[Plugin: wpStoreCart] WP Storecart site's registered members hacked by spammers

Nope, not hacked. Your username on wpStoreCart is:
[ redacted ]

and username’s are public. Meaning, a simple web harvester can recognize your username as an email address, and pulled it from web results or from crawling our site directly.

We adhere to a strict privacy policy and never release information to 3rd parties. In fact, we no longer even use Google Analytics as we do not agree with their privacy implications.

Here’s our privacy policy.

Wasn’t questioning your privacy policy, or your intentions.

Where are the usernames public, other than the forum? Since we have not posted to your forums, how would the username become public?

But since you mention your privacy policy…

When our team manages forums we never use emails as usernames. To us, doing that IS a disclosure of private information to third parties. (And your answer above seems to support that doing so discloses the information to third parties.)

As I mentioned via email, please delete all of our information off of the WP StoreCart site. That will make me feel more secure.

Also we do not appreciate your disclosing our private information on this forum (our email, listed above). Doing so also goes against your privacy policy. Or so it would seem, in my opinion.

One would have thought it was self-evident that email addresses are private information. Sigh.

You choose your username, not us. You didn’t have to choose your email address, but you did. You disclosed that information. Our forum lists the username of members, last members, etc of anyone who joined our site (our forum is WordPress native.) I will delete everything of yours off the site.

I agree that emails are personal information. However, when you choose a public username and then choose your own email address, you are clearly exposing this information to anyone.

Updated the privacy policy and added this:

Certain parts of our website are public. For example, if you register an account on our site, then the username, signature, and any forum posts or comments you make will be public. That means, if you disclose any personal information in your username, signature, comments, in our forums, or in any other publicly displayed content that you provide, then we cannot protect your personally identifiable information in those situations. It is your sole responsibility to only publicly disclose information you are comfortable with.

Okay, where do the usernames get exposed on your site?

Having never participated in your forum or posted any comments on your site, are you able to point to a place where all the usernames are listed? If not, then hacking of your site is still an unfortunate possibility.

The bottom of the forum lists the latest user/username who joined the site. Since our site is 100% WordPress, registering on the site anywhere registers you for all our services, including the forum, regardless if you use the forum or not, so your username would still appear there as the latest user.

After your email this morning I looked at the members list and noticed several other users who had used email addresses as their username, so I trashed the page. My guess is one of our many registration forms label wasn’t clear that were asking for a username. I’ve disabled registration during checkout and I removed the member’s directory page to try to stop this type of situation from recurring. The page is in my trash, if you like I can restore the page if it will give you piece of mind.

The site is certainly not compromised, but I do appreciate the heads up regarding the situation. What I did not appreciate was the assumption that my site is hacked. It most certainly is not. It’s on a dedicated server, I’ve hardened the hell out of everything, and I’m sitting here looking through the logs for tell tale signs of exploitation. I do see a lot of bot and script kiddie attempts at XSS and SQL injection, but none of them were successful. I have fine tuned the entire server, have a hardware firewall, SSL encryption, mod_security with my own custom implementation, hardened httpd.conf and php.ini, and even custom core WordPress modifications for better security.

The first business website of mine to get hacked was in 2006, and it was replaced with Islamic jihad propaganda. I’ve been an obsessive, compulsive security nut since then, because there’s nothing worse than having some script kiddie take down years of hard work by copying and pasting.

Yes, agree the assumption that the site was hacked was premature.

It does sound as if by removing those pages where usernames were published automatically, spambots will find it harder to collect e-mail addresses from the site.

Perhaps the forum and comments are still points of vulnerability, if the usernames are still published there without obfuscation. Maybe a notice should go out to WPStoreCart customers to make certain that their usernames are not email addresses…

In any case, thanks for deleting our info off the WPStoreCart site. The time has come for us to sign off of this thread.