Comments on: Elance Hit By Security Breach

By: Steffan

Steffan — Sun, 22 Nov 2009 21:11:16 +0000

I tried and used this new service OutsourcingRoom. Their support team is rather professional, and there are no fees and no % taken… It doesn’t look like a scary service at all.:) Many people work there and in the days of economic crisis I think they do a great job giving freelancers the way to earn their living. There’re no shill posters and shady bids on OutsourcingRoom. I’m sure it will be the most popular freelance service in the near future.

By: Rori

Rori — Tue, 08 Sep 2009 17:16:56 +0000

I am sorry, but my credit card information was stolen from elance. I’ve got a statement from the bank with some unusual transactions, all from the USA and I live in the UK. Fortunately had no big money in it. Should contact elance now and ask.

By: Security Snafu: Elance Sends Private Messages All Over The Place | Codedstyle

Sat, 29 Aug 2009 11:13:38 +0000

[...] professionals and contractors online, and once again it’s not good news but another security issue. A registered user of the service, Salma Jafri, tells us she has been receiving dozens of private [...]

By: The Far Edge » Blog Archive » Security Snafu: Elance Sends Private Messages All Over The Place

Fri, 28 Aug 2009 20:17:42 +0000

[...] independent professionals and contractors online, and once again it’s not good news but another security issue. A registered user of the service, Salma Jafri, tells us she has been receiving dozens of private [...]

By: Security Snafu: Elance Sends Private Messages All Over The Place | Trinitude Network

Fri, 28 Aug 2009 19:14:47 +0000

By: Security Snafu: Elance Sends Private Messages All Over The Place | Techdare

Security Snafu: Elance Sends Private Messages All Over The Place | Techdare — Fri, 28 Aug 2009 18:15:13 +0000

By: Gaurav

Gaurav — Fri, 28 Aug 2009 14:29:07 +0000

Didn’t realize the thread is from July. The emails I got were last night. I guess most likely some code screw up?

By: Gaurav

Gaurav — Fri, 28 Aug 2009 14:27:41 +0000

There is more to it. I received numerous messages which appear to be daily summary for projects on elance none of them have anything to do with me.

The summaries have private messages for those projects, with project details, email/phone as signature.

Jason – Where can I email a screenshot?

By: Security Snafu: Elance Sends Private Messages All Over The Place

Security Snafu: Elance Sends Private Messages All Over The Place — Fri, 28 Aug 2009 13:34:00 +0000

By: Developerholic

Developerholic — Fri, 24 Jul 2009 02:18:19 +0000

I own an account in Elance so I was surprised that my info were in OutsourcingRoom.com which I do not remember signing up. I think I discovered this way back prior Elance has discovered an attack

By: The Far Edge » Blog Archive » Spammers Running Wild In Latest MySpace Phishing Attack

Mon, 20 Jul 2009 18:39:13 +0000

[...] breach revealing internal documents, while developer-outsourcing site Elance got hit by a hack as well that compromised some user [...]

By: Spammers Running Wild In Latest MySpace Hack

Spammers Running Wild In Latest MySpace Hack — Mon, 20 Jul 2009 17:29:58 +0000

[...] This is only the latest in a long string of recent security attacks against major web services. Last week Twitter fell prey to a massive security breach revealing internal documents, while developer-outsourcing site Elance got hit by a hack as well. [...]

By: Alexander Kornbrust

Alexander Kornbrust — Mon, 20 Jul 2009 11:54:45 +0000

Elance lost also creditcard numbers, The hacker already abused my card. Mastercard locked my creditcard yesterday.

By: Steve

Steve — Sun, 19 Jul 2009 22:07:18 +0000

CEO CyberBionic Systematics Dmitriy Okhrimenko about OutsourcingRoom and Elance

http://outsourc...urcingRoom.aspx

By: Roberto

Roberto — Sat, 18 Jul 2009 14:44:43 +0000

I hope that the credit cards are kept safe. Again, why the fuss if they only took the more-less public data?
Smells bad to me…
I anyway did not work with elance the past 6 months, as the economy collapsed. People from India and China work basically for a “thanks”.
Now, is there a reason to keep my elance profile? Should I trust them? Heh….

