Kivlov wrote:
Sorry, but I don't think it's the forum users database, because I didn't have a forum account here until I made one last week to report this issue.

The email address I received the fishing mail on had only ever been used to purchase CCD in 2011.

Kivlov wrote:

The website was hacked a few months ago and this is only coming out now? Very unprofessional. Users need to be notified of these sort of things asap, not months later. Wth

Do you know if they just got emails? Or did they also get passwords? Because if you used on a different site as Johey stated, they could be bad.

quax wrote: This is quite strange, as this information is not stored on our website. All purchases are made through PayPro servers.

NewSimulatorPlayer wrote: As I already said the issue was resolved promtly. And we didn't know that any data could be hijacked. Even now we still have some doubts that this website attack was the source, where the intruders got the emails, as this doesn't look like a mass effect - we got only 2 complaints about that on email, plus some here.

NewSimulatorPlayer wrote: The passwords are never stored in "open" form. All they could get - password hashes, but they're completely useless, as hash cannot be decrypted.

Kivlov wrote:
Even if it was resolved quickly, you should notify your users/clients about the potential breach. Doing this harms the trust, that's true, but not doing it harms even more the trust as the data is always likely to come out someday,and in addition this put the users at risk as they can't take the adequate measures to protect their other accounts on other platforms using the same password.

About password hash, that's not enough, rainbow table cracking can Crack most in a few seconds. I hope you used a salt that is not stored anywhere in the db to make cracking a bit more difficult, but I guess that's not the case as designing a good salt system is famously difficult.

Everybody gets hacked nowadays, just do like all the other businesses : notify your users.