Storage Battles Makes Huge Security Blunder

I got an email from Storage Battles that said, hey we ported your account over to storagetreasures.com - Please log in with your email address and the password of "Storagebattles", and you can change your password if you want. 

That just rings of security and privacy issues.  If you knew your friends email address, I bet you could of easily logged into their account, and changed their password :/

I also got the email, hey we ported your account over to storagetreasures.com - Please log in with your email address and the password of "Storagebattles", and you can change your password if you want. 

That just rings of security and privacy issues.  If you knew your friends email address, I bet you could of easily logged into their account, and changed their password :/

Houston, we have a problem!
So anyone can take over another person's account (with their credit card information attached) simply by knowing or guessing their email address? That's disturbing. Can someone post a copy of that email please?

I also got the email, hey we ported your account over to storagetreasures.com - Please log in with your email address and the password of "Storagebattles", and you can change your password if you want. 

That just rings of security and privacy issues.  If you knew your friends email address, I bet you could of easily logged into their account, and changed their password :/

OMG! What idiots. Its like the target thing all over again....but at least target was hacked...these idiots handed our credit card information over in an email blast!!!! Tell Storage Battles what you think https://www.google.com/#q=storage+battles&lrd=0x872b0bc33d3a52ff:0xbe58d239a20f797d,1&lrd=0x872b0bc33d3a52ff:0xbe58d239a20f797d,1]HERE.  Then click write a review.

Travis:

Just to clarify your comments, StorageBattles.com took all security measures and precautions in transferring over our clients information recommended by our CIO and an external security consultant.  No credit card information is being transferred over, and actually through our security procedures, is not even saved in our system.  All that was transferred over was contact information.  You can use the site without entering a credit card.  However, if you do wish to bid, then you will be required to enter your credit card information and change your password.  As we continue to be the leader in the online storage auction business segment, our StorageTreasures.com web site will continue offer many more benefits than our StorageBattles.com web site including the most comprehensive list of live auctions in the US, over 6,000 online auctions per month, and now the ability of trading, selling and buying items online through our new TreasureChest FREE online store. 

Thank for yours and your contributors concerns and comments.  Keep them coming as they help make us better.

Jim Grant
CEO StorageTreasures/StorageBattles

Jim, just for clarification, did these emails go out to all registered users? The reason I ask is that some of our members, which use your platform as well, reported that they didn't receive notification.

Just to clarify your comments, StorageBattles.com took all security measures and precautions in transferring over our clients information recommended by our CIO and an external security consultant. 

I would fire them both, they obviously have no idea what their doing.

No credit card information is being transferred over, and actually through our security procedures, is not even saved in our system.  All that was transferred over was contact information. 

So let me get this straight, ONLY our personal information was compromised?

our StorageTreasures.com web site will continue offer many more benefits than our StorageBattles.com web site including the most comprehensive list of live auctions in the US

As someone who produces a comprehensive human edited storage auction schedule for Texas, I can honestly say that your aggregated schedule is not comprehensive. It's plagued with problems and it misses tens of thousands of auctions a month. I can go into more detail if you'd like, but I'll have to charge you a consultation fee.

And apparently you haven't heard, we're launching our storage auction schedule for the U.S. and Canada this month. It will be, at least, comparable in quality to your schedule, except we won't be charging a fee for it.

and now the ability of trading, selling and buying items online through our new TreasureChest FREE online store. 

Have you had any luck with that so far? It just seems like most resellers would prefer to use eBay or Craigslist.

So let me get this straight, ONLY our personal information was compromised?

While that might sound bad, it really isn't when compared to the possibly of having CC information exposed.

While that might sound bad, it really isn't when compared to the possibly of having CC information exposed.

Some would argue that their privacy is equally important.

Some would argue that their privacy is equally important.

Some would argue that on the internet, there is no such thing as privacy.

Some would argue that on the internet, there is no such thing as privacy.

Be that as it may, one still expects a reasonable amount of care to be taken by entities they entrust with their personal information.

