Subject: Important information regarding your buyit.spellings.net password
Date: Fri, 01 May 2015 18:02:50 +0100

[Apologies if you've received multiple copies of this email. In our urgency to contact everyone ASAP we reached the max email limit on the server]

We have been alerted to the fact that a list of registered email addresses and password hashes from our online store have appeared online. We have taken immediate action to find the source of this leak, and whilst the work is still ongoing, we have identified a SQL injection weakness in some very old (12+ years) PHP code that formed part of the original aemulor.com store.

Whilst we have never stored plain-text passwords, the un-salted one-way hashes that have been obtained could potentially be used to try and crack your actual password. There is no evidence that any other information was obtained, and we don't store any payment or credit card details so these are safe.

What you should do:

- If you have used the same email address and password combination as you used for aemulor.com or more recently buyit.spellings.net on another website, you should change the password immediately. It's always good practice to never use the same password on multiple web sites.
- If you are likely to need to login to our site again, request a new temporary password by visiting http://buyit.spellings.net/password_reminder.php then login and change it to a more convenient password.

What we have done:

- We are auditing the website code looking for further potential weaknesses to protect against attacks.
- We have reset your password so that anyone who obtains the hash and manages to crack your real password cannot use it to log into our site.
- We have also reset the password on our support forums, as the same password was used to automatically create an account there. You will be prompted for a new password if you ever log into the support forum again.
- We have changed the reset password procedure so that usernames and passwords are not sent together in the same email.
- We have re-written the password hashing algorithm from MD5 to a much stronger SHA256 and also added salt.
- We have stopped the automatic creation of phpBB accounts on our support forum when you register. You will now need to create a separate login on the support forum.
- We have taken advice from the Information Commissioner's Office on our reporting obligations.

We have kept the online store operational for the convenience of the few RISC OS users and more recently Raspberry Pi users who need access to the latest versions of their software, but unfortunately the security of the code written a decade ago has not been sufficient to protect against the multitude of miscreants out on the internet today. The ongoing code review, starting with the new password hashing and salting algorithms, should allow us to keep the store online for a while longer, whilst protecting your data.

I sincerely apologise for any inconvenience this breach may cause you. If you have any questions about the above, please reply to this email.

Regards
Neil Spellings
buyit.spellings.net
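The hashing change listed under "What we have done", shown as an added Python example (not the store's own PHP code) over constructed sample users: unsalted MD5 gives the same hash to every account sharing a password, a per-user random salt with SHA-256 does not, and verification recomputes the digest and compares it in constant time. The `sha256$salt$digest` record format and the helper names are assumptions; a purpose-built password hash such as bcrypt or PBKDF2 would normally be preferred over a plain fast hash even when salted.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from the breach): two customers who chose the same password.
SAMPLE_USERS = {"alice@example.com": "correct horse", "bob@example.com": "correct horse"}


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the scheme the old store code used. Equal passwords give equal
    hashes, so one cracked hash unlocks every account that shares that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256 stored as 'sha256$<salt hex>$<digest hex>' (assumed format).
    A fresh random 16-byte salt per user means equal passwords no longer collide."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify(password: str, record: str) -> bool:
    """Recompute the salted digest and compare in constant time; reject malformed records."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "sha256":
        return False
    try:
        salt = bytes.fromhex(parts[1])
    except ValueError:
        return False
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode("ascii"), parts[2].encode("utf-8"))


def migrate_users(users: dict) -> dict:
    """Build a new salted record for every user (hypothetical helper): the old MD5
    column exposed which accounts shared a password, the new column does not."""
    return {email: make_record(pw) for email, pw in users.items()}


if __name__ == "__main__":
    old = {e: legacy_md5(p) for e, p in SAMPLE_USERS.items()}
    new = migrate_users(SAMPLE_USERS)
    print("unsalted MD5 identical across users:", len(set(old.values())) == 1)
    print("salted SHA-256 identical across users:", len(set(new.values())) == 1)
```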