
Hacker Steals 45 Million Accounts From Hundreds of Car, Tech, Sports Forums (zdnet.com)

An anonymous reader quotes a report from ZDNet: A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities. The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com. "We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email. In a sample given to ZDNet, the database shows email addresses, passwords that were hashed and salted with MD5 (an algorithm that nowadays is easy to crack), as well as a user's IP address (which in some cases can determine location), and the site that the record was taken from. LeakedSource, which confirmed the findings, said in its blog post that it was "likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale." A LeakedSource group member said it was "not related" to the recent hacks against MySpace, LinkedIn, and Tumblr. The report goes on to say: "A cursory search of the list of domains caught up in the hack revealed that none of the sites [ZDNet] checked offered basic HTTPS website encryption, which would prevent usernames and passwords from being intercepted."
  • by sinij ( 911942 ) on Tuesday June 14, 2016 @08:12PM (#52319807)
    At least with proper use of salts, each password hash will have to be individually bruteforced. While a single MD5-hashed password is trivial to break, 45 million are not.

    Now, if you are designing password storage in 2016, there is no excuse not to use a proper key stretching function, like scrypt.
    • Things designed in 2016 won't be developed and shipped until at least 2018. So no... All their software is probably many, many years old.
    • Yeah, the summary seems a bit confused. It says "salted passwords with MD5 (an algorithm that nowadays is easy to crack)". If they are properly salted, they aren't easy to crack. Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.

      UNsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to

      • If they are properly salted, they aren't easy to crack.

        Compared to what?

        Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.

        So with 45 million accounts it should take a million years to get the first million passwords... is this what I am supposed to believe?

        How is enforcing complex passwords sufficient to stave off today's and tomorrow's computers going? Is it working? Do humans accept passwords with sufficient entropy to survive brute force attack by dedicated cracking hardware and botnets with hundreds of thousands to millions of nodes?

        UNsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to be attacked individually, one at a time.

        So what if the cracking isn't free? People were having quite a lot of succ

        • Yes, modern hashes, salted, work extremely well. This is based on my experience writing software which has handled hundreds of millions of login attempts over the last fifteen years. Here's an MD5 salted hash of one of my passwords which the bad guys would very much like to crack.

          $1$bCF1UNu$pRbc6HKD.d8fyv7ABC1ML

          Have fun trying.

          • Yes, modern hashes, salted, work extremely well.

            Current state of the art if you have been following dogma is to include key stretching based on algorithms such as scrypt intentionally designed to be costly to run on massively parallel commodity hardware. You don't even bother with this which puts you at an extreme disadvantage.

            It isn't that salting or key stretching is in any way bad or not worth doing. It is the checking of the box and then falling asleep thinking you solved something when in fact you have done no such thing that is the issue at hand.

    • Giving websites a secret they have to protect, especially second-tier players like this, just seems like a losing strategy in the long haul. I'm hoping something like SQRL eventually gets some traction, which uses public key crypto + site name to create an authentication method that doesn't rely on the website to keep a secret and is only viable for that single site. How many times must we demonstrate that sites can't be trusted with usernames and passwords? Nor can users be trusted to create decent passw

      • I think the movement now is heading towards yubikeys and U2F. The only thing required to happen is to use U2F as first and only factor.

      • Giving websites a secret they have to protect, especially second-tier players like this, just seems like a losing strategy in the long haul.

        ^THIS.

        I agree 100%. Keeping secrets on a website is a game that's nearly impossible to win but easy to lose. All it takes is one misstep and *boom*, you're toast.

        You can run a very, very secure site, follow best practices, be diligent about patching, etc etc etc....and some poorly-written plugin or obscure vulnerability in some minor bit of software that you didn't even know existed can end up compromising the entire thing.

  • For sites like Slashdot, fark, ars, et al. I not only use the same login, I use the same password. Why would I care? Wanna post on /. how Win10 is The Greatest and Microsoft Rulz cuz of its asinine attempts to force you to "upgrade"? Don't care, I'll get over it. Wanna post a nekkid pic on Fark that gets me banned? Don't care, I'll make another account.

    Now, sites that I use a credit card for, or that hold money/stocks, those are a different story. Different user names, different passwords, all kep
    • I'm just as leery of password "vaults" as I am of easy passwords. I prefer to use the oft-cited xkcd method, which allows me to carry pretty decent passwords in my head.

      Other than that, I do pretty much the same as you for websites I don't care about. I'd prefer not to be hacked, but if it happens, it won't be the end of my world.

      • I'm just as leery of password "vaults" as I am of easy passwords.

        Same here...it seems like a single point of failure. Sure, you can use a long, ugly password for the password vault, but that won't matter if you get zapped by a key logger or malware that sniffs for credentials. And if I were a malware writer you could bet your ass that I'd be on the lookout specifically for password keeper apps so I could target them directly.

        Password keepers seem like a good idea at first, but the consequences of having one compromised would be catastrophic. They don't just one of your log

    • by antdude ( 79039 )

      Ooh, time to find your password so I can post bad stuff in all of your careless accounts! ;)

    • For sites like Slashdot, fark, ars, et al. I not only use the same login, I use the same password. Why would I care?

      I don't care about the stolen accounts, but for a different reason. I don't care because I use LastPass to generate (and store, and automatically fill in) random, unique passwords for every web login. If they hack into my VW or Ford accounts, who cares? They would only get access to that single account.

  • by n3r0.m4dski11z ( 447312 ) on Tuesday June 14, 2016 @10:38PM (#52320215) Homepage Journal

    I looked up my email address on that leakedsource.com and they found 2 hits in one hack and 1 hit in a few other hacks. Of course they only tell you what website got hacked. Any info other than that has to wait till you subscribe ($4 a day).

    Sucks. I searched for a few strings before I got a hit so I feel that it may be legitimate. I am seriously considering paying the money. utorrent, anandtech, and this VerticalScope thing. Some had plain text passwords! And sometimes I have in the past reused passwords... nasty!

    Looked up some friends' and work colleagues' emails and found hits for almost all of them.

    Looked up my work domain and found hundreds of hits. Going to probably do it just to warn my co-workers now.

    • I checked, and it seems like VBulletin has been a major source of leaks of my email address:

      VerticalScope Network (Vbulletin) (939 Websites) has: 1 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00
      AVSForum.com has: 1 result(s) found. This data was hacked on approximately 2016-01-23 00:00:00
      Vbulletin.com has: 1 result(s) found. This data was hacked on approximately 2015-10-27 00:00:00
      W3schools.invisionzone.com has: 1 result(s) found. This data was hacked on approximately 2015-01-11 0

  • First, MD5 is NOT broken for this purpose and offers no meaningful disadvantage to other hash algorithms.

    Salts and key stretching only make it n times more expensive to brute force plaintext. While this sounds good, even if n is measured in the millions and really does require attackers to expend more resources to accomplish the same result, these expenditures amount to an unresolvable speck of dust compared to having a secret with sufficient entropy... a luxury that does not exist in the real world.

    There are t
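The thread above argues about three things: why a per-record salt forces each account to be attacked on its own (sinij's post and the replies to it), why key stretching with scrypt multiplies the per-guess cost, and whether that multiplier matters. The following is an added example, not code from any commenter or from VerticalScope, that makes those points measurable with Python's hashlib: it counts how many distinct stored values two identical passwords produce with and without a salt, stores and verifies an scrypt record (the `scrypt$salt$digest` layout is this example's own assumption, not the `$1$` MD5-crypt format quoted above), and times one MD5 evaluation against one scrypt evaluation.

```python
import hashlib
import hmac
import os
import time

# Constructed sample: two accounts whose owners picked the same weak password,
# exactly the situation a precomputed (rainbow) table exploits.
USERS = {"alice": "password1", "bob": "password1"}

def md5_hash(password: str, salt: bytes = b"") -> str:
    """Salted MD5 (unsalted when the salt is empty), as the breached forums used."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def distinct_md5_values(salted: bool) -> int:
    """Count distinct stored values across USERS. Unsalted, identical passwords
    collapse to one hash, so one table lookup answers every account at once;
    salted, each record must be attacked on its own, as the thread notes."""
    seen = set()
    for pw in USERS.values():
        seen.add(md5_hash(pw, os.urandom(8) if salted else b""))
    return len(seen)

def scrypt_hash(password: str, salt: bytes, n: int = 2 ** 14) -> bytes:
    """Key-stretched hash; n is the CPU/memory cost, raised as hardware improves."""
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)

def store(password: str) -> str:
    """Record layout assumed by this example: scrypt$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${scrypt_hash(password, salt).hex()}"

def verify(password: str, record: str) -> bool:
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported record scheme")
    candidate = scrypt_hash(password, bytes.fromhex(salt_hex)).hex()
    return hmac.compare_digest(candidate, digest_hex)  # constant-time compare

def seconds_per_guess(func, rounds: int = 10) -> float:
    """Wall-clock cost of one evaluation: the site pays it once per login, an
    attacker once per guess per account, which is what key stretching buys."""
    start = time.perf_counter()
    for _ in range(rounds):
        func()
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    salt = os.urandom(16)
    print(distinct_md5_values(False), distinct_md5_values(True),
          seconds_per_guess(lambda: md5_hash("x", salt)), seconds_per_guess(lambda: scrypt_hash("x", salt)))
```

The unsalted count comes out as 1 and the salted count as 2, and the scrypt timing is orders of magnitude above MD5; dividing a cracking budget by that ratio is the "n times more expensive" the last post refers to.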
