LbNA Database reportedly compromised
The following thread was posted on AQ. I do not know if you have to be an AQ member to read it.
http://www.atlasquest.com/boards/message.html?msgId=928828;threadId=134128
=========
Here is the first message --
It appears that LbNA's database was breached and all of the trailnames, emails and passwords are compromised. I've seen the list--and sure enough, it included the password I used on LbNA. (I use different passwords for every website I know so I know it came from LbNA.) The list has over 58,000 accounts, so it appears to be a complete list as well.
I won't share that list (for obvious reasons!), but it is highly advisable to immediately change your passwords on LbNA and, if you use those passwords on other websites (most notably on AQ), to change it there as well. I'm planning to create a script that will automatically try these passwords against AQ's passwords and send a notification to anyone with a match, but that'll take some time.
In the meantime, you can protect yourself from hackers by changing passwords immediately.
-- Ryan
============
I am not associated with LbNA, so I will not be able to answer specific questions. Hopefully, someone from LbNA will offer more color. If this is true, it is a big deal, and you should change passwords on other sites where you have the same username/password as on LbNA.
Re: [LbNA] LbNA Database reportedly compromised
On Jun 21, 2016, at 7:04 PM, randy@mapsurfer.com [letterbox-usa] <letterbox-usa@yahoogroups.com> wrote:
Re: LbNA Database reportedly compromised
If any of you are wondering about how much truth there is to this, I posted a message about how it came to my attention at http://www.atlasquest.com/boards/message.html?msgId=928860
It was actually another letterboxer who brought it to my attention saying that they signed up for a service to monitor for data breaches that might affect them, and they got a notification that their email address was found in one particular data dump. They contacted me first thinking it was a breach on Atlas Quest along with a link to the data that was dumped. So I've seen the link, but I'm not posting it publicly for obvious reasons. The data didn't come from AQ, though, it was definitely from LbNA. Besides being labeled "letterboxing.org", I use different passwords for every website and my account information was in this list including my password used ONLY on LbNA. It's quite literally, the ONLY place I've ever used this particular password. So I'm completely convinced of the file's authenticity and source. It's real data, and it came from LbNA.
The file included account information for exactly 58,645 people. I'm not exactly sure how many accounts are on LbNA right now, but AQ has less than 40,000 accounts so it's a LOT of account information--I suspect it's everyone. (The number of people in the list might be a way to check when the data was leaked--if it's possible to determine when LbNA had exactly 58,645 members.)
I have absolutely no idea how or when the database was breached, and don't even know if the hacker is still able to get into LbNA's database. I still think it's a good idea for everyone to change your LbNA password along with any other websites that use the same password, but until Choi or someone can be certain that the database is secure again, don't use the same password on LbNA that you would use on other websites.
The file I saw included everyone's trail name, email address, last IP address, and password (in plain text), but that was it.
-- Ryan
Re: [LbNA] Re: LbNA Database reportedly compromised
On Jun 21, 2016, at 8:36 PM, riskynil@gmail.com [letterbox-usa] <letterbox-usa@yahoogroups.com> wrote:
Re: [LbNA] Re: LbNA Database reportedly compromised
I'll check into sending emails to everyone but my first priority is doing something I should have done years ago -- encrypt the passwords in the database instead of storing them in plain text.
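Two remedies come up in this thread: no longer storing passwords in plain text, and checking the leaked credentials against another site's accounts so that users with a match can be notified. The following is an added sketch of both, not code from LbNA or Atlas Quest. It assumes salted scrypt hashes (a one-way scheme) as the storage format and a hypothetical in-memory `users` table keyed by email; all sample records are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for illustration, tune for your hardware.
N, R, P = 2**14, 8, 1

def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' to store instead of the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt; compare in constant time."""
    scheme, salt_hex, _ = stored.split("$")
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

def migrate_plaintext(users: dict[str, dict]) -> int:
    """Swap each plaintext 'password' field for a salted hash; return rows changed."""
    changed = 0
    for row in users.values():
        if "password" in row:
            row["password_hash"] = hash_password(row.pop("password"))
            changed += 1
    return changed

def accounts_to_notify(leaked: list[tuple[str, str]], users: dict[str, dict]) -> list[str]:
    """Emails whose current password on this site equals the leaked one."""
    hits = []
    for email, leaked_password in leaked:
        row = users.get(email.strip().lower())
        if row and verify_password(leaked_password, row["password_hash"]):
            hits.append(email.strip().lower())
    return hits

def demo() -> list[str]:
    # Constructed sample data: hypothetical user table and leaked pairs.
    users = {"ann@example.org": {"password": "letterbox123"},
             "bob@example.org": {"password": "only-used-here"}}
    migrate_plaintext(users)
    leaked = [("Ann@example.org", "letterbox123"),   # reused password: notify
              ("bob@example.org", "different-pw"),   # no reuse
              ("cat@example.org", "whatever")]       # no account here
    return accounts_to_notify(leaked, users)

if __name__ == "__main__":
    print(demo())
```

Because each stored hash carries its own random salt, the reuse check has to re-hash every leaked password against the matching account's salt; two users with the same password do not share a stored value.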