# Zopim live-chat may have been compromised.



## MannDude (Nov 14, 2014)

I had a list of WebHostingTalk's 'unanswered' posts open on another screen, and saw:



Clicked on it, thread was removed and user apparently banned as I can't see his profile either. Though you can read the Google cached version here: http://webcache.googleusercontent.com/search?q=cache:RO7AOsnHcWkJ:www.webhostingtalk.com/showthread.php%3Fp%3D9291666+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

According to http://www.custombuttonco.com/custom-button-co-blog/zopim-chat-security-breach/ (posted today), they were breached, but there is no other source from what I can find online.

Anyhow, heads up.


----------



## Geek (Nov 14, 2014)

If that's true, it marks the 4th or 5th time that's happened I think...

I was emailed the last time they were breached, not sure why I wasn't this time.

Figure I'm pretty well done with them if this turns out to be valid.


----------



## Artie (Nov 15, 2014)

Looks to be real: https://blog.zopim.com/2014/11/15/important-security-update/


----------



## Hxxx (Nov 15, 2014)

> Recently, we deployed a patch to fix performance issues for the system that powers advanced search capabilities in Zopim. That patch inadvertently led to Zopim account holders being able to access the chat records and transcripts of other accounts if they were to run an advanced search of account history. This vulnerability also permitted a limited export of records that included end user email addresses from certain Zopim accounts.


Really bad development practices. Super disappointing. Looks like the patch went directly from the workstation of the developer to production.

Also somebody got fired.


----------



## drmike (Nov 15, 2014)

Bahaha....

Wonder why WHT pulled the post?


----------



## Hxxx (Nov 15, 2014)

drmike said:


> Bahaha....
> 
> Wonder why WHT pulled the post?


$$$$$$$


----------



## wlanboy (Nov 15, 2014)

Performance patch without penetration tests?

Ouch.


----------



## MannDude (Nov 15, 2014)

drmike said:


> Bahaha....
> 
> Wonder why WHT pulled the post?


It's possible they believed the link he posted in the thread was his own, I don't know. I'm posting it over there now, simply because it's important for customers/users of the service to know.


----------



## MartinD (Nov 16, 2014)

Steven's security list sent out an email about this earlier today I think.


----------



## Askforhost (Nov 16, 2014)

If it's true, why haven't they updated their clients?
Never received any update from them, no emails at all.


----------



## fixidixi (Nov 16, 2014)

maybe you are all looking at it the wrong way..

it's not a security hole.. it's a feature..


----------



## vRozenSch00n (Nov 16, 2014)

Aaaaw Sheldon....


----------

