That's a pretty bold claim without much evidence, but anything is possible I guess. If you're pretty sure Laracasts has been breached, maybe you should pop an email over to [email protected] if you haven't already.
Laracasts had member email stolen
I am getting Chinese spam on my Laracasts email that only Laracasts has.
@jj15 Laracasts are the only people on the planet with that email address, so it's a pretty certain thing.
I suppose their payment processor could have been hacked too.
@jj15 Also, digging in the raw email, there are a bunch of other email addresses. This one certainly looks like a Laracasts user: "[email protected]"
Obviously I removed the unique part.
It looks like you were right in a way, so my apologies.
If you right-click on your profile picture and open it in a new tab, you'll see your email address displayed in the URL as Laracasts is fetching it through unavatar.io, which is then taking it from Gravatar (which would typically use a hashed version of your email address instead).
EDIT: At least for me, your picture has now changed to what looks to be a default one. It seems that some parts of Laracasts are fetching profile pictures directly through Gravatar, some through unavatar.io (which supports different providers such as Gravatar and GitHub), and some are just default ones. Very odd.
@jj15 It looks like they already patched it. You shouldn't advertise these things publicly since people can abuse it, you should instead notify the support. I did that when I noticed the same thing.
@JussiMannisto Fair point.
@JussiMannisto It was already abused so it matters little. Security through obscurity never worked.
@bluedreamer My reply had nothing to do with security through obscurity, it was about responsible disclosure.
@jj15 I never had a custom avatar - whatever the website sets is what is there.
@JussiMannisto Which is security through obscurity - shhh - don't tell anyone it's broken. I already got my email exposed and probably hundreds of others. So let's make it public so it gets fixed (like it has been) - rather than swept under the carpet and pretend everything is all OK and there are no bugs.
Now I have to change my email for the site since this has been compromised.
@bluedreamer This has nothing to do with security through obscurity. Nobody's suggesting you should sweep it under the rug. You should contact the people that can actually fix it first. Just because you know that one bot has parsed your email address, it doesn't mean there's no further damage to be done. Not everyone on the internet has good intentions.
I'm not saying you did anything wrong in this case. If you can't figure out where the issue is, it's fine to bring it up publicly. But if you did figure out the actual issue, the priority should be getting it fixed while minimizing damage.
I suggest you read about the concept of responsible disclosure for future reference.
@JussiMannisto I have 33 years programming experience - I know exactly what happens to things reported quietly. Stop treating me like a 16 year old child with your supercilious attitude.
@Snapey Thanks but not relevant - like I said I only used my email with laracasts. I never use the same email twice.
@bluedreamer it is relevant if the site you gave it to, gave it to someone else to ask them if you have a preferred avatar.
I do have a Gravatar there so it's likely that my email was exposed in their data breach. The difference is, I treat my email address as public and deal with the crap that brings with spam filtering. It's rarely ever an issue.
@Snapey I treat all my emails as honeypots so that I can see who loses my email. Hence the ability to start this thread. It is so rare for me to get spam that I look into it.
Hey, guys. First, Laracasts has not experienced any form of database breach.
But there are two possibilities if @bluedreamer's email was referenced by a third party.
- As @snapey mentioned, Gravatar had a data breach late last year. We do use Gravatar in certain cases, so that's a possibility.
- On Friday, as part of our profile page refresh, I tweaked how we load avatars. Basically, we check for a manual avatar uploaded to Laracasts, then fall back to Twitter or GitHub if we know the person's username. Finally, as a last resort, we use Gravatar. I did introduce a bug on Friday where the user's email was included as part of the avatar url as part of this last resort. It wasn't hashed properly. I patched it up on Saturday. Note that this would only have been visible via view source for a small number of users. I suppose it's possible that some forum threads were crawled in that short span. If this is the case, I'm very sorry. It was my blunder.
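As an added illustration (not Laracasts' code), here is the avatar fallback chain described above with the Gravatar step done the documented way (MD5 of the trimmed, lower-cased address), beside the unhashed form that exposes the raw address in page source, plus a check a test suite can run so the regression cannot come back. The Twitter/GitHub URL shapes via unavatar.io and the `User` fields are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"
UNAVATAR_BASE = "https://unavatar.io/"  # provider URL form is an assumption


@dataclass
class User:
    email: str
    uploaded_avatar: Optional[str] = None  # avatar uploaded to the site itself
    twitter: Optional[str] = None
    github: Optional[str] = None


def gravatar_hash(email: str) -> str:
    """Gravatar's identifier: MD5 hex digest of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def avatar_url_vulnerable(user: User) -> str:
    """Constructed example of the bug: the last resort embeds the raw email."""
    if user.uploaded_avatar:
        return user.uploaded_avatar
    return GRAVATAR_BASE + user.email.strip()


def avatar_url(user: User) -> str:
    """Fixed chain: uploaded avatar, then Twitter/GitHub by username, then hashed Gravatar."""
    if user.uploaded_avatar:
        return user.uploaded_avatar
    if user.twitter:
        return f"{UNAVATAR_BASE}twitter/{quote(user.twitter, safe='')}"
    if user.github:
        return f"{UNAVATAR_BASE}github/{quote(user.github, safe='')}"
    return GRAVATAR_BASE + gravatar_hash(user.email)


def leaks_email(url: str, email: str) -> bool:
    """True if the address appears in the URL, plainly or percent-encoded."""
    needle = email.strip().lower()
    haystack = url.lower()
    return needle in haystack or quote(needle, safe="") in haystack
```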
@JeffreyWay were older accounts affected? I uploaded a new pic to the forum a few days ago.
@jlrdw No, you have an uploaded avatar which means your account didn’t use Gravatar.