There was an XSS hole (we forgot to sanitize one of our fields properly), and as a result some accounts were compromised. I’ve closed the hole, removed the infected data, and changed all the cookies. We hash your password, so don’t worry, not even we know what your password actually is.
I’ll be taking another look through our codebase now to see if there are any other fields we might have missed.
O MY!!!!!!
What about the MySpace and Facebook passwords that JTV asks for to get the profile complete badge? Were they compromised while thedefaced.org’s iframe was chillin on jtv? This is huge and I hope that you can tell me they weren’t.
I <3 JTV (no homo)
We don’t keep those passwords ourselves, so don’t worry – no one can get them, even if they guess your JTV password or we get hacked.
What a shame that this happened, some accounts involved were: honestguy, tia_marie, krystyl, myself, laggie, chinny, magicrich, thecoop, ..
I talked to jtv/mikeyy today and he also reported a few security issues to jtv; they seem to be fixed now. If your account got exploited, your about me will say ‘i love mikeyy’. Mikeyy says unlike the others, he doesn’t compromise any account data.
The Washington Post wrote an article on JTV
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/01/AR2008070102412.html
