The online racing simulator
Fake Emails from LFS Tech?
(46 posts, started )
after tracing some steps of an account that I know is affected, I can still only assume the email box of that person was compromised.
I see a lot of password retrieval attempts in the logs. Unfortunately up till now I did not log password retrievals so I don't know which emails have been entered.
I have looked very closely over my code regarding that page, multiple times, and cannot see a flaw there. So I have to conclude (unless I'm blind, but I'm fairly sure that's not the case atm) that some email boxes have been compromised.

Seeing that the person(s) responsible seem to like to hack servers (I've come across a handful when doing my activity traces) perhaps they've hacked a website where the affected Germans also had an account and perhaps used the same password as their email account. Perhaps they're trying to enter a load of email addresses on our website to see if anyone has an account here and if they do, they read the password retrieval email using their access to the compromised email box.

It's just a theory, but it wouldn't be the first time.

And one of the reasons why I think it's not our server that has been compromised is that only a certain group of people are affected and not a wide range of random accounts, including dev accounts.
And that certain group of people might have something else in common that has been hacked.

Now, the question regarding whether our password retrieval page is good or not, that's another matter. Though the only real improvement I can think of is adding something like a personal question and answer. All the other options like sending a link to click, leading to a page where password can be changed or reset, all result the same when an email box has been compromised.
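
As an added illustration (not part of the original thread and not LFS's own code): once password retrievals are logged together with the address entered, a check like the one below can pick out a source that tries many different addresses in a short time, which is the pattern theorised above. The log format, the threshold and window, and the function names are assumptions; the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per password-retrieval request:
# "ISO timestamp <space> source IP <space> email entered". Not real data.
SAMPLE_LOG = """\
2009-03-01T01:10:05 203.0.113.7 anna@example.org
2009-03-01T01:10:09 203.0.113.7 bernd@example.net
2009-03-01T01:10:14 203.0.113.7 carl@example.com
2009-03-01T01:10:20 203.0.113.7 dora@example.org
2009-03-01T01:10:31 203.0.113.7 emil@example.net
2009-03-01T01:10:40 203.0.113.7 anna@example.org
2009-03-01T09:00:00 198.51.100.4 fritz@example.com
2009-03-01T09:02:00 198.51.100.4 fritz@example.com
2009-03-01T23:59:00 198.51.100.4 fritz@example.com
"""

def parse(log_text):
    """Yield (timestamp, ip, email) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        ts, ip, email = parts
        yield datetime.fromisoformat(ts), ip, email.lower()

def flag_enumeration(log_text, max_distinct=3, window=timedelta(minutes=10)):
    """Return {ip: sorted emails entered by that ip} for every source that
    requested retrieval for more than max_distinct different addresses
    inside any sliding time window of the given length."""
    by_ip = defaultdict(list)
    for ts, ip, email in sorted(parse(log_text)):
        by_ip[ip].append((ts, email))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {email for _, email in events[start:end + 1]}
            if len(distinct) > max_distinct:
                # Report every address this source tried, so the affected
                # accounts can be checked and their owners warned.
                flagged[ip] = sorted({email for _, email in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, emails in flag_enumeration(SAMPLE_LOG).items():
        print(ip, "requested retrieval for", len(emails), "addresses:", emails)
```

A single user who repeats a request for their own address (the second source in the sample) is not flagged, because only the number of different addresses counts.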
Victor, go to bed!

Seriously though, this is true dedication isn't it? Up at nearly 2am to help us LFS guys!
well, I'm trying to make sure it's not a problem of mine! Can't sleep not knowing that
Well, again, what a motivated guy!
btw, now that I'm on it anyway, what textual improvement would you make to the email? To me it sounds good, but since you're a brit ..
Quote from Victor :btw, now that I'm on it anyway, what textual improvement would you make to the email? To me it sounds good, but since you're a brit ..

The words hereby and we should be the other way around,

It should read 'we hereby send you', not hereby we send you.

Not trying to nitpick, just an observation.
np, updated
hereby sounds weird though doesn't it? Sounds like a word from a will or on a "I hereby sentence you to death" kind of thing.
#34 - SamH
It's entirely up to you, Vic, but I'm firmly of the belief that you cannot burden yourself with the responsibility of defending LFSers from hack attempts on their personal email boxes.

It's up to them to ensure that their email password is secured, and it's up to them to ensure that, if they join a website for example, they don't sign up with guessable or re-used passwords, or (god forbid) their email inbox password. There are even some LFS-oriented websites about that, frankly, I wouldn't trust as far as I could throw a fit. If LFSers are being compromised that way it's not YOUR error, Vic. It's theirs.
Or, 'I hereby command you to do 10000 laps on BL1 driving the UF1000 or you will be hung by the fingers until they break'

it does make more sense the 'we hereby' way round tho.
#36 - SamH
Quote from danthebangerboy :The words hereby and we should be the other way around,

It should read 'we hereby send you', not hereby we send you.

Not trying to nitpick, just an observation.

Meh.. it shouldn't say that either. It's a bit medieval, "hear ye, hear ye..."

I recommend

Please find, below, your account username and WEBpassword. Please keep them safe. DO NOT share with others. Nobody at LFS will EVER contact you to request this information.
Quote from SamH :Meh.. it shouldn't say that either. It's a bit medieval, "hear ye, hear ye..."

I recommend

Please find, below, your account username and WEBpassword. Please keep them safe. DO NOT share with others. Nobody at LFS will EVER contact you to request this information.

Sam is right, that is gooood wording.
#38 - SamH
:throwrose
alrighty then
Quote from SamH ::throwrose

Couldn't help laughing.. I support your words though!
Ok, the email account theory is not what the problem is. I used a different password on every page, my passwords are not the same, I have changed the email password and my game password, and I use a different game password and web password.

I think that someone has made a joke and has entered some emails and sent the account data. I cannot believe that anyone has hacked 6 different email accounts and only has used the password forget button on the LFS page...

Hmm, strange, I don't know what the problem is...
Could still easily be your email account that was hacked. If the guy knows the pass, it's in his best interest to leave it, so you don't suspect anything. Then he requests the password from LFS and he has another password of yours. Are you following this?
But it's really hard work; again, 6 different email accounts on different ISPs. Hmm, sorry, I don't think anyone has hacked 6 email accounts to get 6 LFS accounts...

I think someone has made a joke and has clicked the password reset button and entered our email addresses. I don't have a hack and I have asked my provider; he says "no, all ok"...
Maybe the guy hacked 1 or 2 and then did the request-password thing on several others to throw Vic off the scent. I don't know, I got the impression you HAD been hacked, my bad.
It's more likely that you have some sort of keylogger on your PC. If you have LFS unlocked and the forum set to remember your password, the cracker wouldn't have direct access to the LFS password, but if you don't use remember password on your email account then he can gain access to it and use the LFS password retrieve option to get hold of the password.
Keylogger is what I was thinking too.