Windows Secrets might be the source for all things Windows — including security. But even we’re not immune from hackers.
In the past couple of days, many of our subscribers reported receiving spam that appeared to come from Windows Secrets. But we can assure you, the e-mails did not come from us. We’ve always been committed to protecting our subscribers from unwanted junk mail — and we still are.
UPDATE: Since our last update, our IT staff has completed their investigation, and the facts remain unchanged from our original report. We’ve taken steps to strengthen our systems against this type of attack in the future, including limiting the number of sign-in failures from a given IP address.
Again, thank you for your continued support of Windows Secrets.
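The update above names one control put in place after the break-in: limiting the number of sign-in failures from a given IP address. The following is an added example, not Windows Secrets' own code, of how such a throttle works: a sliding-window counter of failed sign-ins per source IP that locks the address out once a threshold is reached, including for a correct guess made while locked out. The thresholds, the log format and all names are assumptions chosen for illustration, and the sample log is constructed.

```python
"""
Added example (not Windows Secrets' own code): a per-IP sign-in failure
throttle, the kind of control described in the notice above. Thresholds,
names and the log format are assumptions for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

MAX_FAILURES = 5          # assumed: failures allowed inside one window
WINDOW_SECONDS = 300      # assumed: length of the sliding window (5 min)
LOCKOUT_SECONDS = 900     # assumed: how long an IP stays locked out (15 min)


class LoginThrottle:
    """Tracks failed sign-ins per source IP and refuses attempts while locked out."""

    def __init__(self) -> None:
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, ip: str, now: float) -> None:
        # Drop failures that have aged out of the sliding window.
        window = self._failures[ip]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]   # lockout expired
            return False
        return True

    def record(self, ip: str, success: bool, now: float) -> str:
        """Process one attempt; returns 'blocked', 'ok', 'failed' or 'locked'."""
        if self.is_blocked(ip, now):
            # A correct password during lockout is still refused; this is what
            # defeats a brute-force run that happens to hit the right guess.
            return "blocked"
        if success:
            self._failures[ip].clear()
            return "ok"
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            self._failures[ip].clear()
            return "locked"
        return "failed"


# Constructed sample authentication log (not real data):
# epoch seconds, source IP (documentation ranges), account, outcome.
SAMPLE_AUTH_LOG = """\
1000 203.0.113.5 admin FAIL
1001 203.0.113.5 admin FAIL
1002 203.0.113.5 admin FAIL
1003 203.0.113.5 admin FAIL
1004 203.0.113.5 admin FAIL
1005 203.0.113.5 admin FAIL
1006 203.0.113.5 admin OK
1100 198.51.100.7 editor FAIL
1101 198.51.100.7 editor OK
2000 203.0.113.5 admin OK
"""


def replay(log: str) -> List[Tuple[str, str, str]]:
    """Feed each log line through the throttle and return (ts, ip, decision)."""
    throttle = LoginThrottle()
    decisions = []
    for line in log.splitlines():
        ts, ip, _user, outcome = line.split()
        decision = throttle.record(ip, outcome == "OK", float(ts))
        decisions.append((ts, ip, decision))
    return decisions


if __name__ == "__main__":
    for ts, ip, decision in replay(SAMPLE_AUTH_LOG):
        print(f"{ts} {ip:<14} {decision}")
```

In the replay, the fifth failure from 203.0.113.5 triggers the lockout, the sixth attempt and the correct password that follows at second 1006 are both refused, and the address is only served again at second 2000, after the lockout has expired. Keying the counter on source IP alone is the control the notice describes; a production deployment would typically also count failures per account, since an attacker can spread guesses across many addresses.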
A brief timeline of the site break-in
Sept. 11: Using a brute-force password-cracking technique, a hacker gained access to the Windows Secrets website via a compromised administrator account.
Sept. 12: The hacker planted malicious code on the site which potentially gave him (or her) the ability to access our database.
Sept. 17: Windows Secrets subscribers (and WS editors) started receiving unexpected e-mails from “Windows Secrets” that were purely and obviously spam.
That was when we first learned there was a problem. Our IT and development personnel quickly identified the exploited account and disabled access. They then removed the malicious code. They are now conducting a full audit of Windows Secrets and the rest of the iNET Interactive network.
The critical question: What was compromised?
We know this will be the first question almost all WS subscribers ask. (It was one of the first questions we asked ourselves.) We haven’t confirmed the exact data extracted; however, the information that could have been exposed includes the following: subscriber name, e-mail address, reader number, ZIP code (if applicable), geographic region, and hashed password — all the entries on your profile page.
We do not keep credit-card information on the site. Our credit-card processing is passed to a third-party service with a high level of security. At this time, we have no indication that credit-card information was compromised. If that changes, we’ll notify you.
What you should do to protect yourself
Going forward, we recommend the following:
Passwords: As is common practice, we store passwords as hashes. That said, password-cracking apps can easily recover a password from its hash if the password is relatively simple, as noted in our Jan. 19 In the Wild column.
For that reason, we strongly suggest you immediately go to your Windows Secrets Preferences page and change your password. That’s especially important if you use the same password for WS and other websites. (It’s never good practice to use the same password on multiple sites.)
Newsletter e-mails: We send two regularly scheduled e-mails. The weekly newsletter goes out most Wednesday evenings so that subscribers receive it early Thursday. We send out paid-subscriber renewal notices on Tuesdays; you should receive these once a year, unless you’re a lifetime subscriber. We have no plans to change that schedule.
If you receive an unexpected e-mail from Windows Secrets, don’t click any of the links in the message.
What’s next for Windows Secrets
As a result of this breach, our IT personnel have taken additional measures to strengthen the security of Windows Secrets and our systems. We know that our subscribers put an enormous level of trust in Windows Secrets, and we take your privacy extremely seriously. So this episode is especially painful for us.
Please accept our sincere apologies for any inconvenience this might have caused you.
Thanks for supporting Windows Secrets. — The Windows Secrets newsletter staff
Andy Boyd is the Product Manager for Windows Secrets. As the Product Manager, Andy is responsible for supporting the Windows Secrets website; he is the go-between for the editorial, marketing, and technical staff.