I didn't have a chance to investigate this further, but I wanted to let everyone know who has keys on Bundle Stars. I got the following email today:


We have noticed attempts to access Bundle Stars customer accounts by entering, what we believe to be, stolen email address and password combinations, so we have taken the precaution of resetting all user passwords across the website. Customers' financial information, such as PayPal, credit or debit card details is not stored on the Bundle Stars website, so has NOT been compromised and is not at risk.

We have reason to believe that a number of customer accounts may have been accessed without the permission of the account holder. We think it is likely that an individual or individuals obtained, from the public domain, a list of compromised accounts which have been stolen from other websites.

If your account has been affected, then your email address, password, order history and purchased Steam keys may have been accessed.

Next time you sign in, you will be required to change your password. You will then be able to access your account and order history as normal.

WHEN ENTERING YOUR NEW PASSWORD WE STRONGLY RECOMMEND THAT, TO PROTECT YOUR ACCOUNT, YOU USE A UNIQUE AND PREVIOUSLY UNUSED PASSWORD.

We would also encourage you to update your password across any other websites where you have used the same or similar passwords, and do this as soon as you possibly can.

If your previous email and password combination was unique to Bundle Stars, then your account will not have been affected.

We apologise for the inconvenience and concern that this may have caused you as a member of the Bundle Stars community. We have acted quickly to investigate and take security precautions to protect our customers by removing all passwords so that every customer must choose a new password. We also invalidated the session so that all customers were logged out, and implemented reCAPTCHA.

It is important to stress that our investigation indicates that this breach has not been caused by any compromise of our internal security systems but has been caused by an attack by an individual or individuals that have obtained user and password details from compromised accounts stolen from other websites. Robust security systems and processes are critical to our service and we continuously invest in our information security system to meet evolving threats.

If you have any concerns about your account, please click here to view our FAQ page, or alternatively please contact our support team: support@bundlestars.com

Thank you for your understanding on this matter, and we apologise unreservedly for any inconvenience.
Obligatory link.
(...) Customers' financial information, such as PayPal, credit or debit card details is not stored on the Bundle Stars website, so has NOT been compromised and is not at risk. (...)

At least, the worst didn't happen.
Post edited February 17, 2016 by Vythonaut
But let's also be clear. Seems Bundle Stars security was fine. More than fine, because it noticed the abnormal number of login attempts.

All that seemed to have occurred is somebody was trying a list of previously stolen passwords taken from somewhere else. This is why you should use the same password everywhere.
RWarehall: [...]
All that seemed to have occurred is somebody was trying a list of previously stolen passwords taken from somewhere else. This is why you should not use the same password everywhere.
The main points here are to make sure to use any keys in your Bundle Stars library that haven't been activated and change your password on any other site that had the identical password used on Bundle Stars.

RWarehall is correct (though I think his post has an omission error): Don't use the same password for different sites.
I use unique insane line noise passwords on all sites so it sounds like I've got nothing to worry about other than having to regenerate a new insane line noise password for Bundlestars. There is no way to "test" unused Steam keys that I'm aware of unless you are a game publisher perhaps, so all we can do is either redeem our as yet unredeemed keys if we do plan on using them ourselves, or trade/giveaway them, or keep holding them with the caveat that if they don't redeem at a later time that Bundlestars support may need to reissue new keys.

So far in all my time bundlinating, I've only encountered 2 dead keys for purchased games and the site(s) in question (I forget which sites) gave me new keys right away without asking questions when I contacted their support, so it's been a good worry-free experience so far.

It's a good time to redeem keys we know we want for ourselves though I imagine, but I wouldn't panic unless people start reporting a wash of bad experiences.
skeletonbow: So far in all my time bundlinating, I've only encountered 2 dead keys for purchased games and the site(s) in question (I forget which sites) gave me new keys right away without asking questions when I contacted their support, so it's been a good worry-free experience so far.
How much time passed between the purchase of those 2 dead keys and the time you tried to redeem them to find that they were invalid?
chadjenofsky: How much time passed between the purchase of those 2 dead keys and the time you tried to redeem them to find that they were invalid?
About a year and a half or so.
RWarehall: But let's also be clear. Seems Bundle Stars security was fine. More than fine, because it noticed the abnormal number of login attempts.

All that seemed to have occurred is somebody was trying a list of previously stolen passwords taken from somewhere else. This is why you should use the same password everywhere.
Including on your luggage.
chadjenofsky: How much time passed between the purchase of those 2 dead keys and the time you tried to redeem them to find that they were invalid?
skeletonbow: About a year and a half or so.
Thanks. That's actually very comforting as I'm admittedly behind in some err-- "administrative" work with my library.
RWarehall: But let's also be clear. Seems Bundle Stars security was fine. More than fine, because it noticed the abnormal number of login attempts.

All that seemed to have occurred is somebody was trying a list of previously stolen passwords taken from somewhere else. This is why you should use the same password everywhere.
LoboBlanco: Including on your luggage.
https://www.youtube.com/watch?v=a6iW-8xPw3k
Thank you for the warning, +1.
Thanks for this.... all in all Bundlestars is a damn fine group of people, great to see them burn all the passwords and start fresh. Also good move on notifying the afflicted accounts through Mandrill.

Permalink on INFO release
deleted