BundleStars / Security PSA [OT] Skip unless you are a BS customer:
For those that haven't seen it, BundleStars had issues with accounts that may or may not have been compromised recently. They're asking everyone to change their passwords. You might be able to get access to your account for a second, if you were logged in before, but they'll log you out quickly (based on the date of your cookie?), and force you to reset your password.
if you're account's been compromised, it's possible all of your steam keys are floating around on those shady key-reselling sites. I hope that this didn't happen to anyone here.
They only say that the logins were made with a stolen account list. Perhaps it was one of the bundle sites that shut down recently, like BIAB or Desura or that 3rd bundle site. Who knows, it may have even been Origin, Steam, or BS themselves. That said, scuttlebutt on other websites says it that the list was email addresses and either unprotected passwords or completely unsalted Crypt or MD5s of the passwords, which were probably fed into one of those rainbow table services to get the real passwords to fall out. If any of you guys are tasked with a website authentication or Single Sign On (SSO) system, please do the right thing and learn how to properly salt those passwords. Oh, and SHA256 or better, SHA1 and below are subject to collision attacks, which is why SHA1 SSL certificates are no longer any good in the major browsers.
Anyway, back to the password business, it may be better yet, if don't reuse passwords, but most especially not between bundle or gaming sites.
Good luck all! Apologies if this has it's own thread.
Edit: GOG thread on BundleStars attack found
here
