Need a cybersecurity contact for my.uniden.com

Status
Not open for further replies.

mrf1022

Member
Premium Subscriber
Joined
Apr 10, 2006
Messages
34
Location
Portland, OR
Can someone point me to a person responsible for cybersecurity at Uniden - particularly for the my.uniden.com portal? Feel free to DM me the info. I'd prefer not to report a security issue via the customer support path, but I can't find a good contact.
 

mrf1022

Member
Premium Subscriber
Joined
Apr 10, 2006
Messages
34
Location
Portland, OR
my.uniden[.]com credentials compromised

Since I haven't received a reply and it looks like some people are falling victim to this, I wanted to pass along a word of caution:

The my.uniden[.]com site appears to have been compromised and the credentials stolen. The stolen credentials are being used to send phishing emails attempting to social engineer people into paying a ransom in Bitcoin. The email campaign is nothing more than a scam, but based on transactions to the Bitcoin wallet in the phishing email I received there are people paying the requested $926 ransom.

I've attached a redacted version of the email I received here. The email address and password I use for the my.uniden[.]com site are only used with that site. Additionally, the Uniden passwords are stored in lowercase (your passwords are not case sensitive when you login) and the phishing email I received showed the password in lowercase, so I'm confident in saying the Uniden credential database was compromised rather than some other explanation for how the credentials were compromised.

The Bitcoin wallet from the email was 1LwibmKAKu4kt4SvRLYdUP3aW7vL3Y78zL and you can see here https://www.blockchain.com/btc/address/1LwibmKAKu4kt4SvRLYdUP3aW7vL3Y78zL that people are paying the ransom.

I hope Uniden will investigate this (and at least stop storing the credentials in plain text). If you re-use the password you use for the Uniden site then you should change your password with other sites/services immediately. There's probably no point in changing the Uniden password since there's no guarantee the attacker doesn't still have access.

Code:
Delivered-To: SNIPPED_EMAIL
Received: by 2002:aa7:c554:0:0:0:0:0 with SMTP id s20-v6csp1719403edr;
        Sun, 4 Nov 2018 07:55:25 -0800 (PST)
X-Google-Smtp-Source: AJdET5djyTwGwWa088ynA65ZvvVRNw55JU+VhZLIYX/0mv22R/RdUYwoGlTbOpVxr9OpQ0V7eqoa
X-Received: by 2002:a63:c54a:: with SMTP id g10-v6mr16895104pgd.201.1541346925791;
        Sun, 04 Nov 2018 07:55:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1541346925; cv=none;
        d=google.com; s=arc-20160816;
        b=eHHO/xzIvrzoS9P4KBNB3UKrm5Y0myRia6KewsAyIgtrDB+Bl25+VB1Bmsc+iKudGH
         dFHyd/I8qY9mm8Hb96t/JU+abW16DTrfIdLsHrBSft7tNJgV9YjpRhArDFCyxfIKEjRM
         VAjUzi0ARivdaKz8XFxKetNKs0cQDOda/fJksuvDnXJZhX0whRhYt5kkhgBHowUIUNvF
         KmZ0flUQNp+oo8TraDM8F4U2K/iDQW7mTNyPieIj/qvIT7mi32heKheQUv8X2gok22Fn
         pJisiieUJnCtLTvaN40qhvnEBCW1q8xIKDDU6ul62mmYYyrxC/eZxdvwWS1SjZvmLXXa
         c9+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:subject:to:mime-version:user-agent:from
         :date:message-id;
        bh=w6IdL9vtpq9SWp7WVTphpmsAfJlHnTEQ5NOIJLTcZnM=;
        b=KIxAn+D9wJXHzfgBDmrmJgGDHje8+TOktzYYPRNb6Ivx1VVEF8QkQYhqec8HGTl3cz
         3d/8fhPmaZg+minQNOnxxp7QNN9cQhXM0+ETDE1f6WHDYgEsrIvxKqvgyD4LaAvLX+0O
         qSpfCOzpbAUcmYIDL/YMufX59TnBCtFSg8lPm8+KsQ7iRIVd7WbULKz/Vty5EckbzbeM
         grZlPAaqSlvVtCd+YjecpXWVRCzbhdYGtUwRsOXy8QTWF9I63H3ZEcMCH7PVGwvBagMr
         zw4vgWtoMPdSfkHww/XLRep9uDN7EfP8mzIDszha2rQ4lawq1Qj1b4nbPSVtrYopj83x
         mJ2A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning SNIPPED_EMAIL does not designate 45.233.57.133 as permitted sender) smtp.mailfrom=SNIPPED_EMAIL
Return-Path: <SNIPPED_EMAIL>
Received: from 57.233.45.133.sconfibras.com.br ([45.233.57.133])
        by mx.google.com with ESMTP id o22-v6si37853866pfi.279.2018.11.04.07.55.14
        for <SNIPPED_EMAIL>;
        Sun, 04 Nov 2018 07:55:25 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning SNIPPED_EMAIL does not designate 45.233.57.133 as permitted sender) client-ip=45.233.57.133;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning SNIPPED_EMAIL does not designate 45.233.57.133 as permitted sender) smtp.mailfrom=SNIPPED_EMAIL
Message-ID: <5BDEFA36.5020702@SNIPPED_DOMAIN>
Date: Sun, 04 Nov 2018 10:55:02 -0300
From: <SNIPPED_EMAIL>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: SNIPPED_PASSWORD <SNIPPED_EMAIL>
Subject: Change your password SNIPPED_PASSWORD immediately. Your account has been hacked.
Content-Type: text/plain; charset=IBM852; format=flowed
Content-Transfer-Encoding: 8bit

I greet you!

I have bad news for you.
27/08/2018 - on this day I hacked your operating system and got full access to your account SNIPPED_EMAIL
On that day your account (SNIPPED_EMAIL) password was: SNIPPED_PASSWORD

It is useless to change the password, my malware intercepts it every time.

How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I'm talking about sites for adults.

I want to say - you are a big pervert. You have unbridled fantasy!

After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.

I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
I think $926 is a very small amount for my silence.
Besides, I spent a lot of time on you!

I accept money only in Bitcoins.
My BTC wallet: 1LwibmKAKu4kt4SvRLYdUP3aW7vL3Y78zL

You do not know how to replenish a Bitcoin wallet?
In any search engine write "how to send money to btc wallet".
It's easier than send money to a credit card!

For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!

After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".

I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
 This is a hacker code of honor.

From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

Don't be mad at me, everyone has their own work.
Farewell.
 

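The message above claims "I sent you an email from your account", but its own headers say otherwise: it was handed to Google by an unrelated host (45.233.57.133) and SPF returned softfail for the spoofed sender. The following is an added example for this thread, not code from the forum, from mrf1022 or from Uniden. It parses a constructed subset of the redacted headers (victim@example.com stands in for SNIPPED_EMAIL, hunter2 for SNIPPED_PASSWORD) and flags the two tells a mail filter or a recipient can check: a self-addressed From that does not pass SPF, and a leaked credential pasted into the To display name and Subject. A constructed legitimate message is included as a control.

```python
"""Read the headers of a "sent from your own account" extortion e-mail.

Added example for this thread; it is not code from the forum, from mrf1022 or
from Uniden. SAMPLE_SCAM is a constructed subset of the redacted headers posted
above, with victim@example.com standing in for SNIPPED_EMAIL and hunter2 for
SNIPPED_PASSWORD. SAMPLE_LEGIT is a constructed control message.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_SCAM = """\
Return-Path: <victim@example.com>
Received: from 57.233.45.133.sconfibras.com.br ([45.233.57.133])
        by mx.google.com with ESMTP id o22-v6si37853866pfi.279.2018.11.04.07.55.14
        for <victim@example.com>;
        Sun, 04 Nov 2018 07:55:25 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning victim@example.com does not designate 45.233.57.133 as permitted sender) client-ip=45.233.57.133;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning victim@example.com does not designate 45.233.57.133 as permitted sender) smtp.mailfrom=victim@example.com
From: <victim@example.com>
To: hunter2 <victim@example.com>
Subject: Change your password hunter2 immediately. Your account has been hacked.

I greet you!
"""

SAMPLE_LEGIT = """\
Return-Path: <newsletter@example.org>
Received-SPF: pass (google.com: domain of newsletter@example.org designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: Example Newsletter <newsletter@example.org>
To: victim@example.com
Subject: October update

Hello
"""


def analyse(raw_message: str) -> dict:
    """Return the SPF verdict plus two indicators of a forged, self-addressed lure."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    to_name, to_addr = parseaddr(msg.get("To", ""))
    subject = msg.get("Subject", "")

    # Folded header lines keep their newlines under the default policy; flatten them.
    spf_field = re.sub(r"\s+", " ", msg.get("Received-SPF", "")).strip()
    verdict = re.match(r"(\w+)", spf_field)
    spf_result = verdict.group(1).lower() if verdict else "none"
    ip_match = re.search(r"client-ip=([\d.]+)", spf_field)
    client_ip = ip_match.group(1) if ip_match else None

    from_domain = from_addr.rpartition("@")[2].lower()
    to_domain = to_addr.rpartition("@")[2].lower()

    # Indicator 1: the mail claims to come from the recipient's own domain, yet the
    # receiving MTA could not confirm the delivering host as a permitted sender.
    spoofed_self = bool(from_domain) and from_domain == to_domain and spf_result != "pass"
    # Indicator 2: the display name in To: is echoed in the Subject, the pattern of
    # a leaked credential being pasted in to make the threat look credible.
    lure = bool(to_name) and to_name in subject

    findings = []
    if spoofed_self:
        findings.append(
            f"From {from_addr} is self-addressed but SPF={spf_result} for "
            f"client-ip {client_ip}: the sender address is forged, the account was not used"
        )
    if lure:
        findings.append(
            f"To: display name {to_name!r} reappears in Subject: leaked credential used as bait"
        )
    return {"spf": spf_result, "client_ip": client_ip, "spoofed_self": spoofed_self,
            "lure": lure, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample))
```

Run it as a script to see both verdicts. The SPF softfail alone does not prove anything about where the password came from; what it does prove is that the mail was not sent through the victim's account, which removes the only "evidence" the extortion text offers for its malware story.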
Hit_Factor

Member
Joined
Mar 6, 2010
Messages
2,028
Location
Saint Joseph, MI
Nice job figuring this out. I too received the email and wondered about the capitalization of the password. If I recall correctly, the email arrived every 3 or 4 days for about 2 weeks.

No, I did not pay the ransom.

A low tech, but absolutely cyber proof, solution for the camera is covering the lenses with black tape. I don't know of a way to turn off the microphone.
 

Linkero

Member
Joined
Sep 5, 2018
Messages
97
I know exactly how you ended up getting the email, and rest assured, it wasn't because uniden was hacked. There's a reason they mention the "naughty sites" ;) How did it get your info tho? Probably from saved password fields, cookies, etc. The fact of the matter is they basically take the first stored info they can get and send it in an email. For me, the user/pass combination they sent didn't match any site I visit, or the email itself. But hey, at least they tried! Oh and I've been getting quite a few variations of this email for nearly 2 years on my one email! Just ignore it, it's spam. If you want to feel more safe, run a malware scan, make sure your browsers are updated, router firmware updated, the works.

In the end it's just some crafty javascript and an automated email. More than likely, my.uniden.com isn't the cause tho
 

mattimac

Member
Joined
Oct 12, 2015
Messages
91
Location
Europe
mrf1022 said:
Since I haven't received a reply and it looks like some people are falling victim to this, I wanted to pass along a word of caution:

The my.uniden[.]com site appears to have been compromised and the credentials stolen. The stolen credentials are being used to send phishing emails attempting to social engineer people into paying a ransom in Bitcoin. The email campaign is nothing more than a scam, but based on transactions to the Bitcoin wallet in the phishing email I received there are people paying the requested $926 ransom.
[...]
(The rest of the quote, including the redacted e-mail, is identical to mrf1022's post above.)
I can confirm that there was a vulnerability that exposed data of customers who bought any upgrades; the data included:
Order number
Order date
Surname, name
full postal address
email address
phone number (if provided)
price paid

I reported it to Uniden and they fixed it in 30 minutes. There was no HTTPS at the time either.
Every user of my.uniden.com could easily find the bug (I am sure someone did before me) and acquire this data even without an account on my.uniden.com.
I reported about 3 years back that it is a shame there is no HTTPS there.

There was also a bug letting everyone with an account registered on my.uniden.com view details of other registered devices (I don't remember if I was able to edit others' data as well).

Statement I received after asking for an official statement after I made full disclosure:
Thank you for contacting us and your follow up. The issue has now been corrected, and we have confirmed that none of the following categories of information were disclosed with respect to any Uniden customer: (1) social security number; (2) driver’s license or other government ID; or (3) bank account or credit card information. A disclosure is only required when the inadvertently disclosed data includes a person’s name in combination with any of the following: (1) social security number; (2) driver’s license or other government ID; (3) bank account or credit card information; or (4) protected health information. None of those circumstances are present in this instance. To the extent you need additional information, we suggest that you contact our outside counsel: Chad Arnette, Kelly Hart & Hallman LLP, 201 Main Street, Suite 2500, Fort Worth, Texas 76102.
I never got a statement on whether they had the logs to evaluate if someone exploited it and, if they did, what the result of the analysis was; probably those bugs were there for years, but I cannot prove it 100%. No doubt it was easy to automate and acquire the full database of the data described for all customers who bought any scanner upgrade using my.uniden.com.

Overall I must say the reaction was very fast and direct; I appreciate it.
This was written from memory so there may be some errors, but no doubt there is a high probability many people exploited these vulnerabilities IMHO.
 

UnidenSupport

Uniden Representative
Joined
Jul 16, 2018
Messages
538
Location
Wisconsin
Thank you for the heads up, I am not sure if anyone is aware of this, but I am sending this on right away.
 

zz0468

QRT
Banned
Joined
Feb 6, 2007
Messages
6,036
Linkero said:
I know exactly how you ended up getting the email, and rest assured, it wasn't because uniden was hacked.
I received a similar email, and the password was one I only used in a LinkedIn account. The naughty sites reference is just to try to guilt a victim into paying, and is a complete fabrication.

A number of sites have been hacked, and user names and login credentials have been sold to hackers. It then becomes possible to attach a real name to a real address to a real password.
 

UnidenSupport

Uniden Representative
Joined
Jul 16, 2018
Messages
538
Location
Wisconsin
zz0468 said:
I received a similar email, and the password was one I only used in a LinkedIn account. The naughty sites reference is just to try to guilt a victim into paying, and is a complete fabrication.

A number of sites have been hacked, and user names and login credentials have been sold to hackers. It then becomes possible to attach a real name to a real address to a real password.
strikingly similar to a specific episode of "black mirror"
 

EMSJohn

Member
Joined
Jan 4, 2007
Messages
24
Location
Bloomington, MN
Does this have something to do with why my.uniden.com is down at the moment? I was going to do a firmware upgrade on an old scanner and the site is down. Found this thread looking for answers!
 

DaveNF2G

Guest
12 hours since above post. my.uniden.com still not responding.
 

mattimac

Member
Joined
Oct 12, 2015
Messages
91
Location
Europe
DaveNF2G said:
12 hours since above post. my.uniden.com still not responding.
This is something they should have done years ago, probably. We still have no idea how the passwords were stored; I would bet it was plaintext or MD5 without salt, and this is why the passwords could get compromised. No honest statement on this is a shame and shows how Uniden still has no idea how to professionally deal with cybersecurity and public relations.
 
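Two observations in this thread point at the storage scheme: mrf1022 noticed that login is case-insensitive and the leaked password came back in lowercase, and mattimac suspects plaintext or unsalted MD5. The following is an added example, not code from the forum or from Uniden, that models both behaviours in a throwaway WeakStore and puts a salted PBKDF2 store beside it. The user names and passwords are constructed sample data; the point is that with lower-casing and no salt, two users with the same password get the same stored digest, so a single leaked record reveals everyone sharing that password, whereas the salted store yields distinct digests and rejects a case-changed password.

```python
"""Why case-insensitive login and unsalted digests make a breach worse.

Added example for this thread; not code from the forum or from Uniden.
WeakStore models the behaviour observed above (login is case-insensitive, so the
stored form is the lower-cased password) together with the unsalted MD5 storage
suspected later in the thread. SaltedStore is the per-user salted, slow-hash
alternative. Users and passwords below are constructed sample data.
"""
import hashlib
import hmac
import os


class WeakStore:
    """Lower-cases the password and stores an unsalted MD5 of it."""

    def __init__(self):
        self._rows = {}  # user -> hex digest

    def register(self, user, password):
        self._rows[user] = hashlib.md5(password.lower().encode()).hexdigest()

    def login(self, user, password):
        digest = hashlib.md5(password.lower().encode()).hexdigest()
        return hmac.compare_digest(self._rows.get(user, ""), digest)

    def identical_hashes(self):
        """Groups of users whose stored digests collide. Without a salt, every
        account sharing a password shares a digest, so one leaked record exposes
        all of them at once."""
        seen = {}
        for user, digest in self._rows.items():
            seen.setdefault(digest, []).append(user)
        return [users for users in seen.values() if len(users) > 1]


class SaltedStore:
    """Per-user random salt + PBKDF2-HMAC-SHA256; password case is preserved."""

    # Kept modest so the demo runs quickly; production deployments should use a
    # higher count or a memory-hard function such as scrypt or Argon2.
    ITERATIONS = 200_000

    def __init__(self):
        self._rows = {}  # user -> (salt, digest)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self._rows[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        row = self._rows.get(user)
        if row is None:
            return False
        salt, expected = row
        return hmac.compare_digest(expected, self._derive(password, salt))

    def identical_hashes(self):
        seen = {}
        for user, (_, digest) in self._rows.items():
            seen.setdefault(digest, []).append(user)
        return [users for users in seen.values() if len(users) > 1]


def demo():
    """Register two users who chose the same password (differing only in case)
    in both stores and report how each store behaves."""
    weak, salted = WeakStore(), SaltedStore()
    for store in (weak, salted):
        store.register("alice", "Scanner2018")
        store.register("bob", "scanner2018")
    return {
        "weak_case_insensitive": weak.login("alice", "SCANNER2018"),
        "weak_collisions": weak.identical_hashes(),
        "salted_case_insensitive": salted.login("alice", "SCANNER2018"),
        "salted_correct": salted.login("alice", "Scanner2018"),
        "salted_collisions": salted.identical_hashes(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A case-insensitive login is itself a symptom: the only way to accept "Password" and "password" interchangeably is to normalise the password before storing or comparing it, which means the stored value is a lower-cased password or its unsalted digest, exactly the form that showed up in the extortion mail.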


racing1

Member
Joined
Sep 6, 2011
Messages
412
My.uniden.com is working great for me as of yesterday. When logging back in it'll advise you to press reset password and change it before it lets you log in again.
 

DaveNF2G

Guest
But see the "Now I'm Ticked" thread in the Tech Support Forum. If your email address is misconfigured or out of date, you're screwed.
 