{"id":13989,"date":"2018-12-04T10:10:03","date_gmt":"2018-12-04T18:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/12\/04\/news-7756\/"},"modified":"2018-12-04T10:10:03","modified_gmt":"2018-12-04T18:10:03","slug":"news-7756","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/12\/04\/news-7756\/","title":{"rendered":"Humble Bundle alerts customers to subscription reveal bug"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Tue, 04 Dec 2018 17:20:27 +0000<\/strong><\/p>\n

You\u2019ll want to check your mailbox if you have a Humble Bundle account, as they\u2019re notifying some customers of a bug used to gather subscriber information.<\/p>\n

\"bug<\/a><\/p>\n

Click to enlarge<\/p>\n

The mail reads as follows:<\/p>\n

\n

Hello,<\/em><\/p>\n

Last week, we discovered someone using a bug in our code to access limited non-personal information about Humble Bundle accounts. The bug did not expose email addresses, but the person exploited it by testing a list of email addresses to see if they matched a Humble Bundle account. Your email address was one of the matches.<\/em><\/p>\n<\/blockquote>\n

Now, this is the part of a breach\/bug mail where you tend to say \u201cOh no, not again\u201d and take a deep breath. Then you see how much of your personal information winged its way to the attacker.<\/p>\n

Oh no, not again<\/h3>\n

For once, your name, address, and even your login details are apparently in safe hands. Either this bug didn\u2019t expose as much as the attacker was hoping for, or they were just in it for the niche content collection.<\/p>\n

The email continues:<\/p>\n

\n

Sensitive information such as your name, billing address, password, and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status. More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonuses.<\/em><\/p>\n<\/blockquote>\n

I should explain at this point. You can buy standalone PC games on the Humble store, or whatever book, game, or other collection happen to be on offer this week. Alternatively, you can sign up to the monthly subscription. With this, you pay and then every month you\u2019re given a random selection of video game titles. They may be good, bad, or indifferent. You might already own a few, in which case you may be able to gift them to others. If you have\u00a0 <\/span>no interest in the upfront preview titles, you can temporarily pause your subscription for a month.<\/p>\n

This is the data that the bug exploiter has obtained, which is definitely an odd and specific thing to try and grab.<\/p>\n

Security advice from Humble Bundle<\/h3>\n

Let\u2019s go back to the email at this point:<\/p>\n

\n

Even though the information revealed is very limited, we take customer trust very seriously and wanted to promptly disclose this to you. We want to make sure you are able to protect yourself should someone use the information gathered to pose as Humble Bundle.<\/em><\/p>\n

As a reminder, here are some tips to keep your account private and safe:<\/em><\/p>\n