Data Safety

Thomas JackermeierThomas Jackermeier Member
edited March 2019 in Blog
Let’s talk about data safety. We have discovered a potential safety leak on our website which could have theoretically been used by an attacker to obtain some customer data, including names, addresses, and passwords. Payment and credit card details were never in danger.

Popular websites like Fanatec.com are the target of hacker attacks every week, and usually they fail on our firewalls; in this case we cannot 100% guarantee that all attempts were unsuccessful. If we found the leak someone else might have found it as well.
There is no evidence that any data was stolen but due to the new data protection laws in Europe we want to be extra cautious and therefore are implementing a mandatory password reset. 

Here is the direct link to do so:

Of course we are now working hard to improve the security on our website. The new website with a state-of-the-art shop system will be launched in April/May. 

If you also want to improve your personal data safety, I would personally like to recommend a database for your passwords (Password Manager) which is convenient and 100% safe. I’ve used it for 2 years and couldn’t live without it anymore. This is a great solution for passwords on the internet because it is safe and very convenient.
Use an individual and very complex password for every website you need to log-in.
No need to memorize dozens of different passwords.
All the passwords and website links are available on all your devices and in one place.
Use it for all your website log-ins, credit card details, banking details, passport data, etc.
Super convenient because you only need to memorize ONE password, and you can even log-in with your fingerprint. Auto-fill of forms on websites is also supported.
The passwords are not saved in the browser or cloud (which is NOT safe) but locally on a super encrypted and personal database file on your mobile phone, tablet, or PC.
The tool is free of charge and from a non-profit organization which uses open-source code. Your personal password database is protected with the same algorithm which is used by the NSA.

If you like to do this, you need to install two things:
1. A data cloud service like Microsoft OneDrive (free)
2. The database tool KeePass (free)

First you install OneDrive (or similar) on all your mobile phones, PCs, and tablets. There is now a data folder which is synced to all your devices.
Then you install KeePass on all your devices and create a new password database. Store this database file in your OneDrive folder so it will be available on all your devices.

You can now access all your passwords with one single master password, or your fingerprint, and don’t need to worry that your 12345678 password is used by a hacker to log-in to your iRacing account then drives like a maniac in your name.

«1

Comments

  • Ulrich WitschaßUlrich Witschaß Member
    edited March 2019
    KeePass is also my goto choice for password management, stored on an also encrypted drive. It's an awesome tool, especially since it's free (as in beer). 

    Having been the target of a (sadly successful) hack on one of our servers once, I know the feeling and trouble one has to go through and what it means for the admins and devs in that moment. 

    Kudos to Fanatec to be open and transparent about this! 

    Ulrich
  • Joseph GossenJoseph Gossen Member, Moderator
    edited March 2019
    Quick reaction. Thanks Thomas ! I've been using 1Password for years and love it. Highly recommend users have a password manager.
  • Ryan HammRyan Hamm Member
    Hopefully your new website contains multi-factor authentication through an authenticator app or FIDO key.
  • Paul LarivierePaul Lariviere Member
    My account seems to be gone. Password recovery says it doesn’t know my email address which I’ve used for years. There was a preorder DD1 in there too.
  • Benjamin KusBenjamin Kus Member
    edited March 2019
    Hmm, my account appears to be missing too in AUS. 
    Edit: request a password reset, and then it will email you a new password & you can log in again!
    My DD2 & Paddles are still there 
    :-bd
  • Brian van den BoschBrian van den Bosch Member
    Bram Ueffing said:
    My account seems to be gone. Password recovery says it doesn’t know my email address which I’ve used for years. There was a preorder DD1 in there too.
    @Bram: Did you select your own region before checking? I had to first select EU and then everything was fine (and did also a password reset). 


  • Rami AholaRami Ahola Member
    edited March 2019
    I also had to request pw change, before that couldn't log in "no email/pw" was message. But now ti work.


    btw, how I change new, own password now for my account? Can't find that option...
  • Paul LarivierePaul Lariviere Member
    Password reset does not work for me: Warning: The E-Mail Address was not found in our records, please try again!
  • Dominic BrennanDominic Brennan Member, Administrator
    Rami Ahola said:
    I also had to request pw change, before that couldn't log in "no email/pw" was message. But now ti work.


    btw, how I change new, own password now for my account? Can't find that option...
    Hi Rami, once you are signed in, click 'My Account' and then 'Change your password'.


    Bram Ueffing said:
    Password reset does not work for me: Warning: The E-Mail Address was not found in our records, please try again!
    Hi Bram, are you sure you are trying to sign in to the correct region?
  • Paul LarivierePaul Lariviere Member
    Bram Ueffing said:
    Password reset does not work for me: Warning: The E-Mail Address was not found in our records, please try again!
    Hi Bram, are you sure you are trying to sign in to the correct region?
    Yes, I tried it a number of times with the correct region. Both from forum and from the homepage.
  • Paul LarivierePaul Lariviere Member
    Dominic Brennan said:
    Rami Ahola said:
    I also had to request pw change, before that couldn't log in "no email/pw" was message. But now ti work.


    btw, how I change new, own password now for my account? Can't find that option...
    Hi Rami, once you are signed in, click 'My Account' and then 'Change your password'.


