GoFuckYourself.com - Adult Webmaster Forum


evulvmedia 02-10-2012 09:39 PM

Was Paxum.com Hacked?
 
What a strange e-mail!

Quote:

We are glad to inform you that our login security engine has been upgraded to provide enhanced security for all sensitive data.

In order to benefit from the new features, we are kindly asking you to change your password. Enclosed you will find a temporary password that will enable you to login to the site for the first time, at which time you will be prompted to change it. Please select a secure password that is at least 6 characters long, and do not share it with anyone. We also urge you to select a password that is different from any other password you have had with us in the past or may hold with any other secure application.

Normally when a company sends out an e-mail like this it is because they were compromised.

Of course, they usually admit they were compromised, so that any users who also used the same login credentials on other sites could take appropriate action.

Has Paxum been compromised-- in any way?

19teenporn 02-10-2012 09:44 PM

Pathetic thread...

BIGTYMER 02-10-2012 09:46 PM

Could have been.

RuthB 02-10-2012 09:46 PM

No, we are simply upgrading our login security to a better system. Thanks for your concern, but everything is fine. :thumbsup

journalism 02-10-2012 10:10 PM

Until when will this update be done, Ruth? This has been 6-7 hours now!! It's not normal.

B.Barnato 02-10-2012 10:17 PM

Not that it affects me but would one not give a warning well in advance for a downtime due to a planned upgrade?

Operator 02-10-2012 10:18 PM

Fuck your couch

Best-In-BC 02-10-2012 10:33 PM

Nneexxtt

BIGTYMER 02-10-2012 10:35 PM

Now serving #774

keysync 02-10-2012 10:53 PM

At least they're not trying to hide some shit, and sending out the email with ZERO links in it was a good idea IMO

Fat Panda 02-10-2012 10:58 PM

sounds dangerous

PSD 02-10-2012 11:04 PM

For a company concerned about security, it seems a bit odd they would send everyone new passwords in the clear.

Coup 02-10-2012 11:19 PM

Quote:

Originally Posted by RuthB (Post 18751736)
everything is fine. :thumbsup

Change your passwords... lol

k0nr4d 02-10-2012 11:21 PM

There's two options here.
1) They got hacked and they were using plaintext passwords, and don't want to look stupid so they aren't admitting to it. The fact they recommend 'not using any passwords used before with them' supports this.
2) They really did change "login engines" (whatever that is supposed to mean...they are just authenticating off a database anyways), changed the passwords to use a different cipher and couldn't port over the current logins because they were already hashed and didn't know the existing one.

It does seem pretty fucking stupid to send over new passwords in plaintext via email. What's even stupider is their 'automatic authentication'. Ever notice how no online bank has this? How paypal does not have this? There's a reason... There should be no automatic login, and they shouldn't even have you entering the entire password to begin with - only a few random letters from it to prevent keyloggers/etc from getting access.

AllAboutCams 02-10-2012 11:26 PM

what a joke sending passwords via email

epitome 02-11-2012 12:06 AM

So my perfectly randomized unique many character password has been replaced by a password that was emailed to me without any type of security? That alarms me.

epitome 02-11-2012 12:08 AM

Imagine if a program has $55k in there and the password was sent to an email address employees have access to. Wowza.

anexsia 02-11-2012 12:15 AM

lol at sending out passwords via email...a company that handles other people's money should NEVER do that

k0nr4d 02-11-2012 12:55 AM

edit: nevermind, i'll just msg ruth about this on icq

helterskelter808 02-11-2012 01:05 AM

Quote:

Originally Posted by anexsia (Post 18751893)
lol at sending out passwords via email...a company that handles other people's money should NEVER do that

No site of any kind should have to do this. Does Paxum actually store passwords in plain text too? Ie, is it possible to get your password by email as a 'reminder'? I doubt it, but then again I wouldn't expect any site to be so colossally inept as to send passwords via email under any circumstances in this day and age.

k0nr4d 02-11-2012 01:06 AM

Quote:

Originally Posted by helterskelter808 (Post 18751933)
No site of any kind should have to do this. Does Paxum actually store passwords in plain text too? Ie, is it possible to get your password by email as a 'reminder'? I doubt it, but then again I wouldn't expect any site to be so colossally inept as to send passwords via email under any circumstances in this day and age.

They store it in an md5 hash, you can see it in the cookie named 'toplabs' that they store when you login:
a:3:{s:4:"user";s:25:"[email protected]";s:4:"pass";s:44:"passwordhashhere";s:2:"no";i:13;}

What they store in the cookie is what appears to be a base64-encoded md5 hash. It appears to be salted.

scouser 02-11-2012 01:19 AM

Quote:

Originally Posted by k0nr4d (Post 18751936)
They store it in an md5 hash, you can see it in the cookie named 'toplabs' that they store when you login:
a:3:{s:4:"user";s:25:"[email protected]";s:4:"pass";s:44:"passwordhashhere";s:2:"no";i:13;}

What they store in the cookie is what appears to be a base64-encoded md5 hash. It appears to be salted.

that really the cookie they set when logging in? :upsidedow
wow

DarkJedi 02-11-2012 02:59 AM

That's what I thought when I got the email.

It also didn't let me use my old password, told me to change to something different.

adultforum 02-11-2012 03:10 AM

Hmmm, I feel like Paxum was hacked. Another one bites the dust

Dirty F 02-11-2012 03:19 AM

http://image.toutlecine.com/photos/a...-ho-ii02-g.jpg

V_RocKs 02-11-2012 03:38 AM

SHA-256: Generates a 44-character string using the SHA-256 algorithm specified by FIPS-180-2.

DWB 02-11-2012 03:45 AM

Quote:

Originally Posted by anexsia (Post 18751893)
lol at sending out passwords via email...a company that handles other people's money should NEVER do that

No problem. You're being paranoid. Put all your money in there and use it like a bank.

vdbucks 02-11-2012 04:11 AM

Quote:

Originally Posted by RuthB (Post 18751736)
No, we are simply upgrading our login security to a better system. Thanks for your concern, but everything is fine. :thumbsup

I'm sorry but anyone with half a brain and who knows anything at all about security knows this is bullshit.

You do not take your system down for 'scheduled maintenance/upgrades' that haven't been previously scheduled. If this were really the case, your clients would have had at least a weeks notice, if not more.

Companies who are simply upgrading their security do NOT manually reset all of their clients' passwords. And they certainly do NOT email them in plain text. Especially considering you are a financial institution so to speak.

So please, just come out with it so people know what to expect when trusting their funds with your company. Your shit was compromised, and your clients have a right to know the truth. Lying about it here only makes people (who know better) distrust you.
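One way a credential-storage upgrade can proceed without a mass reset, the point made in the post above, as an added example that is not part of the thread and not Paxum's code. The legacy salt-then-password MD5 layout, the record fields and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def legacy_md5(salt: bytes, password: str) -> str:
    # Hypothetical legacy scheme: hex MD5 over salt || password.
    return hashlib.md5(salt + password.encode()).hexdigest()

def pbkdf2(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

def wrap_legacy(record: dict) -> dict:
    """Offline step: strengthen a stored MD5 record without knowing the password."""
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2(md5)", "md5_salt": record["md5_salt"],
            "kdf_salt": kdf_salt,
            "hash": pbkdf2(record["hash"].encode(), kdf_salt)}

def verify_and_upgrade(record: dict, password: str):
    """Check a login; on success return (True, record in the final scheme)."""
    if record["scheme"] == "pbkdf2(md5)":
        inner = legacy_md5(record["md5_salt"], password).encode()
        ok = hmac.compare_digest(pbkdf2(inner, record["kdf_salt"]), record["hash"])
        if ok:
            # The plaintext is available at login, so the MD5 layer can be dropped.
            salt = os.urandom(16)
            record = {"scheme": "pbkdf2", "kdf_salt": salt,
                      "hash": pbkdf2(password.encode(), salt)}
        return ok, record
    if record["scheme"] == "pbkdf2":
        candidate = pbkdf2(password.encode(), record["kdf_salt"])
        return hmac.compare_digest(candidate, record["hash"]), record
    # Bare legacy records are refused once the wrapping pass has run.
    return False, record
```

No user receives a new password in this flow: existing passwords keep working and each record moves to the final scheme at that user's next successful login.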

DarkJedi 02-11-2012 04:13 AM

Quote:

Originally Posted by vdbucks (Post 18752104)
Lying about it here only makes people (who know better) distrust you.

Agreed. Lying about this stuff just makes it worse.

MPGdevil 02-11-2012 04:30 AM

Unable to confirm new password.

Errors :

"The Username must start with a letter, not contain more than one consecutive . or _ . Please enter a value for this field."

What username? There is only an Email and Authorization key field :upsidedow

suesheboy 02-11-2012 04:30 AM

Quote:

Originally Posted by DarkJedi (Post 18752105)
Agreed. Lying about this stuff just makes it worse.

Illegal too.

If they got hacked and you just got lied to, please sue them and complain to the DOJ.

DamianJ 02-11-2012 04:55 AM

Really can't *believe* they sent out passwords in plain text emails.

WTF?

MKA 02-11-2012 05:23 AM

Errors :
Funds were not transferred. Please try again later

I have enough funds (and i'm sending below the daily limit) in my account however i'm getting this message..

Epass part 2 ?

Dirty F 02-11-2012 05:25 AM

Sending out passwords through mail. Especially a company like this.

Seriously, wtf.

journalism 02-11-2012 05:27 AM

The same thing, I cannot transfer funds to my master card

helterskelter808 02-11-2012 05:30 AM

Quote:

Originally Posted by MKA (Post 18752184)
Errors :
Funds were not transferred. Please try again later

I have enough funds (and i'm sending below the daily limit) in my account however i'm getting this message..

Epass part 2 ?

Try not to scare people. I'm sure your funds will soon be in motion.

VladS 02-11-2012 05:42 AM

Why the heck do you carry this on the login page?
  • automatic authentication

L.E. I'll just leave it to that.

12clicks 02-11-2012 05:42 AM

I'm shocked!
Shocked, I tell you!

sixsax 02-11-2012 05:47 AM

http://www.radio-popcorn.com/images/SmileyPopcorn.gif

Drama drama drama! Fucking exciting!

Fletch XXX 02-11-2012 05:51 AM

Hope it's worked out, more and more clients using Paxum to pay me every day.

Dirty F 02-11-2012 06:18 AM

Quote:

Originally Posted by Fletch XXX (Post 18752266)
Hope it's worked out, more and more clients using Paxum to pay me every day.

People actually pay you?

Rothstein 02-11-2012 06:27 AM

I've never used Paxum before and glad about this.

Rothstein 02-11-2012 06:37 AM

Doesn't look like redpass allows you to save passwords.

boneless 02-11-2012 06:40 AM

same shit here:
Errors :

Funds were not transferred. Please try again later

k0nr4d 02-11-2012 07:08 AM

Quote:

Originally Posted by V_RocKs (Post 18752066)
SHA-256: Generates a 44-character string using the SHA-256 algorithm specified by FIPS-180-2.

Yes, but that hash that is stored can be base64 decoded without errors (at least in the case of my hash) - leaving me with a 32-char hash. Give it a shot on yours and see:
http://www.opinionatedgeek.com/dotne.../base64decode/
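The length question in the exchange above, as an added example that is not part of the thread: a 44-character base64 value decodes to 32 bytes whether it wraps a raw SHA-256 digest or the 32-character hex text of an MD5 digest, so only the decoded content tells them apart. The parser covers just the flat cookie layout quoted earlier; the sample password, the address and the helper names are constructed for illustration.

```python
import base64
import hashlib
import re

HEX = set(b"0123456789abcdefABCDEF")

def parse_php_cookie(raw):
    """Parse a flat PHP-serialized array of s: and i: values, as in the thread."""
    outer = re.fullmatch(r'a:(\d+):\{(.*)\}', raw, re.S)
    if not outer:
        raise ValueError("not a PHP-serialized array")
    count, body, pos, items = int(outer.group(1)), outer.group(2), 0, []
    while pos < len(body):
        s = re.match(r's:(\d+):"', body[pos:])
        i = re.match(r'i:(-?\d+);', body[pos:])
        if s:
            start = pos + s.end()
            end = start + int(s.group(1))  # declared length (bytes; ASCII assumed)
            if body[end:end + 2] != '";':
                raise ValueError("string length does not match its content")
            items.append(body[start:end])
            pos = end + 2
        elif i:
            items.append(int(i.group(1)))
            pos += i.end()
        else:
            raise ValueError(f"unsupported token at offset {pos}")
    if len(items) != 2 * count:
        raise ValueError("element count mismatch")
    return dict(zip(items[0::2], items[1::2]))

def classify_pass_field(value):
    """Describe what a base64 'pass' value decodes to, judged by content, not length."""
    decoded = base64.b64decode(value, validate=True)
    if len(decoded) == 32 and all(b in HEX for b in decoded):
        return "32 hex characters (128-bit digest written as text, e.g. MD5)"
    if len(decoded) == 32:
        return "32 raw bytes (256-bit digest, e.g. SHA-256)"
    return f"{len(decoded)} bytes (unrecognized)"

def build_cookie(user, pass_field, no=13):
    return ('a:3:{s:4:"user";s:%d:"%s";s:4:"pass";s:%d:"%s";s:2:"no";i:%d;}'
            % (len(user), user, len(pass_field), pass_field, no))

# Constructed sample values; not real Paxum data.
SAMPLE_PW = b"constructed-sample-password"
MD5_FIELD = base64.b64encode(hashlib.md5(SAMPLE_PW).hexdigest().encode()).decode()
SHA_FIELD = base64.b64encode(hashlib.sha256(SAMPLE_PW).digest()).decode()

if __name__ == "__main__":
    for field in (MD5_FIELD, SHA_FIELD):
        cookie = parse_php_cookie(build_cookie("user@example.test", field))
        print(len(cookie["pass"]), classify_pass_field(cookie["pass"]))
```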

CaptainHowdy 02-11-2012 07:14 AM

http://www.lelanicarver.com/wp-conte.../DontPanic.jpg

nikki99 02-11-2012 07:20 AM

gonna re-change my password again

Fletch XXX 02-11-2012 07:23 AM

Quote:

Originally Posted by Dirty F (Post 18752304)
People actually pay you?

Considering you are the one who has no adult business and I've been in business for over 13 years doing adult, one should ask you the same question?

Look DirtyF, I know you can't stand me, but doubting my success is absolutely mind boggling.

In my sig there are links to what I do.... you? Nothing, you aren't even in adult for the most part, you've even said this on gfy..., when you actually run a business in adult, then maybe you could address me, until then,... run along

run along and go pay some kid 5 bucks on fiver to make harry potter videos (that's what you recently bragged about is your new promo method) LOL

leave adult to those of us who are professional.

Dirty F 02-11-2012 07:27 AM

Quote:

Originally Posted by Fletch XXX (Post 18752451)
Considering you are the one who has no adult business

I stopped reading here :1orglaugh

Fletch XXX 02-11-2012 07:31 AM

oh I'd be willing to bet you read the entire post. LOL :)

you read every other post I make, why stop now.

you quote me every single day trolling, you have a hard on for me, always have.

LOL

