• Resolved sabine99uber

    (@sabine99uber)


    Hello, today someone mailed me, he wants to blackmail me for leaking mail addresses of my users.

    First I thought it is a bluff, I asked him about 3 specific mail addresses of my users.

    He was able to give them to me!!

    I am using the latest version of Ultimate Member, the mail address is a private field in the member page and should not be visible to other users than admins! I am the only admin and there is definitely no one beside me logging in as an admin.

    How can that be?

    I know there has been a way to search for mail addresses via the member directory search, but I disabled the search months ago for that reason and it should not be possible. Of course the problem could lie somewhere else, but it is extremely concerning for me and I would assume it is something with UM.

    Edit: I now checked my server logs and maybe the user just scraped the addresses months ago by guessing via the members directory search. Maybe he randomly got these addresses and is bluffing somewhat. But there should be a way to exclude fields from the search…

    • This topic was modified 1 year, 7 months ago by sabine99uber.
Viewing 4 replies - 1 through 4 (of 4 total)
  • @sabine99uber

    UM had a security incident with all UM versions prior to 2.6.7 where users could register and get rights as an Admin. Read this guide and take the recommended actions.

    Security Incident Update and Recommended Actions

    Plugin Author Mykyta Synelnikov

    (@nsinelnikov)

    Hi @sabine99uber

    We will add this hook um_member_directory_core_search_fields since 2.6.10 to avoid searching by email:

    function my_um_member_directory_core_search_fields( $core_search_fields ) {
        // Flip so the field names become keys, drop user_email, then flip back.
        $core_search_fields = array_flip( $core_search_fields );
        unset( $core_search_fields['user_email'] );
        $core_search_fields = array_flip( $core_search_fields );
        return $core_search_fields;
    }
    add_filter( 'um_member_directory_core_search_fields', 'my_um_member_directory_core_search_fields' );

    So you will be able to add the code snippet above to your child-theme/theme functions.php to avoid searching by email on your website in Ultimate Member > Member Directories.

    Also please check that you don’t have the selected User Email Address rows in the options “Choose field(s) to display in tagline” or “Choose field(s) to display in extra user information section”:
    https://imgur.com/UVqcUqa

    Please let me know if you have other questions,
    Best Regards!

    Plugin Support andrewshu

    (@andrewshu)

    Hi @sabine99uber

    This thread has been inactive for a while so we’re going to go ahead and mark it Resolved.

    Please feel free to re-open this thread if any other questions come up and we’d be happy to help.

    Regards

    I had the same problem and added the following code to my functions.php

    function my_um_member_directory_core_search_fields( $core_search_fields ) {
        $core_search_fields = array_flip( $core_search_fields );
        unset( $core_search_fields['user_email'] );
        $core_search_fields = array_flip( $core_search_fields );
        return $core_search_fields;
    }
    add_filter( 'um_member_directory_core_search_fields', 'my_um_member_directory_core_search_fields' );

    But it has no effect, the mail-addresses are still searched for. Should this still work?

  • The topic ‘Someone seems to leak mail adresses of my users’ is closed to new replies.