    Bram Ueffing said:
    Password reset does not work for me: Warning: The E-Mail Address was not found in our records, please try again!
    Hi Bram, are you sure you are trying to sign in to the correct region?
    Yes, I tried it a number of times with the correct region. Both from forum and from the homepage.
  • Dominic BrennanDominic Brennan Member, Administrator
    Bram Ueffing said:
    Dominic Brennan said:
    Rami Ahola said:
    I also had to request pw change, before that couldn't log in "no email/pw" was message. But now ti work.


    btw, how I change new, own password now for my account? Can't find that option...
    Hi Rami, once you are signed in, click 'My Account' and then 'Change your password'.


    Bram Ueffing said:
    Password reset does not work for me: Warning: The E-Mail Address was not found in our records, please try again!
    Hi Bram, are you sure you are trying to sign in to the correct region?
    Yes, I tried it a number of times with the correct region. Both from forum and from the homepage.
    Then I recommend that you contact our sales team via the email webshop (at) fanatec (dot) com. I apologise for the inconvenience.
  • David BurtonDavid Burton Member
    Cant believe this post. No only did you guys leak hundreds of email addresses (including mine) from an incompetent member of staff. Now you have let data get leaked probably due to cutting corners with security software etc.

    Be glad when my items are delivered then I can cut all ties with this company. REAL REAL shame as liked your products but this is getting beyond a joke now.
  • Paul LarivierePaul Lariviere Member
    Dominic Brennan said:
    Bram Ueffing said:
    Dominic Brennan said:
    Rami Ahola said:
    I also had to request pw change, before that couldn't log in "no email/pw" was message. But now ti work.


    btw, how I change new, own password now for my account? Can't find that option...
    Hi Rami, once you are signed in, click 'My Account' and then 'Change your password'.


    Bram Ueffing said:
    Password reset does not work for me: Warning: The E-Mail Address was not found in our records, please try again!
    Hi Bram, are you sure you are trying to sign in to the correct region?
    Yes, I tried it a number of times with the correct region. Both from forum and from the homepage.
    Then I recommend that you contact our sales team via the email webshop (at) fanatec (dot) com. I apologise for the inconvenience.
    I have done that yesterday late afternoon. No reply yet though..
  • mario weingartmario weingart Member
    edited March 2019
    PLEASE FREEZE OUR DELIVERY ADRESSES !!!

    PLEASE FREEZE OUR DELIVERY ADRESSES !!!

    Otherwise the hacker just need to change our delivery adresses to get our dd´s !!

    Please freeze all delivery adresses from all dd1/dd2/dd ps4 preorders until they are shipped!

    If someone realy move to other location in this time, he can write email to support.

    Check here if your email have already been compromised   https://haveibeenpwned.com

    If yes, create a new email and password that you only use here on fanatec store.

    To everyone who preordered,  check if your delivery adress is untouched. And better check it every day from now. 



  • Charles FierensCharles Fierens Member
    @Thomas: Question about the stolen passwords... do you mean that these were stored in plain text? Not hashed?
  • Thomas JackermeierThomas Jackermeier Member
    Charles Fierens said:
    @Thomas: Question about the stolen passwords... do you mean that these were stored in plain text? Not hashed?
    The passwords were encrypted.
  • Thomas JackermeierThomas Jackermeier Member
    edited March 2019
    David Burton said:
    Cant believe this post. No only did you guys leak hundreds of email addresses (including mine) from an incompetent member of staff. Now you have let data get leaked probably due to cutting corners with security software etc.

    Be glad when my items are delivered then I can cut all ties with this company. REAL REAL shame as liked your products but this is getting beyond a joke now.
    Wenn did not cut any corners. We have a full time website developer to avoid those things. Many websites had a leak but most of them don't tell you. And as mentioned in my post there is no evidence that data has been stolen. We just informed our customers that we pro-actively had to reset all passwords. Looking at your reaction, I assume this costs us some business but I still don't regret that we made this step. Because we DO care about your data.
  • Remco Van DijkRemco Van Dijk Member
    edited March 2019
    David Burton said:
    Cant believe this post. No only did you guys leak hundreds of email addresses (including mine) from an incompetent member of staff. Now you have let data get leaked probably due to cutting corners with security software etc.

    Be glad when my items are delivered then I can cut all ties with this company. REAL REAL shame as liked your products but this is getting beyond a joke now.
    Amazing how you are accusing Fanatec of something for which there is no evidence at the moment and that Fanatec probably even avoided (data leak), and how your accusation is based on an unfounded assumption ("probably due to cutting corners with security software").

    Fanatec found a security risk, as do many companies all over the world every day, and fixed it. Furthermore, there are hundreds of companies with security holes in their systems, that have your personal data stored and that are not even aware that they have a security problem.

