Notified to change password after attack?

[Matt Bernard]

I just finished reading the latest post from today and it does seem that FSL is starting to move things in the right direction. There was however one thing that did not sit well with me. Here is the direct quote.

         " As is customary after such incidents, we immediately advised our forum users to change their passwords. "

I am not sure where or how I was notified but I most certainly did not receive an email from FSL advising me to do any such thing. In fact, I only learned of the attack from numerous 3rd party websites. For those curious about the regulations regarding notification I have attached a link to the actual GDPR Requirements

Please do not mistake this as an attack on FSL or any member thereof. There has been enough drama and controversy lately for a lifetime. Maybe this was just a simple case of not proofreading a post but the fact remains that proper notification was never sent and should not be claimed as having been sent. Like many others I am currently keeping FSL "at arms length". I never requested a refund nor am I interested in one now. I really do like the product and can appreciate all the efforts that went into its creation. And you will not find a single post created by me bashing FSL anywhere on the internet nor will this question be posted anywhere else.

My question is, how exactly were we notified? I have received a few emails from other companies and websites recently that advised me of a potential security breach and a suggested remedy. Is this not what should have happened to those of us who were affected by the attack here? Thanks for reading this and I am genuinely interested in your replies.

[O_l_i_v_e_rM_a_e_r_t_e_n_s]

Good point, Matt.

 

I have not received an email from FSL notifying me of the server attack.

[Chris Kreuzbichler]

It hasn't been a mail, that is correct, it was rather a yellow notification after opening up the forums after the attack (was persistent on top of the page in your browser the whole time) and on the main page of the forums just below the Forums, Activity tab etc. 

EDIT: I have just quickly checked up on the forums, looking for the announcement but I failed to find it. What I am sure of is that it has been there for some days

[Mike Ionas]

6 minutes ago, Chris Kreuzbichler said:

EDIT: I have just quickly checked up on the forums, looking for the announcement but I failed to find it. What I am sure of is that it has been there for some days

The announcement was there until this morning when the news update was posted.

[Chris Kreuzbichler]

Ah, that makes sense. Thanks!

[Matt Bernard]

Quote

6 hours ago, Mike Ionas said:

The announcement was there until this morning when the news update was posted.

 

 

There is a big difference between Notifications and Announcements. We should not have to come to the scene of the crime to learn that our information was breached. 

[Aaron Brand]

Matt, I believe you will find that the way the breach is communicated will most likely pass any GDPR scrutineering.  The legislation does not say that they have to email you.  Just that "the controller shall communicate the personal data breach to the data subject without undue delay".  Method of delivery is up to the controller.  Nitpicking about how it was communicated is up to you.  Easiest way to get the information to hundreds/thousands of customers would have been via a highlighted post in their forums as most right minded people, when hearing of the breach, would have visited the forums.  With all the spam I get, I ignore a large portion of the emails I get daily unless I am expecting something, so I would have missed any email from FSL.

 

Aaron

-oOo-

 

[Ray Proudfoot]

I only received an email today advising I change my password. A little late really. I changed it soon after after reading the announcement back on the 11th I think.