Glad to hear you guys took immediate action and called in experts to fix it instead of trying to figure it out on your own (Not saying you guys couldn't, I'm sure you would have, but going to experts straight away is always the better choice).

Hi....this is a different issue but wonder if anyone can help. Upon receiving notification from zygor about the security compromise I edited my profile by way of changing my password........all well and good. However I now find that when I open up my zygor updater an error box occurs saying username or password is invalid and everything is showing as a trial version even though I know I have fully purchased guides. Yet when I enter my new password to enter the members area it accepts it no problem. Any ideas?

Hi Zygor,

I highly encourage anyone looking for a password manager to take a look at KeyPass. It makes it so much easier to keep track of the different passwords and usernames you use for sites. Thus, hopefully your more likely to use a more secure password.
http://en.wikipedia.org/wiki/KeyPass


Also I'm not trying to flame but I believe that icewolfdw was wrong about password hashing. I couldn't find a better explanation then this. Believe it or not there are password tables (i.e. rainbow tables) for almost all of the popular hashes.
http://en.wikipedia.org/wiki/Password_salting

He was correct in saying that then you would have no way to recover the password. BUT most websites that do salt passwords end up "resetting" the user's password when they provide enough information.

Thats the best idea. it means that NO ONE can decrypt the password. Not the forum, not Zygor, not a hacker. Retrieving a password should let the user assign a new one in my opinion.

I use a different email for WOW than I do for anything else, I kept getting password resets and now I just know they are phishing when they send the reset to the wrong email.

Wow...

Interesting concept but recommending to DO NOT SALT is irresponsible from an IT security point of view. You have to live with an inability to perform "password recovery" to ensure security... Good luck to all, hopefully we will not experience too much bad follow-up to this unfortunate breach of personal information and trust.

^^^
I agree exactly with what gimbel said. NEVER EVER recommend a lesser security method in favor of convenience, for customers or otherwise. Hackers count on site admins doing exactly that, and that's how this crap happens. SALT is one of the main reasons that I chose Joomla! for my framework. Manual password recovery is possible, but its impossible without direct access to the MySQL tables.

@Zygor: Thanks for the heads-up about this hack, and as a bonus it helped me uncover some password repetition that I'd missed, even a couple sites that would be very bad if they'd gotten in. (and I'm sure would be on their to-check list) I thought I'd gotten everything, but missed those few sites.

I have to admit, that normally I usually avoid "guide sites", as most are rip-offs or scams, and I was quite hesitant to purchase at first, but Zygor Guides just came so highly recommended that I decided to take the plunge. So its FANTASTIC to see that you guys are very responsible about things like this, it helps promote your "legit" image more than anything.

I got email too from them, what action is being take against them, have they been reported to law yet?

Trying to get account details

I had the same problem but lucky for me all my WOW accounts have a different email address to the one I use here.
Slim

ok i changed my password but i have a password that they cant any gues anyways because i dont use small passwords

wel dont go on those emails and dont put in your login formation of wow try to stay away from phising links never login on their site asking for you wow password and secret awnser wow would never do that people that fall for it arent that smart