GoFuckYourself.com - Adult Webmaster Forum

Paycom or NATS spamming our members? (https://gfy.com/showthread.php?t=793881)

chri$tian 12-21-2007 04:06 PM

Quote:

Originally Posted by kristin (Post 13548367)
What about our templates, webmaster info, sales stats?

My NATS is VERY customized and I've spent too much time and money to have someone able to just gank or even delete my templates.

If they have an admin user and pass they would have full access to EVERYTHING you have access to, think about it... Not good.

TheSenator 12-21-2007 04:09 PM

Quote:

Originally Posted by AtlasChris (Post 13548390)
If they have an admin user and pass they would have full access to EVERYTHING you have access to, think about it... Not good.


I am not sure how NATS works from the inside. If they have admin access, do they also have access to affiliate info as well?

tdfcash3 12-21-2007 04:10 PM

Quote:

Originally Posted by AtlasChris (Post 13548390)
If they have an admin user and pass they would have full access to EVERYTHING you have access to, think about it... Not good.

Exactly and how many sponsors are we talking, how much info in total has been compromised?

TMM_John 12-21-2007 04:12 PM

Quote:

Originally Posted by Trixxxia (Post 13548233)
John - can I remove the user?

Yes, you can of course.

TMM_John 12-21-2007 04:15 PM

Quote:

Originally Posted by RazorSharpe (Post 13548272)
was it an ex NATS employee?

We have nothing that leads us to believe that. Everything indicates that it is an outside person who has accessed passwords somehow. There are a number of ways some of these passwords may have been compromised including but not limited to them getting the admin password by accessing a client's server and taking it from the DB. Passwords in NATS3 are 2 way encrypted. This is changed to 1 way encryption in NATS4 and we are also going to be putting out a patch for NATS3 which changes this to one way encryption.
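The difference between the two storage schemes named in the post above, as an added example that is not part of the thread and is not NATS code. The reversible cipher is a standard-library stand-in, and the key, sample password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values; nothing here comes from NATS.
SERVER_KEY = b"key-stored-on-the-same-server"  # hypothetical application secret
ADMIN_PASSWORD = "s3cret-admin-pass"           # constructed sample password
PBKDF2_ROUNDS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (stdlib only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def store_two_way(password: str, key: bytes) -> bytes:
    """Reversible ("2 way") storage: nonce followed by ciphertext."""
    nonce = os.urandom(16)
    data = password.encode()
    stream = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def recover_two_way(record: bytes, key: bytes) -> str:
    """Anyone holding the DB row and the server key gets the plaintext back."""
    nonce, ct = record[:16], record[16:]
    stream = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def store_one_way(password: str) -> bytes:
    """One-way storage: random salt followed by a PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_one_way(password: str, record: bytes) -> bool:
    """The stored record can only confirm a guess, never yield the password."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    row = store_two_way(ADMIN_PASSWORD, SERVER_KEY)
    print("two-way row decrypts to:", recover_two_way(row, SERVER_KEY))
    hashed = store_one_way(ADMIN_PASSWORD)
    print("one-way row verifies login:", verify_one_way(ADMIN_PASSWORD, hashed))
    print("one-way row, wrong guess:", verify_one_way("guess", hashed))
```

With reversible storage, a server compromise that exposes both the database and the key exposes every admin password at once; with one-way storage the same compromise leaves an attacker guessing against a salted, deliberately slow hash.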

Luca_Triple 10 12-21-2007 04:16 PM

additional info... not sure how important it is:

Joined: 12/21/07 17:03:59
Last Login: 12/21/07 16:02:46

I've had nats since about July... but the user naqIPksxjBioBI who was admin since time of install says joined today. ???

TMM_John 12-21-2007 04:19 PM

Quote:

Originally Posted by Luca_Triple 10 (Post 13548431)
additional info... not sure how important it is:

Joined: 12/21/07 17:03:59
Last Login: 12/21/07 16:02:46

I've had nats since about July... but the user naqIPksxjBioBI who was admin since time of install says joined today. ???

It says it logged in today or it says it joined today? It would much better assist us and you to contact us and work with us on resolving the issue rather than just posting all of the info you find here. The person doing these things may very well monitor here.

kristin 12-21-2007 04:22 PM

Quote:

Originally Posted by AtlasChris (Post 13548390)
If they have an admin user and pass they would have full access to EVERYTHING you have access to, think about it... Not good.

Oh I know, that's why I'm surprised people are only going off about the emails.

Think of all the other info they had access to ...

Luca_Triple 10 12-21-2007 04:23 PM

Quote:

Originally Posted by PBucksJohn (Post 13548435)
It says it logged in today or it says it joined today? It would much better assist us and you to contact us and work with us on resolving the issue rather than just posting all of the info you find here. The person doing these things may very well monitor here.

it says they logged in and joined today.

i will be submitting a ticket now. thanks for the help and attention in this matter.

kristin 12-21-2007 04:24 PM

Quote:

Originally Posted by TheSenator (Post 13548402)
I am not sure how NATS works from the inside. If they have admin access, do they also have access to affiliate info as well?

They would have access to that, yes.

TMM_John 12-21-2007 04:25 PM

Quote:

Originally Posted by Luca_Triple 10 (Post 13548448)
it says they logged in and joined today.

i will be submitting a ticket now. thanks for the help and attention in this matter.

Thank you. We are doing a mass change of any password our guys have, but I believe that should not affect the join date. I appreciate your help on this.

chri$tian 12-21-2007 04:26 PM

Quote:

Originally Posted by tdfcash3 (Post 13548406)
Exactly and how many sponsors are we talking, how much info in total has been compromised?

With this post and the people I have spoken with personally, it's about 10 to 15 confirmed. But ya have to think it's many more, if it's that easy. After everything is changed and locked down on the server level, there won't be any easy fix.

SiMpLe 12-21-2007 04:26 PM

Quote:

Originally Posted by justsexxx (Post 13548299)
Had the same...I was on my own paysite as member to check if mails would come in etc. Within a few days I received spam!

It really sucks hard, and I'm sure many sites are affected. The one who made the script, knows exactly what he/she did, and I'm sure he/she is making a LOT of money with those emails.

And I understand NATS doesn't want to discuss it on a public forum. But an email to customers would be welcome (which is sent now)

I am just curious if this was not posted if it would have arrived that fast too...

This is not new as of today justsexxx as I've found out from current nats clients this has affected in the past. But NATS did finally alert every single one of their clients to this issue on 12/21/07 - Merry Xmas

The ICQ's I have been getting all day are fucking unreal as to who knew about the exploit as it affected them as far back as a YEAR. This has been going on for a long time to lots of programs and I am totally disgusted right now.

Take it a step further - The programs benefiting from these lists being used/mailed promoting their products :disgust Anyone here feeling fucking violated?

John again thank you for your support and getting that email out. I'm still shaking my head as to why it took you so long. You've known about this for a long time there is 100% no question about that. But at least you did it and now people are aware and can lock down to stop this shit.

Instead of covering this issue up you now look like a hero just from that one email. Go figure

tdfcash3 12-21-2007 04:31 PM

Quote:

Originally Posted by AtlasChris (Post 13548461)
With this post and the people I have spoken with personally, it's about 10 to 15 confirmed. But ya have to think it's many more, if it's that easy. After everything is changed and locked down on the server level, there won't be any easy fix.

yeh I've just swapped all details on current admins and disabled the nats admin, I'll look over their other info to secure it.

TampaToker 12-21-2007 04:32 PM

Quote:

Originally Posted by Luca_Triple 10 (Post 13548448)
it says they logged in and joined today.

i will be submitting a ticket now. thanks for the help and attention in this matter.

Showing they joined today as well.........

TMM_John 12-21-2007 04:32 PM

Quote:

Originally Posted by SiMpLe (Post 13548465)
This is not new as of today justsexxx as I've found out from current nats clients this has affected in the past. But NATS did finally alert every single one of their clients to this issue on 12/21/07 - Merry Xmas

The ICQ's I have been getting all day are fucking unreal as to who knew about the exploit as it affected them as far back as a YEAR. This has been going on for a long time to lots of programs and I am totally disgusted right now.

Take it a step further - The programs benefiting from these lists being used/mailed promoting their products :disgust Anyone here feeling fucking violated?

John again thank you for your support and getting that email out. I'm still shaking my head as to why it took you so long. You've known about this for a long time there is 100% no question about that. But at least you did it and now people are aware and can lock down to stop this shit.

Instead of covering this issue up you now look like a hero just from that one email. Go figure

What we have found in the past led us to believe it was not widespread and that we could prevent it via doing what we did. I think we prevented a lot of it and I do not believe it is as widespread as some people here seem to enjoy making it out to be. As we have now seen the issue pop up again we have taken even further action against any problems continuing.

Nothing is going to prevent this from happening 100% in the future. The average server security in this industry is horrible. And many people with very bad security insist they know everything about it and are 100% secure. We have assisted a number of clients privately in helping them secure their servers which they claimed were bullet proof.

Unfortunately we are dealing with criminals here. They will continue to hack servers, be they NATS clients, clients of other software, or whatever. If NATS could magically prevent people's servers from being compromised I would be a very retired man.

TMM_John 12-21-2007 04:34 PM

Quote:

Originally Posted by TampaToker (Post 13548496)
Showing they joined today as well.........

Please submit a ticket also so we can have our guys get a good look. This is making me worry someone is somehow injecting these. Our code is routinely audited for SQL injections however that doesn't guarantee there are other ways to do it, or that someone is doing it directly to your MySQL server or in some other way. Please get a ticket submitted so we can take a look.

TMM_John 12-21-2007 04:38 PM

According to Fred in v3 the Join Date you are being shown is the date the account info was last modified and it is the password update that is causing the dates to be showing as today.

jcsike 12-21-2007 04:39 PM

Quote:

Originally Posted by PBucksJohn (Post 13548497)
If NATS could magically prevent people's servers from being compromised I would be a very retired man.

through your username/password, you mean. you couldn't call up your clients, one at a time and ask them to change the pw and upgrade their security?

TMM_John 12-21-2007 04:41 PM

Quote:

Originally Posted by jcsike (Post 13548527)
through your username/password, you mean. you couldn't call up your clients, one at a time and ask them to change the pw and upgrade their security?

Those who we had an indication had a problem were notified. And we changed all passwords.

It is my belief that someone is accessing the server that NATS is on and retrieving the admin password directly from the server. Then using that password in whatever script they have to login as it is less obvious than them accessing your box directly on a regular basis.

We are however changing our policy to no longer keep any NATS admin passwords as we have done with SSH info in the past to be sure it is not something on our end.

borked 12-21-2007 04:45 PM

Quote:

Originally Posted by PBucksJohn (Post 13547959)
Exactly. Discussing the details of a security issue and the actions taken on it in a public forum, especially one with the member base we have here, is absurd.

How is making people aware of an exploit that's been going on for some time a security issue? Nobody has posted how the exploit is achieved - just forewarning others that the issue is a real issue, which has made you sit up and take action. Isn't that a Good Thing??

TMM_John 12-21-2007 04:49 PM

Quote:

Originally Posted by borked (Post 13548549)
How is making people aware of an exploit that's been going on for some time a security issue? Nobody has posted how the exploit is achieved - just forewarning others that the issue is a real issue, which has made you sit up and take action. Isn't that a Good Thing??

I did not say pointing it out is a bad thing. I said discussing the details of it, what is being done, and what is being done to combat it isn't the smartest.

datatank 12-21-2007 04:51 PM

Quote:

Originally Posted by kristin (Post 13548367)
What about our templates, webmaster info, sales stats?

My NATS is VERY customized and I've spent too much time and money to have someone able to just gank or even delete my templates.


It takes all of 1 min to back up your nats templates. I would suggest you do that now

kristin 12-21-2007 04:57 PM

Quote:

Originally Posted by datatank (Post 13548565)
It takes all of 1 min to back up your nats templates. I would suggest you do that now

They all are, not the point.

borked 12-21-2007 05:02 PM

Quote:

Originally Posted by PBucksJohn (Post 13548558)
I did not say pointing it out is a bad thing. I said discussing the details of it, what is being done, and what is being done to combat it isn't the smartest.

I'm not quite sure what you mean by discussing the details of it. All that has been posted are a set of IPs from a scammer, so that others can check their logs. Like you said:

Quote:

Originally Posted by PBucksJohn (Post 13548497)
I do not believe it is as widespread as some people here seem to enjoy making it out to be.

Through this very thread, started by someone wanting to know what was happening, other people have stepped forward with information that has helped others realise what has gone on. Followed on by your email, now all NATS clients realise there is a problem. Nothing untoward or compromising to others has been discussed.

borked 12-21-2007 05:03 PM

Quote:

Originally Posted by datatank (Post 13548565)
It takes all of 1 min to back up your nats templates. I would suggest you do that now

for those that aren't sure - just a mysql dump/backup, which you are all doing regularly anyway right :winkwink: takes care of all that

TMM_John 12-21-2007 05:06 PM

Quote:

Originally Posted by borked (Post 13548607)
I'm not quite sure what you mean by discussing the details of it. All that has been posted are a set of IPs from a scammer, so that others can check their logs. Like you said:



Through this very thread, started by someone wanting to know what was happening, other people have stepped forward with information that has helped others realise what has gone on. Followed on by your email, now all NATS clients realise there is a problem. Nothing untoward or compromising to others has been discussed.

You're right, the end result has been a good thing. It has also resulted in us making a policy change. Although I don't think it is the root of the issue it is better to be safe than sorry.

I am not saying things people have said are horrendous. People have asked me to go into details about what we know and what we have done in the past here. I'm simply saying I think this is not the place for that.

tdfcash3 12-21-2007 05:06 PM

I'm still in a state of utter disbelief that they knew for so long and didn't think to tell us.

Nysus 12-21-2007 05:06 PM

Quote:

Originally Posted by PBucksJohn (Post 13548534)
Those who we had an indication had a problem were notified. And we changed all passwords.
...

Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?

TMM_John 12-21-2007 05:15 PM

Quote:

Originally Posted by tdfcash3 (Post 13548627)
I'm still in a state of utter disbelief that they knew for so long and didn't think to tell us.

We were not under the impression it was a widespread problem or we would have made an announcement as we have in the past.

I still do not believe it is a completely widespread issue but we are taking strong action anyway.

TMM_John 12-21-2007 05:16 PM

Quote:

Originally Posted by Nysus (Post 13548628)
Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?

After we collect all of the info we can we will see what we can do with it. However, I'm sure they will wish to speak with those who are having their systems accessed. We can not act on your behalf in that regard.

tdfcash3 12-21-2007 05:21 PM

Strong action doesn't mean shit now it's happened, you have totally lost my confidence in your software, there has been a lot of talk everywhere about what's best NATS or CCbill, I think this turn of events has just answered that common thread topic!

TMM_John 12-21-2007 05:23 PM

Quote:

Originally Posted by tdfcash3 (Post 13548679)
Strong action doesn't mean shit now it's happened, you have totally lost my confidence in your software, there has been a lot of talk everywhere about what's best NATS or CCbill, I think this turn of events has just answered that common thread topic!

I'm sorry to hear that.

borked 12-21-2007 05:24 PM

Quote:

Originally Posted by Nysus (Post 13548628)
Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?

tdfcash3 raised this point and a very valid one. European law for example is extremely strict and clear on this matter, and all programme owners anyway, but especially Europe need to take data security very VERY seriously. The end user of any software that implements personal data storage is ultimately responsible for the security of that data. Not TMM. Most all business software is closed source, so everyone in this industry needs to not be complacent that because XYZ is their software that it's secure.

It looks like NATS has a security hole which is/is being/has been closed, I dunno. But you all need to be taking your customer's data security seriously and checking login logs periodically. You, the user are ultimately responsible for that.

We are proactive on these matters, which is why we've been breach-free for some time now

TMM_John 12-21-2007 05:24 PM

I am out of town and getting on a plane shortly. This will be my last post in this thread for at least hours. Please submit tickets if you have any further questions.

tdfcash3 12-21-2007 05:29 PM

It seems clear to me until TMM sorts its issues out sponsors can either wait and see or move now, there's plenty of options that john seriously needs to address namely MPA3 and Epoch are looking like a better option right now.

DVTimes 12-21-2007 05:32 PM

Quote:

Originally Posted by borked (Post 13548692)
tdfcash3 raised this point and a very valid one. European law for example is extremely strict and clear on this matter, and all programme owners anyway, but especially Europe need to take data security very VERY seriously. The end user of any software that implements personal data storage is ultimately responsible for the security of that data. Not TMM. Most all business software is closed source, so everyone in this industry needs to not be complacent that because XYZ is their software that it's secure.

It looks like NATS has a security hole which is/is being/has been closed, I dunno. But you all need to be taking your customer's data security seriously and checking login logs periodically. You, the user are ultimately responsible for that.

We are proactive on these matters, which is why we've been breach-free for some time now

That's a good point.

I know firms in the UK facing BIG fines. I presume that websites based in the UK could also be subject to BIG fines.

Dirty D 12-21-2007 05:33 PM

Looks pretty widespread to me...

ShotGun 12-21-2007 05:34 PM

The scary thing is how easy MPA and Nats are to hack. The even scarier thing is both of those companies think their program can not be hacked. If they'd get off their high horse for a second they'd realize how many exploits each of them has they may be able to actually secure their script. Instead they are too busy getting drunk on their own kool aid.

Anybody thinking of buying Nats should read John's posts in this thread. Is that the type of guy you want to do business with?

ladida 12-21-2007 05:39 PM

Quote:

Originally Posted by tdfcash3 (Post 13548722)
It seems clear to me until TMM sorts its issues out sponsors can either wait and see or move now, there's plenty of options that john seriously needs to address namely MPA3 and Epoch are looking like a better option right now.

You think MPA doesn't have issues like this? Or any other software paysites use for that matter like the various number of CMS's? Ask around...

People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members


All times are GMT -7. The time now is 01:23 AM.
