, at the end of the day. They should have, could have done a lot of things. The claim that they didn’t respond until it was posted on Reddit is simply an assumption made by a rightfully angry member base. Maybe they were getting legal advice about how they were to handle the situation; nobody knows, so I would quit getting hung up on particulars that can’t be 100% proven.

        As for their practice of not informing people of important updates, moves, transfers and breaches: this ALL should have happened, and they should have EMAILED everybody, irrespective of whether it’s the law telling them to do so. It would simply be the respectful and right thing to do for those that pay to help them do what they do.

        It has happened, and it is a wake-up call to all those involved that your security on the internet is not as secure or as safe as you would hope, and not all companies do the right thing by their subscribers/members.

        Reply
      3. Bubble0seven

        This is understandable, but the only issue I have with the posts here is people being abusive and childish in their responses. I wonder how many would act the same way if they were not hiding behind anonymous names. Security, I believe, always comes down to the person themselves to ensure they are covered; if you feel it’s not secure enough, then do not use the service.

        As I stated to somebody else, I understand the anger about not being notified by Zygor earlier. Whether they did it because they were called out on Reddit, or were getting legal advice before making it public, that is simply an assumption by people that truly do not know the real reason for the delay.

        The usual reply I see is people screaming at Zygor to get better security techs, but that doesn’t solve the issue. There are multi-billion corporations that employ teams of security techs etc. that have still had data breaches, so let’s be a bit realistic here: it can happen to any company, no matter how prepared they are.

        At the end of the day, people should be more angered over the lack of communication from Zygor and want a reason why this was not shared or dealt with sooner. Fiamma, your streams rock and I think you’re awesome 🙂 Have a great one.

        Reply
  8. Asd

    Please update the post telling us how the passwords were hashed. If it was an old version of vBulletin, it might have been a simple md5 of salt + password, which is extremely fast and easy to brute-force, and the raw passwords might have already been exposed.

    Modern hashing, on the other hand, is almost impossible to crack.

    Reply
    1. Zygor Post author

      Our dev team said, “Apparently vBulletin 4 uses PHP’s built-in ‘password_hash’ function, which tries to be modern, using Blowfish or Argon2i.” Hope that helps.

      Reply
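Comment 8 asks how the passwords were hashed and why it matters, and the main post only says they were salted and hashed. As an added example (written for this page, not code from Zygor or from the vBulletin project), the Python below applies two schemes to constructed "leaked" records and runs the same small dictionary attack against each: the legacy vBulletin 3/4 scheme, md5(md5(password) + salt), and a modern memory-hard KDF. Python's standard library has no bcrypt or Argon2, so hashlib.scrypt stands in for what PHP's password_hash() would produce; the wordlist, salts and records are all constructed here, and nothing in it asserts which scheme Zygor's forum actually used.

```python
"""Dictionary attack against a leaked password table under two hashing schemes.

Legacy side: vBulletin 3/4 stored md5(md5(password) + salt), a fast hash.
Modern side: scrypt from the standard library, standing in for the bcrypt/
Argon2 output of PHP's password_hash() (neither is in Python's stdlib).
Wordlist, salts and "leaked" rows are all constructed for this example.
"""
import hashlib
import hmac
import os
import time

# Constructed wordlist; a real attack uses millions of entries plus rules.
WORDLIST = ["123456", "password", "qwerty", "letmein", "wowguide2019", "dragonslayer"]

# Work factor for scrypt: 128 * N * r bytes of memory per guess (16 MiB here).
SCRYPT_N = 2 ** 14


def vb_legacy_hash(password: str, salt: str) -> str:
    """Legacy vBulletin 3/4 scheme: hex md5 of (hex md5(password) + salt)."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard hash; each guess costs SCRYPT_N * 8 * 128 bytes and real CPU time."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=8, p=1, dklen=32)


def dictionary_attack(target, salt, hash_fn, wordlist):
    """Hash each candidate with the victim's salt and compare to the leaked value.

    Returns (cracked_password_or_None, guesses_tried, seconds_elapsed).
    """
    start = time.perf_counter()
    for tried, candidate in enumerate(wordlist, 1):
        if hmac.compare_digest(hash_fn(candidate, salt), target):
            return candidate, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def build_leaked_records():
    """Constructed rows as an attacker would see them: (hash, salt, hash_fn)."""
    legacy_salt = "aB3x"            # constructed per-user salt
    scrypt_salt = os.urandom(16)    # random per-user salt
    return {
        # weak, wordlist password under the fast legacy scheme
        "legacy": (vb_legacy_hash("letmein", legacy_salt), legacy_salt, vb_legacy_hash),
        # same weak password under the slow scheme
        "scrypt": (scrypt_hash("letmein", scrypt_salt), scrypt_salt, scrypt_hash),
        # a password absent from the wordlist: fast hash alone does not crack it
        "legacy_strong": (vb_legacy_hash("gnome-mage-7-tundra", legacy_salt), legacy_salt, vb_legacy_hash),
    }


def run_demo():
    """Attack every constructed record and report per-guess cost for each scheme."""
    results = {}
    for name, (target, salt, hash_fn) in build_leaked_records().items():
        cracked, tried, secs = dictionary_attack(target, salt, hash_fn, WORDLIST)
        results[name] = {
            "cracked": cracked,
            "guesses": tried,
            "us_per_guess": secs / tried * 1e6,
        }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:14s} cracked={r['cracked']!r:24s} guesses={r['guesses']} "
              f"cost={r['us_per_guess']:.0f} us/guess")
```

The number that matters in the output is the per-guess cost: the legacy md5 construction runs in microseconds on one CPU core and at billions of guesses per second on a GPU, so every password in a common wordlist falls almost immediately, while a tuned scrypt, bcrypt or Argon2 makes each guess cost tens of milliseconds and megabytes of memory. Either way, the password that is not in the attacker's wordlist survives, which is why the main post's advice to rotate any reused password is the right response regardless of the scheme.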
  9. Angela M. Garrison

    Yeah, well, thanks but no thanks… they got into my Microsoft and EA Games pretty quickly; now I can’t even recover my account… it says “It doesn’t exist”… nice.

    Reply
  10. Coty

    Your business practices are disgusting. It took a callout on Reddit before you even said anything. Like, you didn’t know a breach happened until you saw the post?

    Reply
  11. Alex

    Your apologies mean nothing, honestly. You just exposed my real-life name and personal email address, and the password too (yeah, “encrypted”, but it can be decrypted by anyone in a matter of hours/days, as with every other data breach). An apology won’t undo this, really. You should think next time and hire some more competent security staff. You just destroyed my day, pretty much, with this news. There’s no way I’ll ever be subscribing to you again.

    Reply
