
Possible Security Issue, Bandlab PW leaked to dark web



Good afternoon,

Last night I updated to the latest Cakewalk, and I haven't logged in for quite a long while.

I had to recover my BandLab password, and I used the password reset link.

Today I got a message from one of my monitoring services that my email and pw are now on the dark web.  It is an email address that's never been leaked, and I could tell that it was my new pw.  Needless to say, I have changed it again.  I want to get word to someone at BandLab that it looks like some kind of hack has happened.

I'm pretty sure I wasn't phished, because I couldn't log in to BandLab until I performed the reset action.

Please perform an audit soon.

Thanks!

Chris (Cakewalk user since 1990's)


The web site is sort of sketchy. I got an email telling me I needed to update my payment method? 
For the life of me it was impossible to figure out where on earth the place I should do this is? 
There was not really anything on my Bandlab page. The link to the membership stuff didn’t seem correct? It says something about donating to other musicians? What musicians? I thought Bandlab was for Creators not real musicians.


I finally returned to the hidden links on the Cakewalk by Bandlab / Sonar page and when I clicked the sign up for membership it says I’m already signed up?? 

This is why the last thing on earth I want is some sort of subscription like this!! Nothing worse than your credit card info sitting in a server on the wrong side of the planet!! Or is it in London?  

Edited by John Vere

10 hours ago, John Vere said:

Nothing worse than your credit card info sitting in a server on the wrong side of the planet!

Can you spell PayPal?

Rarely do I use my CC on the web. Bad enough that PayPal has access to my CC and banking info, but beats having the CC at risk everywhere...

t

Edited by DeeringAmps
  • Like 3
  • Great Idea 2

also, when you get an email "we've encountered a problem with your account, click here to correct the problem" and other fun phishing content, always, as in ALWAYS NEVER click on the link, and certainly NEVER click on a box that says "Click Here, it's safe" etc. (web page, PDF, etc etc) as it runs a script under your account and then your system is owned. basic web security for the past, oh, 30 years or so...

if you get a message - go to your bookmarks and open the link directly yourself. and then, when the site opens, always look at the address before doing any other steps.

and yeah, paypal is one of the better places - in addition to a single well protected storage and login (esp if you use multi-factor authentication for every transaction) they have one of the best remediation processes to refute payments made to people and businesses who do the wrong thing.

also, make sure whatever CC you use has a $50 liability limit. so if your debit card does not have that, DO NOT USE IT. most times, if someone is re-using your card (like when you went to the gas station, restaurant, shopping, etc) when you file a complaint, most of the better CC companies don't even bother with the $50. but you want to know at the very least this is in your CC policy...

 

Edited by Glenn Stanton
  • Like 4
  • Thanks 1

9 hours ago, Glenn Stanton said:

make sure whatever CC you use has a $50 liability limit

This used to be dependent on the card issuer, but there is now a federal law mandating this (12 C.F.R. § 1026.12). As most major issuers are based in the US, this will almost always apply, as most third party cards are actually issued by a parent company of VISA/Mastercard/Discover/American Express, but as Glenn mentioned it is definitely worth checking.

PayPal is one I do not overly trust, but some vendors require it. You can actually make a transaction then unlink your card from the account right afterwards so that it doesn't stay on file. I have gotten into the habit of that simply because the phishing emails regarding "PayPal" are frequent enough they never fall off my radar.


yeah, phishing and other tricks (in the old days we called it "social engineering") are tough to stop, but if you actually have an account with something, then close the message and use your browser to go directly to the site from your own bookmarks or memory. this avoids redirects, etc embedded in the links to near lookalike web sites. NEVER EVER click on an email link to one of your accounts. 

  • Like 1
