I am clipping this from the talkmicro forum.  I hope that's okay to do, but I thought it was important for everyone to read.

  Today, 03:17 PM 
cphoto 
 StockXpert and Fotolia accounts hijacked

--------------------------------------------------------------------------------

I can't believe it! Someone did actually hijacked my StockXpert account, and shortly after that my Fotolia account.

I contacted both agencies immediately, Fotolia was the most reactive, they asked me to call them and then canceled the credit conversion that the guy was trying to do.

StockXpert is currently investigating, I hope they will be able to recover my money (I had over $100).

Anyway I wonder how that could have happened because my password are impossible to guess and I only check my accounts on my personal computers

Of course I changed my password everywhere else, and interestingly enough only StockXpert and FL were hijacked. (I'm with about 10 agencies)

and later...

cphoto 

No kidding! Now I won't complain anymore that it takes a couple of days to cash out!

So with FTL the guy tried to convert ALL my credits to buy images, but they locked my account just in time.

With StockXpert, the guy changed my email, password, and paypal address and tried to cash out. But the StockXpert team got my emails just on time and recovered my account.

That was very close!!

Ouch!

Thanks for the reminder.... I just changed all of mine too!

Can't the sites do more to protect our money?  Perhaps a second password for withdrawals or exchanging for credits would help.

First of all just want to thank Steve from StockXpert and Charles from Fotolia, both responded and took actions within hours.

My email account has a different password and I doubt anyone was ever able to get into it.  Even if they did so I did not see any trace of a "forgot password email" that could have lead the hacker to my microstock account password.

Anyway I think it is time to make the profile page in all microstock sites more secure and implement basic features such as:

1) if someone tries to change his email or password, send an email to the old email to confirm the change.  That would alert immediately the account owner in case of hijacking
2) ask a security question whenever a critical change on the profile is made (like use forgot password question?)
3) use https on all login page!

Steve,

Are you aware of other members' account being hacked?

Regards,
Adelaide

Be aware of the keyloggers as well. If somebody infiltrated into your system with a keylogger, changing passwords won't do any good.

That's a great suggestion. 

In my case I use Spy Sweeper engine, so I should not have any spyware or keylogger in my system.

This is terrible! But I don't understand what good it will do to change the password if there is a security leak in the sites no matter how often you change it they will eventually get it correct.I know we have too choose strong passwords but will it be enough to protect our accounts,I hope it will.
 this is indeed too bad!

security leak is not in sites, it is in your computer most likely. It is called "key logger". it's basicaly a virus, trojan... you picked it up somewhere, and now it is sending everything you type to the person who infected you.

I see,my reaction was because lately there were some reports  mentioning some security leaks  on StockXpert first I thought it was related to it and secondly as for Ft, it doesn't allow  more strong paswords by only allowing    letters and numbers to be used  in passwords,that was what I was referring to.but you are absolutely right it is us who should take care of our data in the first  place.

security leak is not in sites, it is in your computer most likely. It is called "key logger". it's basicaly a virus, trojan... you picked it up somewhere, and now it is sending everything you type to the person who infected you.

Also I was going through the forum and found an interesting thread:  It looks like there was a security hole with StockXpert, that is fixed now, but the hacker could have got the passwords at the time... http://www.microstockgroup.com/index.php?topic=2747.0

cphoto, I'm sorry this happened and thank you for sharing your unfortunate experience.   I hope you find some resolution to this and that the agencies take responsibility for your earnings.

I'm sure there are many out there who use the same password for many places.  Banks, on-line accounts, forums.  Bad people have to work somewhere, and it would be so easy for a bad staff member to steal account member passwords.    And we (microstockers) all seem to hang out at the same places - the same agencies, the same blogs, the same forums.  Oh, boy... imagine signing up to some forum with your paypal e-mail address and your password, the same one that you use on all your microstock accounts.  Yikes.  I'm too old to memorize passwords anymore, and the older I get the longer the passwords get too, with a combination of upper/lower case letters, a few numbers....  My cheat sheet is getting pretty long.

It just bothers me that there are people smart enough to pull it off and who have the desire and the time to steal 100 bucks.  I suppose it's a matter of stealing several x 100 bucks.   Boy, I sure hope they are feeding a starving child with that money and not blowing it up their nose.

In order to keep track of passwords, Keepass is a great open-source software product.

You can read about it here:

http://en.wikipedia.org/wiki/Keepass

You can find it here:

http://keepass.info/

Fortunately both Fotolia and StockXpert were both very reactive and canceled the payment request.  No money was lost.

The hacker was trying to send the money from both accounts to his MonneyBookers account (I still have his mooneybookers email address in my account).

I now use a different password on each site that I plan on changing every month.

What country are you in?  Are you (or the agency) forwarding the information to Police/RCMP/FBI - whatever?   Moneybookers must require banking info which would require id at some point, wouldn't it?