Travis:

Just to clarify your comments, StorageBattles.com took all security measures and precautions in transferring over our clients information recommended by our CIO and an external security consultant.  No credit card information is being transferred over, and actually through our security procedures, is not even saved in our system.  All that was transferred over was contact information.  You can use the site without entering a credit card.  However, if you do wish to bid, then you will be required to enter your credit card information and change your password.  As we continue to be the leader in the online storage auction business segment, our StorageTreasures.com web site will continue offer many more benefits than our StorageBattles.com web site including the most comprehensive list of live auctions in the US, over 6,000 online auctions per month, and now the ability of trading, selling and buying items online through our new TreasureChest FREE online store. 

Thank for yours and your contributors concerns and comments.  Keep them coming as they help make us better.

Jim Grant
CEO StorageTreasures/StorageBattles

Jim,

   First off your not making smart decisions, but yet you have success.  I can think of a few people that fall into this category. Sometimes clueless people just get dealt the right cards. I'm not saying Travis is right, lord knows he and I disagree on just about everything.

  Secondly, using the same password for all accounts is not smart, most people will say it's stupid, any external security company would not advise that. So I personally don't believe you and if by some chance you're telling the truth, see my first comment.  This decision alone makes me feel un-safe to use your system.

  Thirdly, when I was in my new "Storage Treasures" account, I went to add my "Credit Card" and well it said my credit card was already on file. So they might not get my Credit Card #'s because you are using Authorize.net CIM solution. The hacker will still gain the ability to use my account and bid on auctions and my credit card would be charged and when those people complain you will be charged with Charge-back fee. Get enough of those and well, we both know what happens.

  Forthly, Title's like "CIO", "Security Consultant" - Doesn't means it implies intelligence or removes you from accountability. They are just people and nothing special, companies go bankrupt all the time and they all have CIO's and CEO's, CFO's, CPA's etc.  Title's are meaningless it's the person's knowledge and experience that counts. For example keep reading.

  Fifthly, Your Programmer and external security adviser *Cough*, must of not informed you that you are not even PCI Compliant.  For example, I can register for an account at http:// www. storagebattles.com/register/ - Notice it's not "SSL"  - Then I can advance to the next screen and put my data in, not under SSL.  Just because your link on the front page takes you to a SSL Page, doesn't make you PCI Compliant. If I sent the register link to a friend or posted the register link on a forum with HTTP not HTTPS and then they sign up. Their CREDIT CARD data can be comprised.

So that about sums it up Jimmy, I'm not even trying to audit your system and processes. Imagine if I did? Just make smarter decisions and hire the right people.

This blunder just turned into a catastrophe.

Check this out.

Google "site:storagebattles.com gmail" or insert any other email provider, and you'll get a bunch of winning bidder's email addresses of people who used their email address as the "screen name" (I guess).

So, you didn't even need to know someone's username, you could just do a Google search and find plenty of accounts to hack. 

I wonder if the spam bots picked up all those poor user's email addresses?

I wonder if his "security analyst" and "CIO" approved of this practice?

Jim, if you're reading this, I think it's time to notify all of your users that their accounts may have been compromised. It's the responsible thing to do at this point.

This thread is great.

I wonder if his "security analyst" and "CIO" approved of this practice?

They probably got a promotion :/ 

Now if this happened, in a public-ally traded company the company board would be forced to replace the CEO.  Bad decision making :/

Also if JIM fails to take action and doesn't have google remove those listings with peoples addresses in it..

Then he's opening himself up to a class action lawsuit. Doing nothing and not notifying people of the breach in their security protocols and publishing email addresses will be costly.

Also if JIM fails to take action and doesn't have google remove those listings with peoples addresses in it..

Then he's opening himself up to a class action lawsuit. Doing nothing and not notifying people of the breach in their security protocols and publishing email addresses will be costly.

All he has to do is delete all of his completed auctions. It's real simple, but that doesn't change the fact that he needs to notify his user base that their accounts may have been compromised. Sure, it's going to be really bad for business, but ignoring it is going to make matters worse, especially if a self-storage industry news site were write a story about it.

Just thought of something else. Most storage facilities publish their email address on their website, so their accounts may have been compromised as well.