BMW MOA Compromised?

[Mike O]

Anybody else get this email;?

 

"On or about January 27th our Forum membership database was compromised. We believe user names and email addresses were exposed in a readable format. Passwords were also exposed, but in a highly encrypted format that is difficult to decode. However, since these are common credentials for both the Forum and your membership account on the MOA web site, we strongly recommend that you change your password on the MOA web site."

 

Or is this bogus? When I go to the web site there is NO mention of this.

 

Mike O

[Paul Mihalka]

I got the same mail.

[ltljohn]

Me too.

[johnlt]

I did also but I haven't been a member for nearly 10 years.

[SageRider]

Me too.

Password already changed.

http://www.bmwmoa.org/forum/showthread.php?t=58115

 

edit:

Link above is BMWMOA post describing the event and the mass emailing.

[upflying]

No email here.

Phishing?

[mrzoom]

Got it too. I called them and it is real. Changed pass word and as luck would have it the e mail they had is no longer valid so I fixed that.

[hopz]

I got it too...

 

Changing P/W on the MOA site does not seem to be helpful.

 

If you use the same P/W for other sites, then change them.

 

 

[SageRider]

...

Changing P/W on the MOA site does not seem to be helpful.

...

 

Why not?

[marcopolo]

Got the same e-mail and I changed my password on their site with no difficulty whatsoever.

[99Roadster]

...

Changing P/W on the MOA site does not seem to be helpful.

...

 

Why not?

 

Your email address was compromised along with your password.

[Mike]

Got it, too.

 

If I could also make a recommendation for folks here: We, of course, don't store any financial info since we're non-commercial, but I've seen some pretty weak passwords used here. It would be wise to make sure you have a strong password and that you are using something here other than the username/password combo that you use for websites that may have your financial information.

 

The dipsticks who are hacking successfully into websites like the MOA will probably eventually try it here.

 

 

[Jaguar]

Thanks for the heads up. It's been a while since I've been to MOA's website. I didn't receive the e-mail because all my info was out of date. E-mail address, phone number, model of bike, etc. I went in and changed my password and updated everything.

[SageRider]

...

Changing P/W on the MOA site does not seem to be helpful.

...

 

Why not?

 

Your email address was compromised along with your password.

Changing the board password (to a complex and unique password) does not address the email related issues, but does address the compromised board user name and password issue. Hopefully BMWMOA will also implement an account lockout policy (Account locks after 3-5 incorrect login attempts within an hour or something similar).

[hopz]

Michael, and others, what I was saying was that changing your password on the MOA site was good, now that the horses are out of the barn. It will not do anything for the places on the web where you are using the same password since the scofflaws already have it. If they wanted to get into your account on MOA they would be able to read your posts and not much else... just my first thoughts.

If you have others I am happy to learn from all.

[Joe Frickin' Friday]

Changing the board password (to a complex and unique password)...

 

Re: password strength, an interesting perspective here. Summary: you can make a password that's easy for you to remember but extremely hard for computers to guess. all you need to do is string together four common words in an unusual phrase, ideally something you can visualize. No caps, no weird characters, no numbers, just four lower-case words.

 

[SageRider]

Hopz, the same BMWMOA Forum account can be used on the BMWMOA store with a stolen credit card number...

But yes, a major risk is if one uses the same password in multiple places.

[SageRider]

JFF, another perspective is one I encountered recently:

One only needs to use complex passwords they can remember on sites they constantly access such as online banking, email, BMWST, etc.

For the remainder, a complex password can be used, but there is no need to remember. Simply use the forgot password function on the site logon screen. This will typically either email the password to you or reset the password and allow you to set a new password.

[tvguy]

I to received the same email. I went out and changed the basic info. BUT the real problem I am seeing on my own motorcycle site is the bogus people from someplace in Africa and surrounding areas joining the site and then trying to phish info from the members.

 

Like this site you really have to look at the people trying to join. My site has 3 Q's you have to answer and then I look at the IP address to see what part of the country you are from. Its good to have great admins that keep and eye on this site.

[Robus]

I to received the same email. I went out and changed the basic info. BUT the real problem I am seeing on my own motorcycle site is the bogus people from someplace in Africa and surrounding areas joining the site and then trying to phish info from the members.

 

Like this site you really have to look at the people trying to join. My site has 3 Q's you have to answer and then I look at the IP address to see what part of the country you are from. Its good to have great admins that keep and eye on this site.

 

BMW MOA is overzealous I'd say. I tried to register a year and a half ago when I bought the RT. Never was able to activate. Contacted the site master. No reply.

[Mike]

I to received the same email. I went out and changed the basic info. BUT the real problem I am seeing on my own motorcycle site is the bogus people from someplace in Africa and surrounding areas joining the site and then trying to phish info from the members.

 

Like this site you really have to look at the people trying to join. My site has 3 Q's you have to answer and then I look at the IP address to see what part of the country you are from. Its good to have great admins that keep and eye on this site.

 

There's quite a bit that goes on behind the scenes here; in the last year we've seen a significant increase in attempts by spammers and general dirtbags to get obtain accounts. We've gotten to the point where we're pretty good at heading them off at the pass, but the bad guys are evolving in response to the efforts of the attempts to thwart them.

[Selden]

A well run web site is like a duck on a lake: it looks smooth, but beneath the surface there is a tremendous amount of paddling. Hats off to people like admins who rarely receive recognition for what they do.

[Glenn Reed]

+1

[Kathy R]

I'm mad that the BMWMOA site has to deal with that crap. We have been lucky and we have all been vigilant.

 

I'll add that another reason this site works well is that the members make efforts to keep it that way. Giving Admins a heads up when you see something smarmy goes a long way to keeping the surface water smooth.

 

OK, you want me to say it? GROUP HUG!

 

[enfoman]

I think the BMWMOA has been working on it since there was weird activity happening in the For sale section. Somehow those strange offers from Africa and such were popping up to sellers. I don't know a thing about web browsing code, but when things like that happen in a for sale by only members with access, things should send huge red flags and smoke signals for alerts IMO.

[RoyTemple]

Got it & password changed.

[motorman587]

The problem with my strong password is I will forget it..........lol Got the same and changed all my passwords. Better safe than sorry I guess.

[BrianT]

Got the same email. Haven't accessed that account in years. Won't let me change the password because it says my account is expired so I guess it doesn't matter. Just gotta remember to change it if I ever reactivate.