    Instead of being grateful that a) Fanatec found and solved the issue and b) was open about it to its customers, you're jumping to false conclusions and accuse Fanatec of having done something wrong. When there is no evidence that anything bad has happened.

    Security issues are part of digital life these days, everyone following the news regulary should be fully aware of this. It's always unfortunate when these things happen, but firstly there is no evidence that anything bad happened here, and secondly Fanatec took action immediately after finding the issue. I personally think your reaction is highly misplaced.
  • Joseph GossenJoseph Gossen Member, Moderator
    100% Remco. As I said in my first post “Quick Reaction” and we should be thankful that Thomas and team are transparent with the community unlike many companies.
  • Ulrich WitschaßUlrich Witschaß Member
    Totally ACK. 

    On most cases, similar scenarios are brushed under the rug, because they mean bad PR. And these scenarios happen more often than people might think. Read up on how many webservers to this very day are vulnurable to heartbleed, and should actually be offline. 

    Fanatec did the right thing to pro-actively inform their customer base that the hashed passwords of their accounts might have been leaked, allthough there is no proof at the moment that they were. They informed us because they care about the customers. Dozens of companies inform you after the fact, basically after they have be ransomed for god-knows-how-many bitcoins. 

    Fanatec did the right thing, and I applaud them for that. They conformed to what the GDPR from 2018 is all about: care about personal data, and treat it how it should be treated. 

    As a happy customer of Fanatec, this move actually assured me that they care about the data I give them.

    Data leaks happen. Every day. If you know what to google for, you will be in possession of something like 1,5 billion email/password-hashes within minutes, which all stem from leaks that didn't get discovered, and pose an active threat to anyone on that list who wasn't informed that his mail/password-hash combo might have leaked to a third party. 

    Cut Fanatec some slack, they did the right thing in informing us all, and didn't simply close the leak and got on with their business in the hope noone noticed it.

    Ulrich
  • Chris HarteveldChris Harteveld Member
    Hi guys, I might have a problem. My McLaren GT3 wheel is stuck on my Fanatec CSW V2.5 base, no matter how hard I try it won't come off, it also makes a squeeky noise when I give it a small push, it sounds like its coming from the base. Has anyone experienced this issue? And why can't I get my Fanatec McLaren wheel with QR off the wheel base??
  • Marc-Antoine ThibaultMarc-Antoine Thibault Member
    really time to get the shipping notice. screw 30th of april
  • Josh OskamJosh Oskam Member
    edited March 2019
    Hmmm. Seems a lot like the last two messages have nothing to do with data security. Pretty soon I expect someone will start blaming Fanatec for giving their dog an unpopular name and then posting their rant in the wrong thread.  8-}
  • Joseph GossenJoseph Gossen Member, Moderator
    edited March 2019
    Can we keep these questions to the relevant threads? @Chris I’ve responded in the McLaren thread on page 2.
  • David BurtonDavid Burton Member
    @Thomas. Apologies for assuming data was leaked due to yourselves cutting corners. Still sore about my email being leaked before. Know you have done the correct thing by following the GDPR rules anyway.
    As for losing a customer.....well that remains to be seen yet. Have the DD1 and complementary wheel coming and will see how that turns out. Your product are good.

    With regards to someone's comments on shipping. I would agree about freezing the address or even fanatic re confirming the address before shipping via email.

    Not related to data but would like to put it out there about shipping for others. 
    Wish Fanatec would offer a "sign for" option on delivery, as UPS just dumped my last Fanatec package on the doorstep without making an effort to knock on the door and deliver in person.  Know this is UPS policy now having looked into it but think it stinks. Here in the uk we normally get a courtesy tap on the door to say things have arrived.

    Emailed both UPS and Fanatec about this when it happened. Had a call from UPS explaining their delivery procedure and was told Fanatec hadn't requested a signature on delivery.
    That's fair enough....but for an extra few £/$ etc , I would prefer paying it rather than letting somebody steal it from the doorstep.
  • Christopher MannChristopher Mann Member
    Lucky that I frequent the the forums regularly cause I just received an email about it today (8 days after this was posted!) Initially I thought that it had been hacked again.... Could have been that my data was at risk for a good week if I had not read about it here. A bit of a worry.
  • Maurice BöschenMaurice Böschen Member
    Christopher Mann said:
    Lucky that I frequent the the forums regularly cause I just received an email about it today (8 days after this was posted!) Initially I thought that it had been hacked again.... Could have been that my data was at risk for a good week if I had not read about it here. A bit of a worry.
    you should have got the mail already on March 18, but that mail was in English. 
  • Christopher MannChristopher Mann Member
    Maurice Böschen said:
    Christopher Mann said:
    Lucky that I frequent the the forums regularly cause I just received an email about it today (8 days after this was posted!) Initially I thought that it had been hacked again.... Could have been that my data was at risk for a good week if I had not read about it here. A bit of a worry.
    you should have got the mail already on March 18, but that mail was in English. 
    nope
  • Benjamin KusBenjamin Kus Member
    I never got an email (in AUS). Only found out from being on these forums
Sign In or Register to comment.