By Zach Arnold | January 21, 2014
When we posted our series of articles on the UFC Fight Pass web site, one thing we did not address was the potential security issues that could be exploited by hackers. Once that topic was explored on Bloody Elbow, the intensity of the scrutiny was raised a few notches.
With security issues on the minds of UFC Fight Pass subscribers, this message for Underground Forum users surely was not comforting for hardcore MMA fans who are active on message boards. A hacker pretended to be Dana White for a chat on the Underground. Then the hacker pretended to be Dan Henderson.
Take note of the … diplomatic tone Kirik is using regarding the hacker.
The hacker’s actions are one thing, but it’s an entirely different issue when that same hacker allegedly attacked the site previously… and users were not told about the severity of the hack or the hack itself?
Two years ago, MentaL found a way to hack into the site, and very helpfully alerted us to it. We immediately fixed the hole. By immediate I mean someone started on it within minutes.
MentaL says that at the time we should have forced everyone to change their passwords, in case someone else had found the same hole that he did, and had bad intentions. I did not think anyone else but him had found the hole, and so with the fix in place, we did not force a wholesale change of PWs.
The site got hacked two years ago, users weren’t told, and the hacker warned the site to take action?
Update (evening of 1/21/2014): From the comments section by Kirik:
The above sentence is factually incorrect. The hacker did not warn the site to change passwords. That is something that was apparently on his mind, and two years later, he decided to make a point over. You can’t mix together incorrect supposition with quotes, and then say hey the quotes are right.
If the hacker proceeds to use information gleaned from the site and accesses/opens credit card accounts or hacks into sites for banking or shopping with information obtained from the Underground, then what liability issues are raised by the failure of the Underground to disclose the previous site hacking from two years ago to users?
As you might imagine, a lot of people are freaked out. Has the FBI been contacted? If not, then why not? If no complaint is filed with the FBI, does it open the door for a potential class action civil lawsuit?
Next question: how was the hacker able to access the passwords?
— Jackson Chase (@JacksonChase) January 21, 2014
The Underground Forum is asking all users to change their passwords. That’s where another freak out factor is happening. One source, who happens to be a very sharp lawyer, contacted me with the following:
I changed my password and the email address associated with [the account] because of the attack. When I changed the email address, they sent me my password in clear text!
Date: Mon, Jan 20, 2014 at [redacted]
Subject: Mixed Martial Arts Registration Confirmation
To ensure delivery to your Inbox and to have images displayed properly, please add MixedMartialArts.com to your safe senders list.
I would like to thank you for taking the time to register at MixedMartialArts.com, the worldwide leader in Mixed Martial Arts information. We hope you enjoy the site and look forward to your participation.
To complete your registration, follow the link below:
(If clicking on the link doesn’t work, try copying and pasting it into your browser. If you still have issues, then please go to the URL below and use this key: [redacted password])
As with any large gathering of people, there are basic guidelines to follow so that everyone can enjoy the community. These will be covered in a following email.
President, Mixed Martial Arts LLC
Mixed Martial Arts LLC.
1240 South East St.
Amherst, MA 01002
Phone: (508) 443-3376
Check us out on Facebook
If you would like to unsubscribe and stop receiving these emails click here.
What’s the next shoe to drop?