FraudRecord Public Dumps User / Customer Info

[drmike]

Folks who use FraudRecord should note, your details have been public outed / displayed ....

http://www.fraudrecord.com/emails/email1.php

 

[drmike]

Some other exposure of public directory:

http://fraudrecord.com/emails/

 

[XFS_Duke]

dammit, you were supposed to just contact harzem! lol

Awesome...

 

[MannDude]

Well that's concerning.

I like FraudRecord in theory and on paper but @harzem needs to step it up and make it worthwhile. Instead of sending unwanted promotional emails ( ) he could instead charge a reasonable fee for the service assuming it gets hardened and implements features others have requested that'd make it better and more appealing. Well intentioned in the beginning I'm sure but this is a blow and people aren't a fan of the promotional emails either.

Luckily the leak is just email addresses, most of which appear to be public addresses that you could find in WhoIS information or by browsing a website. Hopefully nothing worse comes from this.

 

[drmike]

dammit, you were supposed to just contact harzem! lol

Awesome...

Plain text, open directory.... Been such....

If people in that database who are fans of FraudRecord didn't prior mention it or get it done and done, well... Not my feeling bad...   

People should be slightly concerned about company details and data correlations that can / make / perhaps will be made from accounts.  Probably a bunch of accounts that funnel to one email that in public are multiple unrelated companies... Ho hum.

How hard is an ACL to protect things like this?   Exposure happened,  people got sunburned.

 

[TruvisT]

This explains all the spam.

 

[harzem]

Thanks a lot! It was clearly a security issue on my end,   all I can see is there was a problem uploading the blank index.html so the directory got exposed. 

But instead of alerting me, which a professional would do, you posted it publicly, not only allowing multiple people to access the data, but also run the email script over and over again, causing multiple emails per person.

Really professional thing to do. 

The whole "our emails are exposed" could be prevented if i had checked the directory integrity, or if you contacted me first instead of posting publicly right away. 

Exposure didn't "happen". You exposed it to everyone. 

Anyone who wants to contact me regarding this can send an email to contact@fraudrecord.com as i will not be participating in this discussion. 

 

[drmike]

Blank index.html isn't how you protect a directory.

Index.html isn't how you protect a directory either.

That was the problem and remains the problem.  Not best practices, not good practices. 

 

[DomainBop]

But instead of alerting me, which a professional would do, you posted it publicly, not only allowing multiple people to access the data, but also run the email script over and over again, causing multiple emails per person.

Really professional thing to do.

You sent out another SPAM email blast tonight @harzem after promising that no more SPAM would be sent and you actually have the nerve to make comments about professionalism? What a motherfarking joke.

You need to try reading the FTC guidelines on SPAM and you need to try really hard to stop violating the US federal CAN-SPAM act buddy.

From December:

As for the "emailing practices involved", this was a single e-mail which will be the last according to Harzem. If he does send another e-mail then there's something to discuss but so far Harzem hasn't given me any reason to distrust him.

Well hey, today's email blast would indicate that there is a definite reason to distrust @harzem and that his word doesn't mean crap.

Complaint just filed with the FTC about FraudRecord's violation of the CAN-SPAM law because I have zero tolerance for spamming farktards who think they're exempt from following the anti-spam laws..

 

[XFS_Duke]

I got an email earlier about Phychz or something network dedicates. Although I like the service, I do not like the fact that I get emails which do not pertain to anything that I signed up with them for. I do not care about those dedicated servers. I care about using FraudRecord. Not being spammed by crap none of us care about. 

@harzem, how much do you need to run FraudRecord? I can donate some money if needed, but the emails need to stop.

 

[serverian]

It's offline due to DDoS now. Hope you guys are happy now.

 

[Aldryic C'boas]

And this is why I have always done in-house, and will continue to do so.

 

[DomainBop]

It's offline due to DDoS now. Hope you guys are happy now.

I'd be happy if SecuredDragon and WiredTree would actually act on SPAM reports instead of giving this spammer @harzem a free pass to continue spamming from the same IP addresses he spammed from and was reported for in December.

