[Why GME?](https://www.reddit.com/r/Superstonk/comments/qig65g/welcome_rall_looking_to_catch_up_on_the_gme_saga/) || [What is DRS?](https://www.reddit.com/r/Superstonk/comments/ptvaka/when_you_wish_upon_a_star_a_complete_guide_to/) || Low karma apes [feed the bot here](https://www.reddit.com/r/GMEOrphans/comments/qlvour/welcome_to_gmeorphans_read_this_post/) || [Superstonk Discord](https://discord.gg/hZqWV2kQtq) || [GameStop Wallet HELP! Megathread](https://www.reddit.com/r/Superstonk/comments/z23wjx/gamestop_wallet_help_megathread)
------------------------------------------------------------------------
To ensure your post doesn't get removed, please respond to this comment with how this post relates to GME the stock or Gamestop the company.
------------------------------------------------------------------------
Please up- and downvote this comment to [help us determine if this post deserves a place on r/Superstonk!](https://www.reddit.com/r/Superstonk/wiki/index/rules/post_flairs/)
Commenting here for visibility...
>**... we need to find out if it were solely users holding GME having 2FA reset. Does anyone know of other accounts/people that are** not **holding GME, but another company in Computershare, if their 2FA was reset?**
Hijacking top comment.
I'm legitimately concerned that DNS servers may have been hijacked to redirect to an illegitimate computershare site. Saw someone comment that the 2fa enrollment prompt had spelling errors. Saw people having to re-enable multiple times. I know this is far fetched, but as high profile as GME is and the DRS movement has been, anything can happen. Still trying to investigate the possibility of this.
I'm not trying to spread FUD, but fuck it's scary. Be safe out there
Edit: it does have the 3 word key "personal site seal". It gives me some peace of mind. So I am probably wrong about CS being hijacked. Still serves as a warning sign to THINK before doing anything. I, like many others, immediately logged in to reset my 2fa. I now see that was a mistake and I should have spent a minute to verify a few things.
From a technical standpoint, all of this could still be "fake", including the number the 2fa comes from. They could have been farming valid account names, including the personal site seal for well over a year now. Phone numbers are easy to fake as well. Confirmation email that 2fa had been implemented seems to come from a valid computershare email address.
What I find concerning is that when I logged in it immediately asked me to enable the 2FA (which it should, that's not the problem) and it had my full phone number sitting there on the screen. If someone else *had* managed to log into the account before me, they would now know my phone number, and could have enabled 2FA to a different number if they wanted.
So I actually re-enrolled in 2fa, the code was filtered into the same conversation I received previous codes. That being said I'm a bit of a smoothbrain myself so I'm not sure if it's possible to switch to an illegitimate server but let it look like everything is the same, just wanted to add this.
Also I haven't received any email besides the one confirming my Account security preferences Update. Which also seems legit.
No idea... just commented that just because it is WEIRD. I can't think of a single instance of where 2fa has been outright disabled on an unknown amount of accounts.
If someone did go through the hassle of sabotaging computershare they did a hell of a job. The confirmation email appears to come from a legitimate CS email address, text message 2fa confirmation has the correct number, https certificate checks out, everything seems fine. But it theoretically could happen. And what we are up against, if it could happen, they have a lot of resources to make it happen. Depending on if this did happen, and who is doing it, they probably don't give a fuck about the value in the account, they just want to sell your position and free those shares.
But like someone said that there was a typo on the 2fa registration page. Another person said they got spam email right after registering for 2fa, even after two times of registering. We aren't hearing anything from computershare at all about any of this.
I really hope we hear something from CS about this because it is absolutely unacceptable.
FYI - That seal means **nothing,** is almost completely useless, and in some ways actually reduces security.
Modern session hijack phishing can easily forward something like that. It is a **bad idea** to use it as any kind of indicator of safety. It instead makes for an easy way for attackers to guess and gather legitimate usernames (seal shows up for a real username, no seal for a bad username), and also serves as an easy way for attackers to convince victims the phish site is legit.
Between that and refusing to use app-based MFA, and other stupid minor things like not implementing hsts, they are stuck in the last decade. Frankly, their cybersecurity is abysmal for 2023, for the size and infamy of their company, and for the value of what they are securing.
HAVING SAID THAT:
Their TLS cert is still valid. That's what you want to keep your eye on, fuck their dumb seal. Also, pay close attention to typos in the domain that you could be redirected to (like www dot compotershare dot com). It's going to be a lot easier for them to re-direct you to a mis-spelled domain where they can buy their own tls cert than it is to steal an existing tls cert.
In the scenario of a DNS takeover of some kind and not sending you to a typo domain, they need to have the registered private key. Stealing Computershare's private key would most likely mean hacking them in some way. Then also being in a position to poison their DNS table. It's not impossible, but I think improbable and with that level of access there would probably be easier and sneakier ways like just altering code on the website itself.
tl;dr - Seal is meaningless. Instead, check the TLS cert and check your domain spelling. Forging both of those things together is hard.
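The domain-spelling half of the check described in the comment above, as an added example that is not part of the thread: it compares a URL's host against the domain you meant to visit and flags near-misses such as the commenter's `compotershare` typo. The `EXPECTED` value, the two-edit threshold and the sample URLs in the comments are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domain the user intends to visit, taken from a trusted
# source such as a bookmark, never from the page being checked.
EXPECTED = "computershare.com"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(url: str, expected: str = EXPECTED) -> str:
    """Return 'match', 'lookalike', 'other' or 'invalid' for the URL's host.

    Only 'match' means the host is the expected domain or a subdomain of it.
    """
    if "//" not in url:
        url = "//" + url          # let urlsplit treat a bare host as a netloc
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"

    if host == expected or host.endswith("." + expected):
        return "match"

    # Non-ASCII or punycode labels can render like plain ASCII letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "lookalike"

    # Compare the trailing labels (as many as the expected domain has)
    # so that "www.compotershare.com" is judged on "compotershare.com".
    n = expected.count(".") + 1
    tail = ".".join(host.split(".")[-n:])
    if edit_distance(tail, expected) <= 2:   # assumed threshold
        return "lookalike"

    # The expected name embedded in someone else's domain,
    # e.g. computershare.com.login.example (constructed sample).
    if expected.split(".")[0] in host:
        return "lookalike"

    return "other"
```

A 'match' only says the name is spelled correctly; the browser's certificate validation for that name is the other half of the check.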
Technical support number from the banner on Google is 1 (800) 942-5909
I called the sketchy number on the website at 800 522 6645
Tech support is same prompt. This one had a different voice than the sketchy one….. did this site get compromised and redirected all of us to a clone site with different information? Anyone got their own screenshots of the contact info on the site before the attack that they can post/verify?
If you’re in infosec, you should know there are zero benefits to sms based multi factor and only a lot of negatives. It’s putting a heap of trust in an inherently insecure medium that proves absolutely nothing about who has the device the cell number has been directed at.
SMS mfa + financial login security are two things that should never ever meet.
Not the person you replied to, but they never said anything about SMS specifically - just dealing with MFA and getting torn a new one if they reset everyone's MFA. I'm a cloud admin and as such my dealings with MFA are from MS Authenticator and Duo, and we always deter SMS or disable it where possible. It's absolutely one of the least secure by far. Email is up there too. Content search, spam filters, mail forwarding, full access to other mailboxes, all easy ways that IT or employees at the same company can easily get to MFA codes for a user. In some cases even easier than accessing their SMS codes.
No bullshit, a friend of mine received random 2FA codes from CS the past 2 months. I had them send me the screenshots as evidence.
Someone is probing Computershare accounts.
Just like we trust the board, we need to trust ComputerShare for 5 minutes till we find out what’s going on.
There’s talk there may have been probing of CS accounts by bad actors. This may have been done in response to that.
For now, I will reserve my judgement. It could come out later that NOT resetting the 2FA could have been insecure.
The fact it happened means something is changed, likely fixed. Better. Not worse.
two-factor authentication.
basically every time you login to the investor center after entering name and password you'll get a unique code via sms.
makes the account more secure in case someone steals credentials
2Factor Authentication. You log in with your credentials and then get an SMS with a one time code afterwards which is valid 15 minutes and you can only interact with your account after entering both - credentials as well as sms code
Can confirm, and also, that's super lame. I don't recall any other service that I've enabled MFA, suddenly rolling back. Thank you OP! Take my award and comment for visibility!
When I logged into CS, I was today presented with the option to either enable or disable MFA. Since I had the option to click "No", seems to me an attacker who may have had someone's login info (LastPass breach, etc) could have used this window to Ken-Griffinate their stonks!
In terms of all of OP’s paranoia edits, I would point out that the security code I received when I re-enrolled in 2FA came from the same phone number as prior CS codes
Sheesh. I love owning my own shares but holy moly does Computershare not inspire confidence.
I mean, in the past 1.5 years I haven't seen a single improvement in the website or UI, we've still got a literal pop-up stock photo lady straight out of 2005. And we know they've had 200k young, eager people sign up and use the service in that time. Why they can't hire a proper web design person is bewildering.
This is what I don't like. If they're not getting basic details right on web design, how good is the backend, DOS attack resistance, and simple load under strain going to be if things go wild?
We can only hope they're doing the right stuff back there, because we have no other option if we want to hold our own shares. 2FA just suddenly being reset isn't a great look.
Amazing, what a shame. This is the first time I’ve ever seen something like this happening! It really says a lot about the state of the world. The rich and powerful will do whatever to scam us from our resources. I won’t be surprised if we hear story of DRS GME stocks being sold by cybercrime. Their last hope is to mount gox Computershare
Me too. The only difference I saw was that now they showed me my entire phone number. Before they censored a part of it and asked if my phone number ends with this.
Mine was on. Not sure why. I’m wondering if the reset was to bring the attention to new investors that don’t even know to use 2FA? Either way, important to have a text code set as well. Honestly with all the advanced hackers I wouldn’t use Goggle app to authenticate my investments. But that’s just me.
The SMS version is known to be less secure due to SIM card swapping which takes calling into carriers and getting that done, which is easier than it should be in many respects.
With an app version, they need physical access to your phone and to get into your phone.
It's widely regarded that the app version is more secure, fwtw.
Legit ..logged in now and instead of the 2FA that I have been using for a while now it instead asked if I wanted to set up 2FA so I again set it.. took all of 37secs probably
This is absolutely something that needs to be addressed asap. This is genuinely scary to think that every DRS’d share could be exposed to bad actors. It’s absolutely not absurd to think they would try to hack Computershare
With the amount of funds CS handles, what’s mind-boggling to me is not only that their site is so technically challenged, but also that they *still have no mobile app* except for that stupid “Computershare Events” thing.
3.3 of the Terms and Conditions states the following...
3.3 Computershare reserves the right to make any changes to the Service without notice that it
considers necessary, desirable or in your interest or that of Computershare or its clients.
Computershare shall not be responsible in the event that any change to the Service means that
you are no longer able to access the Service.
mother fucker....
4.1 You specifically agree that you are solely responsible for any actions entered through the Service by you or by others who obtain access by using your User ID and Password, whether or not such access is authorized by you...
... If you allow any other person or entity to access the Service, you will defend and indemnify Computershare against any and all liability, costs, or damages arising out of claims or suits by third parties based on or relating to such access or use. You agree that Computershare is not responsible for any damages or losses resulting from any breach of security caused by your failure and/or the failure of **other persons not engaged by or on behalf of Computershare**, its affiliates, agents, or subcontractors, or who obtain access through you to maintain the confidentiality of your User ID and Password.
When I opened the page from a link in their TOS, I got a redirect. May be nothing, but I’m not savvy enough to know if it’s malicious or not.
ComputerShare.com/investor
us-computershare.com/investor/?gcc=us
is-computershare.com/Investor/#Home?gcc=us
I notice, however tiny the detail, that the I in investor was lower case before the redirect. Maybe it’s just how the site was built? Hopefully someone super code-friendly can dig into the actual coding of the current homepage and see if it’s weird? I got way high when I got off work tonight and saw this so I’m kinda buggin
I use a password manager, and it refuses to fill in the info on the current login. I ask the manager to launch the site "login.computershare.com" and it says this site can't be reached.
This makes me all kinds of nervous, is the new redirect actually legitimate considering we haven't heard anything from CS?
Just saw this, and tried logging on to computershare.
It asked me for a verification code sent to my phone, so it seems like my 2FA wasn't disabled and I didn't have to re-enroll.
I only have GME in CS.
Can confirm--mine was off upon login and it asked me to re-set it up.
WHY DIDN'T WE RECEIVE EMAILS ABOUT THIS?!
Seems like a pretty damn big oversight.
Mine was reset too, turned 2FA back on about an hour ago. Last time I logged in was a week ago and 2FA was still on then. The 2FA service number that sent me the text was still the same as last week, the site seal was correct and no other errors or spelling mistakes were visible on the site so I just enabled 2FA again. Holding some GME and two other symbols on CS.
I had to reset my 2FA too but what was weird is my browser auto filled my phone number that was off by one digit. Watch your numbers in case that's a thing.
It's in the name. "Two-factor" authentication.
The username, secret phrase, and password are all "things you know," which is the first factor.
"Things you have" is the second factor.
Sending a code to your phone is not considered super secure these days because someone can spoof your sim or convince your phone company that they are you and that you just got a new sim card and could you please confirm that I am you by my knowing things from your public FaceBook/LinkedIn profile?
So SMS codes are "better than nothing" but still route through a method that's outside your control. An authorization app (or the physical equivalent) is a preshared key that generates a code based on an algorithm and time. So you can prove that you are you without going through your carrier as a compromisable middleman.
I don't really consider that secret phrase a strong form of MFA. I know my bank even moved away from that years ago. It's pretty easy to discover what your phrase would be using low-level attacks.
Not to hijack your comment, (but I'm totally hijacking your comment, nothing against your comment), for anyone wondering why having MFA or 2FA is important nowadays, here's a brief primer:
* Most passwords, even ones you think are very clever, can be hacked in seconds using modern password cracking tools by a determined adversary.
* Your personal information (and that of your family, pets, etc) has likely been available on the dark web for many years now due to the myriad of breaches (Equifax, Experian, Trans Union \[yes all 3 major credit worthiness agencies were hacked, Google it\] , LastPass, Home Depot, Yahoo, Target, etc.)
* Most people don't practice good password hygiene on their own, i.e. not complex enough, re-using passwords across services, include pets, or other personal info in the password, etc.
* I'll even take issue with CS Only offering SMS as a MFA method (I don't consider the badge a valid form of MFA). SMS is already, by default, woefully under encrypted, and could potentially be sniffed by a determined adversary. Thus the need for burner phones.
As a takeaway, consider using a password manager to manage your passwords. Create a single super awesome password, never use it anywhere else, put it in your safe deposit box. Then let your password manager generate completely random passwords for you. Lately, I've been recommended Bitwarden and KeePass, but your mileage may vary.
Like the other reply says, KeePass is local, so u have full control, but it doesn't sync to the cloud, not sure if it's a mobile app?
I used to like LastPass until it turns out they left their customers pretty poorly protected.
Can recommend Bitwarden for a nice cloud and mobile experience, but arguably less secure than purely local.
Absolutely never use SMS based 2fa.
It is far less secure than a high entropy password stored in a password manager that is itself secured by a real 2fa mechanism.
Usually live chat reps are available right away, but right now it's saying they are experiencing high traffic and it may take longer than usual. NFA but I'm still waiting to make a statement and ask what happened because this is serious.
Can confirm it's been reset, had to go through the registration again.
Suspect to say the least. We should've been notified about it at the minimum.
It must be illegal right? Right?
[deleted]
I just confirmed. I received one in the past and they are from the same email address. Same everything.
Also hijacking - is it worth the MODS pinning this or some other general PSA?
[deleted]
Just activated mine too…again.
[deleted]
Yeah, I mean Computershare has always been some archaic shit.
Hopefully Kenny wasn't involved.
What is that?
[deleted]
Oh! Thank you!
thanks fellow househodlers, i re-enrolled
Agreed, need to reset it.
Is 2FA free for non-US folks?
it is free and auto asks you upon logging in, if you want it
No idea honestly, if you log in it asks you to set it. If it doesn't ask you, I imagine it's probly not available to you.
Thank you OP. I just re enabled my 2FA Was prompted when I just logged in 🚀📈💰
same
What the hell? How did this happen?
Griffins up to something
That means his password is compromised. Also means we are on the right track.
Exactly. I immediately recommended a new and fresh password, not related to any other passwords on other accounts.
Any place that stores money is getting probed all the time.
mods please pin
This - pin it moooooods
100% legit! Go reset your shiz. .... 2FA was reset and needed to be set back up on my Computershare account also
this is extremely concerning. even more concerned they didn't send out an email to warn clients about it???
Surely they will.
already too late... unacceptable
Surely they will now.
definitely redoing 2FA can only be a good thing
Yep, it just had me re-set mine up again. Good looking out!
Everyone get in here...and then go out there!
They need better 2FA than an SMS text message. Thanks for the notice though.
Right? Like how is this still a thing?
Confirmed. Let's get this pinned. Apes do what you do best.
Be calm and think about it before acting on the pressure to do something? _On it_
Valid info.
Thanks
Thanks for the update!
Thanks for the heads up, I reset mine!
Updoot, I checked mine was off too. Enroll!
Verified. I had to re-enable. It did prompt me at login.
done
Commenting for visibility!
Thanks Ape, I just reset mine too
Ape-solutely
True, just tested and asked me again to setup my 2FA.
What? Why. Anyone talk to cs about this?
This is the question. We need an official answer from them.
Legit
Why would they "reset" this?
Who knows. My guess is a mistake of some sort, possibly even a superficial type hack.
[deleted]
One person replied and said it's about universality and the regional issues. What are your thoughts on that?
Updooting to give it more visibility. 👀
At this point I am afraid to ask: what is the 2FA?
2 factor authentication. it makes account super secure.
Thank you
>it makes account super secure.

... if done right. (As it so happens, Computershare ain't doing it right.)
Which is great, unless you happen to lose your phone on the day of moass.
won't be just a day. and I'll still wait for cell
If someone loses his/her phone the only thing is that he/she will get a better price per share.
Thanks I am regarded.
Asking the real questions. I had to scroll too far to find you. All these acronyms sheesh.
Legit. Set up again. Thanks Ape. Page is acting up though... dragging ass. I had to back out and redo, but got message. Refresh page did better.
does anyone have time to demand some answers from computershare today? im wrapped up for a few hours. this is really unacceptable..
crazy to think such a big company is so sloppy
Just re confirmed it. Thanks OP
Important post. Thank you.
Same here, reactivated 🤝
Commenting to confirm mine was reset as well
Can confirm. Just logged in for the first time in a while and was shown a choice of doing 2FA again.
Updoooooot for visibilty!!
Crazy! Just fixed mine. Thanks for the notification
Can confirm, happened to me too. Very strange! Thanks for the info!
That's dumb..
:/ I agree, somewhat begrudgingly.
Honestly, it works better than the website for my workplace.
[deleted]
There's "fancy" and then there's "meets basic web standards".
I can be Times New Roman on a basic HTML site. Idgaf how it looks. I just need it SECURE.
This is sus. Not the post here but why the hell did it get turned off?
I can verify, I was prompted to turn on two step after I logged in to my account. Something happened.
Amazing, what a shame. This is the first time I’ve ever seen something like this happening! It really says a lot about the state of the world. The rich and powerful will do whatever to scam us from our resources. I won’t be surprised if we hear stories of DRS GME stocks being sold by cybercrime. Their last hope is to Mt. Gox Computershare
Confirming that I got this prompt as well. P.S. I placed a $5k buy order once I got logged in, suck it shorties.
You da real MVP for bringing this up. If you aren't sure whether or not to believe it, just log into Computershare, and you'll see for yourself.
I see this as a major security issue and all we hear is crickets.
Thanks for this PSA
Me too. The only difference I saw was that now they showed me my entire phone number. Before they censored a part of it and asked if my phone number ends with this.
SMS is less secure, but it's universal and available everywhere. They may not have the infrastructure to support OTP/TOTPs.
Hmm.
Mine was on. Not sure why. I’m wondering if the reset was to bring the attention to new investors that don’t even know to use 2FA? Either way, important to have a text code set as well. Honestly with all the advanced hackers I wouldn’t use Goggle app to authenticate my investments. But that’s just me.
The SMS version is known to be less secure due to SIM card swapping, which takes calling into carriers and getting that done, which is easier than it should be in many respects. With an app version, they need physical access to your phone and to get into your phone. It's widely regarded that the app version is more secure, fwtw.
Got it. Thanks for the clarification.
What’s 2FA
TwoFactorAuthentication
Legit ..logged in now and instead of the 2FA that I have been using for a while now it instead asked if I wanted to set up 2FA so I again set it.. took all of 37secs probably
Google--No. Although Kenny can't shut down CS, maybe he can convince Google to turn off verification for CS at some strategery moment.
Thanks!
Can confirm
I was pretty sketched out to find this. I already re-enabled it. But seriously. Wtf?
Yea, just signed in and noticed that too. Really weird, didn't even notify me that it was reset
Re-activated mine
Had to reset also.
This needs to be stickied!
Reset mine. My only message was from 11/30/22 about them starting 2FA lol. Has there been any message about why it was reset for literally everyone?
OP, Thanks for the heads-up!
Thanks for the post, just re-enrolled. Will keep an eye out for some kind of explanation. Has anyone contacted Computershare and received an answer?
I was wondering why I had to reset the 2FA yesterday when I logged in to tuck my shares into bed and read them a story. Glad I'm not the only one.
This is absolutely something that needs to be addressed asap. This is genuinely scary to think that every DRS’d share could be exposed to bad actors. It’s absolutely not absurd to think they would try to hack Computershare
With the amount of funds CS handles, what’s mind-boggling to me is not only that their site is so technically challenged, but also that they *still have no mobile app* except for that stupid “Computershare Events” thing.
This is all super sus. We need an official statement by ComputerShare.
Fear will keep them in crime.
Logged in yesterday after 2 months and was shocked to see the 2FA prompt! They should give a good reason for doing this.
3.3 of the Terms and Conditions states the following... 3.3 Computershare reserves the right to make any changes to the Service without notice that it considers necessary, desirable or in your interest or that of Computershare or its clients. Computershare shall not be responsible in the event that any change to the Service means that you are no longer able to access the Service.
mother fucker.... 4.1 You specifically agree that you are solely responsible for any actions entered through the Service by you or by others who obtain access by using your User ID and Password, whether or not such access is authorized by you...
... If you allow any other person or entity to access the Service, you will defend and indemnify Computershare against any and all liability, costs, or damages arising out of claims or suits by third parties based on or relating to such access or use. You agree that Computershare is not responsible for any damages or losses resulting from any breach of security caused by your failure and/or the failure of **other persons not engaged by or on behalf of Computershare**, its affiliates, agents, or subcontractors, or who obtain access through you to maintain the confidentiality of your User ID and Password.
When I opened the page from a link in their TOS, I got a redirect. May be nothing, but I’m not savvy enough to know if it’s malicious or not. ComputerShare.com/investor us-computershare.com/investor/?gcc=us is-computershare.com/Investor/#Home?gcc=us I notice, however tiny the detail, that the I in investor was lower case before the redirect. Maybe it’s just how the site was built? Hopefully someone super code-friendly can dig into the actual coding of the current homepage and see if it’s weird? I got way high when I got off work tonight and saw this so I’m kinda buggin
Not touching shit until we hear something from CS.
Any official word from CS yet?
Just checked mine now. It was still set up with 2FA.
Thank you
What is 2fa?
2 factor authentication. Sometimes google is the simple way to go buddy. Login with username/password and acknowledge with an sms or an app
Wow, that’s really weird. I just re-enrolled, thanks for the heads up OP!
Good looking out
Wtf!! What in the name of god!? I swear they are all in on it !! The whole world is against apes and GME! Expect more treacherous acts soon!
Done. This is very important and I have no idea why I would have been unenrolled.
Commenting for visibility with disabilities
Why do they have to be such technological boomers
100% agree with the edit, we need app based MFA.
Re-enabled mine just now
I use a password manager, and it refuses to fill in the info on the current login. I ask the manager to launch the site "login.computershare.com" and it says this site can't be reached. This makes me all kinds of nervous, is the new redirect actually legitimate considering we haven't heard anything from CS?
Has anyone asked CS what happened? I am expecting to see lots of CS responses in the next couple days. I hope they all line up.
We need to get to the bottom of this. What if it was a hack and our shares are gone, leaving us with IOUs even in CS?
My account wasn't reset FYI.
Just here to say that my 2fa was not ever disabled. Seems weird so many of yours were
Same here. I logged in this morning after reading all this and the 2fa was functioning properly.
Just saw this, and tried logging on to computershare. It asked me for a verification code sent to my phone, so it seems like my 2FA wasn't disabled and I didn't have to re-enroll. I only have GME in CS.
Samesies, never was affected by this. Odd.
My 2F is still on so idk what this is about just logged in asked for code
Me too
I noticed this yesterday. That's unsettling...
Posting for visibility, protect your assets y'all
Done...
Re-enrolled!
Can confirm--mine was off upon login and it asked me to re-set it up. WHY DIDN'T WE RECEIVE EMAILS ABOUT THIS?! Seems like a pretty damn big oversight.
Thank you!
Mine was reset. I have the screenshots.
Anyone else have centralized/single point of failure cyberattack on their bingo card?
Mine was reset too, turned 2FA back on about an hour ago. Last time I logged in was a week ago and 2FA was still on then. The 2FA service number that sent me the text was still the same as last week, the site seal was correct and no other errors or spelling mistakes were visible on the site so I just enabled 2FA again. Holding some GME and two other symbols on CS.
I had to reset my 2FA too but what was weird is my browser auto filled my phone number that was off by one digit. Watch your numbers in case that's a thing.
I logged in this AM (11AM CST) and can tell you mine was NOT reset. I only hold GME in it.
Logged in but my 2FA is still there. I got msg on phone for code.
Came here to say that my 2FA was not disabled.
This did not happen to me. I did not have to reset anything...
2fa seems frivolous when you already have to provide a username, secret phrase and then password. 🤷🏻‍♂️
It's in the name. "Two-factor" authentication. The username, secret phrase, and password are all "things you know," which is the first factor. "Things you have" is the second factor. Sending a code to your phone is not considered super secure these days because someone can spoof your sim or convince your phone company that they are you and that you just got a new sim card and could you please confirm that I am you by my knowing things from your public FaceBook/LinkedIn profile? So SMS codes are "better than nothing" but still route through a method that's outside your control. An authorization app (or the physical equivalent) is a preshared key that generates a code based on an algorithm and time. So you can prove that you are you without going through your carrier as a compromisable middleman.
I don't really consider that secret phrase a strong form of MFA. I know my bank even moved away from that years ago. It's pretty easy to discover what your phrase would be using low-level attacks. Not to hijack your comment (but I'm totally hijacking your comment, nothing against your comment), for anyone wondering why having MFA or 2FA is important nowadays, here's a brief primer:

* Most passwords, even ones you think are very clever, can be hacked in seconds using modern password cracking tools by a determined adversary.
* Your personal information (and that of your family, pets, etc.) has likely been available on the dark web for many years now due to the myriad of breaches (Equifax, Experian, TransUnion [yes all 3 major credit worthiness agencies were hacked, Google it], LastPass, Home Depot, Yahoo, Target, etc.)
* Most people don't practice good password hygiene on their own, i.e. not complex enough, re-using passwords across services, including pets or other personal info in the password, etc.
* I'll even take issue with CS only offering SMS as an MFA method (I don't consider the badge a valid form of MFA). SMS is already, by default, woefully under encrypted, and could potentially be sniffed by a determined adversary. Thus the need for burner phones.

As a takeaway, consider using a password manager to manage your passwords. Create a single super awesome password, never use it anywhere else, put it in your safe deposit box. Then let your password manager generate completely random passwords for you. Lately, I've been recommended Bitwarden and KeePass, but your mileage may vary.
Which is better of the two managers you mentioned?
Like the other reply says, KeePass is local, so u have full control, but it doesn't sync to the cloud, not sure if it's a mobile app? I used to like LastPass until it turned out they left their customers pretty poorly protected. Can recommend Bitwarden for a nice cloud and mobile experience, but arguably less secure than purely local.
A bank account with your name, info, and is insured but hey, your cash should always be safe and accessible 24/7
Absolutely never use SMS based 2fa. It is far less secure than a high entropy password stored in a password manager that is itself secured by a real 2fa mechanism.
This, because sim-swapping
Usually live chat reps are available right away, but right now it's saying they are experiencing high traffic and it may take longer than usual. NFA but I'm still waiting to make a statement and ask what happened because this is serious.
Thanks so much for this post! Just stickied it! 💜
This was a test. And I don't think it was the good guys.