
    Zygor is paying lip service to security

    I just purchased the Zygor guide and have emailed this concern to their webmaster. However, I wanted to warn people of this security risk before they purchased and potentially compromised their battle.net accounts and more.

    The first page that displays after you click the Order Now button from http://www.zygorguides.com is a standard, non-secure http (port 80 non-secure) site, http://www.zygorguides.com/amember/signup.php. All customers who submit their data today are providing the following unencrypted data:

    1. Name
    2. eMail address
    3. username
    4. password

    Since most people like to stick to a few passwords so they can remember them, this is a high risk issue. For example, since the new Battle.net logins require our eMail address, hackers will already have the first half to getting in. On this site, they currently will have both the username and password if you use the same information for your Zygor account. If I were a hacker, I would surely be monitoring these submitted orders to steal accounts.

    If you want to buy, I recommend using a password that isn't the same as any other and changing this password as soon as they secure this page and their password page. Yes, believe it or not, when you change your password after enrolling, this site is also not secure today. BUYER BEWARE.

    Hope they fix it quickly,

    Teresa Lee, MCSE

    #2
    They emailed my username and password to me without a request! DOWNRIGHT SCARY

    After I posted this information below, I found an automated email from them in my inbox with both my Username and Password. eMail is NOT SECURE. In fact, by design, eMail was designed to pass mail to other mail servers quickly, NOT SECURELY. If you have a Zygor account and haven't used a unique password, I HIGHLY RECOMMEND CHANGING YOUR PASSWORDS ON ALL ACCOUNTS THAT USE EITHER THIS USERNAME, EMAIL ADDRESS OR PASSWORD.



      #3
      Virus emailed to me after purchasing Zygor..... Coincidence or not? You be the judge

      Sadly, after submitting this information to the customers of Zygor, I received a notice that my eMail security filter had caught a virus sent to me. It was sent the same minute that I received my username and password email from Zygor. =(

      *****************************
      VIRUS BLOCKER MESSAGE STATUS
      *****************************

      MESSAGE QUARANTINED

      Virus Detected: CMU-10717-20100114

      Message Details:
      From: "UPS Manager Jodie Miranda" <support@ups.com>
      Subject: UPS Tracking Number 7490531.
      Date: Fri, 15 Jan 2010 01:04:29 +0000

      For your protection, Virus Blocker has quarantined a message sent to you because it contains a virus.

      Note: We do not recommend that you view a message that has a virus attached, even if you have up-to-date antivirus software. However, if you choose to view it anyway, you can: Sign in to Web Mail (https://webmail.earthlink.net), then click the Virus Blocker folder on the left.

      Sincerely,

      Support

      ************************************************** *******************
      This is an Administrative Message. It is not spam.
      From time to time, we will send you such messages in order to communicate important information about your subscription.
      ************************************************** *******************




        #4
        What does Zygor have to do with UPS?
        80 Tauren Hunter - 75 Blood Elf Paladin - 54 Tauren Druid - 47 Undead Mage - 25 Dwarf Paladin - 26 Human Mage



          #5
          So in other words you got a spam e-mail and believe the people should take extra steps when buying Zygor's Guide to make sure they don't get hacked.
          Surely the two things are unrelated?



            #6
            UPS Question

            In answer to your UPS question, whenever malicious emails are sent with viruses, they usually send with a commonly trusted subject and/or sender in order to get people to open it.

            I haven't received a virus by mail in ages, perhaps even years. The fact that I received this malicious email the same minute as my username and password email is suspicious.



              #7
              I'm an email engineer. If you want to send your username and password in the clear to strangers on the web, feel free. However this is the way that accounts become compromised. I'm not picking on Zygor here. There are many sites that do this. I just happen to care about the Zygor community. My hope is that the web administrators will fix this soon.



                #8
                In all fairness though, if people use common sense and don't use their WoW email, username or password they should be fine tbh. Even if they did use their WoW email I don't think that a hacker could do very much with a single email. I might be mistaken but as long as they don't know the email password then they haven't really got any way to get your information.



                  #9
                  I can't help but think about why this hasn't happened to anyone else out of the over 33,000 zygor members. That's a lot of people to not have even 1 other person mention this happening to them. Maybe they have? One thing I've learned from the zygor team, though, is that they tackle any issues right away so I would think they would've changed things by now. I don't know. I can't say that it is or isn't but without any kind of real proof, I just don't think it's fair to go around pointing fingers. I agree with kcmatt - use common sense and don't use your WoW email, UN, or password.
                  80 Tauren Hunter - 75 Blood Elf Paladin - 54 Tauren Druid - 47 Undead Mage - 25 Dwarf Paladin - 26 Human Mage



                    #10
                    I put this post out there for the more than 80% of users who like to use the same email address and passwords. If you don't fall into that category, this post isn't for you.

                    The fact that Zygor has their username and password account creation AND password recovery on http is still a security problem. Their web admin still has not responded. It has now been 26 hours and counting. I have also emailed the owner of this website to let them know what's going on.

                    I have to ask the techie question... "Where do you think the hijacked battle.net accounts are coming from"?



                      #11
                      I'd say that the hijacked accounts probably have nothing to do with this site. We've had maybe half dozen to a dozen people talk about their accounts getting hijacked out of the thousands of users here.

                      I understand your concern when it comes to the security aspects of the site, but please don't be posting trying to scare people. I'm sure that this is an issue that Zygor will look into with his webmaster, but it is a holiday weekend and Zygor and the rest of the team do this stuff because they want to, not because it's their job. This is their hobby, just like playing WoW is your hobby. Everyone is entitled to have a personal life and for all we know they might be visiting relatives or something.

                      One last thought, patience is a virtue.
                      My Flight Path Follies guide

                      A pessimist knows all women are bad... an optimist hopes they are.

                      I reject your reality and substitute my own.

                      All foreign languages are done with Google Translate.



                        #12
                        I'll help answer the "techie" question. Phisher sites. I honestly find it hard to believe, and this is my sole opinion, that the UPS virus was sent to you because you signed up on Zygor's website. Honestly, people should know by now to not use their World of Warcraft username and password on a website, especially one particularly for a guide inside of the game.

                        From what the rumor is, again this is a rumor that I've heard from god knows where it originated, that WoWArmory has a glitch in its system (the bookmarking system), but it could be wrong, and probably is. If the website was as unsecure as you're saying, then you don't think Blizzard would have caught on by now that most users that were attacked contained the guide as an addon?

                        I think you're overhyping a lot of your stories, and putting a lot of blame on something you have no proof on. You just tried to blame a spam e-mail on a guide, for goodness sake. Thread closed, and from what I can tell Zygor is already looking at this thread as I type. Please, I understand you want to keep the community informed over a very serious issue, however I ask that you don't attack a specific company without providing any facts except claiming you're an "e-mail engineer" whatever that may be.

                        Thanks,
                        Silverhawk11
                        It may seem narcissistic to link this, but it's awesome nonetheless.