Plus, the fact that @harzem can't even follow basic security on his own website brings into question just how secure the rest of his site is and whether consumers' info that is stored in the FR database is truly secure or if the same lax security is followed with consumers' info.   Combine the poor website security with the fact that  FraudRecord isn't even a registered business and consumers' info (need I mention FR also allows credit card numbers and PayPal email address "hashes" to be submitted to its database and searched) is being transmitted to a database  which is controlled by an individual who is in a different jurisdiction than the majority of consumers' whose info he is being entrusted with and I'd say there is a definite reason for consumers to be concerned about the safety of their info (anyone who feels like saying "but it's a hash" should see TRUSTe's comments on why hashes should be considered personal info, especially in the case of a service like FR where anyone who registers with FR can do a search of the database and info about the consumer is returned)

And this is why I have always done in-house, and will continue to do so.

In house manual checking, as well as Kount and/or Authorize.net's fraud suite here.  The difference between using services like  Kount/Authorize.net fraud suite which are registered companies and using a 1-man show unregistered business "fraud prevention" outfit like FraudRecord is like the difference between night and day in terms of properly safeguarding consumer's info.

 

[drmike]

I got an email earlier about Phychz or something network dedicates. Although I like the service, I do not like the fact that I get emails which do not pertain to anything that I signed up with them for. I do not care about those dedicated servers. I care about using FraudRecord. Not being spammed by crap none of us care about. 

@harzem, how much do you need to run FraudRecord? I can donate some money if needed, but the emails need to stop.

This was already discussed in December I think it was... about the ad spamming - started with selling ad in the module area, then to outright email.

The emails were to stop and all that fun.  No more were to happen.... but here again, fundraising.

Lots of people would sponsor the project and it appears at least three do as per the front the site company call outs.

Inconsistent ideas vs. actions is what I see from FraudRecord.   Good intentions initially, but dev happened, site launched, providers used and misused and yeah monetization continues in ways people aren't happy with.  While stuff gets filed that isn't fraud in nature, where customers have no rights really, where the system is open but I can't see way to query it in truly open way (outside of that email API play), where transmission of customer data to such third party likely violates privacy regulations in EU and elsewhere.... Those are my points... and best practice fail points....  

Reminds me of Diebold voting machines years ago and their plaintext web disclosure of their source which lead to many revelations about those rigged systems, "unintentionally". 

 

[KuJoe]

It's offline due to DDoS now. Hope you guys are happy now.

Where did you hear this? I see a few attacks today but nothing above 2Gbps which isn't enough to even cause any packet loss. Unless they are targeting their webserver directly, in which case I'm curious how the IP got leaked this time.

 

[drmike]

https://fraudrecord.com/sign-up/

Why can't people sign up now / that pulled and displaying another public directory?  At least that one is empty...

 

[Joshua-Epic]

Oh fantastic news! I don't mind people emailing me, but I do mind unwanted spam.

 

[Munzy]

[snip] all I can see is there was a problem uploading the blank index.html so the directory got exposed. 

[snip] but also run the email script over and over again, causing multiple emails per person.

[snip]

This is honestly, scary......

Are you saying you had a php file that would just execute a whole email event by simply browsing to the link?

 

[k0nsl]

Thanks, by constantly visiting the email script, which I mistakenly left vulnerable temporarily, you have re-sent the emails all over again. Apologies for those who received multiple copies of the email due to re-runs. If you have any questions or criticism, you may direct them at contact@fraudrecord.com - Harzem Yalçýnkaya FraudRecord

KEK  :lol:  :lol:

 

[lbft]

Really professional thing to do. 

The whole "our emails are exposed" could be prevented if i had checked the directory integrity, or if you contacted me first instead of posting publicly right away. 

Exposure didn't "happen". You exposed it to everyone. 

If you were professional you'd recognise that:

1. You hold private information and have a responsibility to adequately secure it, and trying to deflect the blame is unprofessional.
2. The fact that information could leak by you forgetting to upload a blank index.html is strongly indicative of you being unprofessional in your approach to development (unless we suddenly took a trip back to 1998 when I wasn't looking).
3. The fact that you could forget to upload a single file is strongly indicative of an unprofessional deployment process.
4. You exposed it by failing to competently run the site, and if it wasn't made public your arse-covering attitude makes me think your users would never have any idea their information was ever exposed.

It doesn't take a genius to see that the low end of the VPS industry is infested with skids, as evidenced by the scumbag apparently DDoSing you - and your behaviour of sticking your head in the sand when you got busted making such an incredibly fundamental error has convinced me that you're not up to the task of building a system that can survive in that sort of environment.