By: Paul Anderson

Paul Anderson — Sat, 18 Jul 2009 05:51:59 +0000

Soon we’ll see our credit card info on rapidshare… Hate elance(

By: Dan Grossman

Dan Grossman — Sat, 18 Jul 2009 05:51:33 +0000

There are too many factors we’re not aware about to speculate. But if I were a member there with stored payment information, I’d be logging into online banking every day to watch for fraudulent charges.

By: Dan Grossman

Dan Grossman — Sat, 18 Jul 2009 05:49:32 +0000

Passwords “encrypted” with a poor hash function (which is not encryption at all) are just as good as plain text. Grab an md5 dictionary and if they have a password that generates the same hash as yours, they can log in to any other site using the same type of hash to “encrypt” your password… as you.

By: Dan Grossman

Dan Grossman — Sat, 18 Jul 2009 05:46:58 +0000

Why would you say such a thing?

I know a wonderful lawyer who taught the most interesting business law classes at university then gave me personal recommendations to grad school.

And another great lawyer who’s a wonderful mother, balancing her home time and work as a lawyer, and recently defended a small site owner against a big company that wanted to take their domain for trademark infringement, when there was not even a semblence of similarity!

By: Paul Anderson

Paul Anderson — Sat, 18 Jul 2009 05:26:55 +0000

I thing Elance sold the database…

By: Paul Anderson

Paul Anderson — Sat, 18 Jul 2009 05:23:44 +0000

I found the phones database of Elance…
Look to the twitter!

https://twitter.com/denparker
Download it – http://rapidsha...phones.zip.html

By: Stuart

Stuart — Sat, 18 Jul 2009 02:47:22 +0000

@Shamit Khemka

> even the passwords were encrypted so the
> theives cant do jack s**t with the data

Actually, they can indeed do s**t with the data. And probably are doing s**t with it.

This topic is covered in most books on cryptography, but you can also read a very quick overview on wikipedia (see “Password cracking”).

Depending on their system design, it may not even require cryptanalysis to recover at least some of those passwords (e.g., if any of the hashes can be found in the variety of rainbow tables out there).

It is best to look at the vendor’s claims of security with a wary eye. In this case, I believe that Elance is understating the risk. Consider your password on Elance to have been compromised and change it on any sites that you may have re-used that password on.

By: shady

shady — Sat, 18 Jul 2009 02:40:26 +0000

that’s fun, OutsourcingRoom.com database comes not from elance – i know it for sure as i have used different emails for elance and scriptlance (sl was hacked on 4th and they have no balls to issue emails about it, they just switch off forum and keep silence), so basically OutsourcingRoom.com have data from sl database as they spaming me utilizing email dedicated to sl, not generic one i’ve used for elance.
heck it looks like a war, 2 freelance sites hacked within a month.

By: Stuart

Stuart — Sat, 18 Jul 2009 02:31:11 +0000

> that contained protected versions of user
> passwords, in an unreadable format called a
> one-way hash.

The story evolves. The site now says “passwords were protected with encryption.”

Maybe Elance is naive about encryption and password hashes. Passwords that have been “encrypted” through a one-way hash are not necessarily “secure” — There are a number of factors that affect how easy/difficult it is to recover the original passwords. In the absence of additional information about their system design regarding password hashing methods, it is difficult to determine the risk. However, it is interesting to note that Elance is requiring all users to change their passwords. That is a veiled clue to users. It would be helpful if Elance was more specific and to-the-point:

Elance users should consider their passwords to have been compromised.

If the password you used on Elance has been used on other web sites, your other web site accounts are at risk, and you should absolutely change your passwords on those sites, and strongly consider using unique passwords for each site [reference this weeks' Twitter/TC debacle].

By: Bart

Bart — Sat, 18 Jul 2009 02:09:47 +0000

Just got that email actually, do you think there’s no possibility of those hackers getting financial data?