Change your pirate passwords: vertical scope got hacked - Pirate4x4.Com : 4x4 and Off-Road Forum
 
Old 06-15-2016, 07:20 AM   #1 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
Change your pirate passwords: vertical scope got hacked

https://news.slashdot.org/story/16/0...-sports-forums

A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities. The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com. "We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email. In a sample given to ZDNet, the database shows email addresses, passwords that were hashed and salted with MD5 (an algorithm that nowadays is easy to crack), as well as a user's IP address (which in some cases can determine location), and the site that the record was taken from. LeakedSource, which confirmed the findings, said in its blog post that it was "likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale." A LeakedSource group member said it was "not related" to the recent hacks against MySpace, LinkedIn, and Tumblr.

The report goes on to say: "A cursory search of the list of domains caught up in the hack revealed that none of the sites [ZDNet] checked offered basic HTTPS website encryption, which would prevent usernames and passwords from being intercepted."




tl;dr MD5 hashes are like trying to break into your kid's room when your kid says there is a password. you just turn the knob and the door opens to junior eating contraband cookies.



edit:

45 million records puts this breach at the 6th largest of all time.



edit 2: Got ahold of someone at VS regarding it. He responded in seconds about it and seemed genuinely surprised we weren't informed.
__________________
I'm a Chris Retard.

Last edited by deke; 06-16-2016 at 07:55 AM.
deke is offline   Reply With Quote Quick reply to this message
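As an added example (not part of any post in this thread, and not VerticalScope's or vBulletin's code): one way a site operator can move salted-MD5 password records to a slow key-derivation function, wrapping dormant accounts right away and re-hashing on the next successful login. The record layout, the `md5(salt + password)` format and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor, tune per host


def legacy_md5(password: str, salt: bytes) -> str:
    # Assumed legacy format: hex(md5(salt || password)); the thread gives no exact layout.
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow(data: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS).hex()


def wrap_legacy(rec: dict) -> None:
    """Batch step: harden a dormant account's record without knowing the password."""
    if rec["scheme"] == "md5":
        kdf_salt = os.urandom(16)
        rec.update(scheme="pbkdf2(md5)", kdf_salt=kdf_salt,
                   hash=slow(rec["hash"].encode(), kdf_salt))


def verify(rec: dict, password: str) -> bool:
    """Check a login; on success move any legacy record to plain PBKDF2."""
    if rec["scheme"] == "pbkdf2":
        return hmac.compare_digest(slow(password.encode(), rec["kdf_salt"]), rec["hash"])
    inner = legacy_md5(password, rec["salt"])
    if rec["scheme"] == "pbkdf2(md5)":
        inner = slow(inner.encode(), rec["kdf_salt"])
    ok = hmac.compare_digest(inner, rec["hash"])
    if ok:  # the plaintext is available only now, so re-hash it directly
        kdf_salt = os.urandom(16)
        rec.clear()
        rec.update(scheme="pbkdf2", kdf_salt=kdf_salt,
                   hash=slow(password.encode(), kdf_salt))
    return ok


def demo() -> list:
    # Constructed sample record; salt and password are made up for this example.
    salt, password = b"Xy7", "correct horse battery staple"
    rec = {"scheme": "md5", "salt": salt, "hash": legacy_md5(password, salt)}
    wrap_legacy(rec)
    steps = [rec["scheme"], verify(rec, "wrong-guess"), verify(rec, password)]
    steps += [rec["scheme"], verify(rec, password)]
    return steps


if __name__ == "__main__":
    print(demo())
```

Wrapping only protects the table from that point on; hashes already copied in a breach are still salted MD5, so the affected passwords still need to be changed.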
Old 06-15-2016, 07:22 AM   #2 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
Must be at least 10 characters
Must contain lower-case characters
Must contain upper-case characters
Must contain numbers
Must contain symbols



hhahaahahaha all that work and it's still stored in MD5. jesus christ.
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:22 AM   #3 (permalink)
Registered User
 
Rerock's Avatar
 
Join Date: Mar 2004
Member # 28604
Location: Twins Territory
Posts: 8,212
Good thing I use the SAME password for absolutely EVERYTHING!
Rerock is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:24 AM   #4 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
limiting password length to 50 characters? that's just dumb. I want a novel password.
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:28 AM   #5 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
why no forced password changes yet @Admin? O right, because you don't know if your system is clean yet from capturing.

people have paid TENS OF DOLLARS to be here. I think they deserve to be secure, and if that's not possible; then at least informed.
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:30 AM   #6 (permalink)
Registered User
 
Join Date: Feb 2003
Member # 16993
Location: Parkersburg, WV
Posts: 3,054
What can the hackers do with this info? Get on here and post rude, nasty comments that are racist and derogatory toward women telling people they should commit suicide?
__________________
'12 JKUR O|||||O
'83 Jeep Scrambler -Sold :(
GarScramb is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:31 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2007
Member # 102813
Location: PNW, land of liquid sunshine
Posts: 8,933
I'm sure I'll forget that one right quick.
__________________
[COLOR="Magenta"]Help bring back Swartz Canyon, Join
[/COLOR]

[COLOR="Lime"]The good guys...[/COLOR]

[COLOR="Red"]Marlin Crawler, Hellfire Fabworks, Dave'z Offroad, gearinstalls.com (Zuk), Diamond Axle, RADesigns, Advanced Adapters, Jantz Engineering, G-Fab motorsports, Got Propane, JHF [/COLOR]
Mr Stubs is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:32 AM   #8 (permalink)
Zeus of the Sluice
 
dntsdad's Avatar
 
Join Date: Dec 2008
Member # 125937
Location: Central, Ca.
Posts: 4,557
Well, I guess the password of 1234 that I have had here for years is over.

Thanks Obama

P.S. 10 fucking characters, upper and lower, numbers and symbols???!!!!!
My banks don't even require that level of forgetfulness.
__________________
Long days and pleasant nights
dntsdad is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:33 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2006
Member # 69819
Location: NW Ga
Posts: 2,094
Quote:
Originally Posted by deke View Post
why no forced password changes yet @Admin? O right, because you don't know if your system is clean yet from capturing.

people have paid TENS OF DOLLARS to be here. I think they deserve to be secure, and if that's not possible; then at least informed.




Thanks for the heads up.
__________________
I survived the great password crash of 2016 :homer:



[QUOTE=IEATRKS84;26658266]A lap dance is so much better when the stripper is crying[/QUOTE]
dr hook is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:33 AM   #10 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
Quote:
Originally Posted by GarScramb View Post
What can the hackers do with this info? Get on here and post rude, nasty comments that are racist and derogatory toward women telling people they should commit suicide?
i'd say that at least 75% of the passwords used on pirate are probably used for the email address connected to the pbb account.

password re-use is the single biggest problem in security. they make automation tools to take a dump like this and your email address and try it in all the major online places.

and they could read your PMs here. which for some members might be worse than if they got into their bank accounts....
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:33 AM   #11 (permalink)
Registered User
 
Join Date: Feb 2007
Member # 86724
Posts: 30,003
Quote:
Originally Posted by GarScramb View Post
What can the hackers do with this info? Get on here and post rude, nasty comments that are racist and derogatory toward women telling people they should commit suicide?
well since most people are morons that use the same email/username/password for everything, they'll start trying to use them on other sites. like your bank or credit card portal.

for the love of your IT guy, at least make sure that you use unique passwords for email/financial accounts.

I admit that I use the same password for forums, because it's not a big deal if someone gets on pirate and claims I'm gay with my user account.

but everything that's important has a unique password.
__________________
Electricity is really just organized lightning.
87manche is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:36 AM   #12 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
Quote:
Originally Posted by dntsdad View Post
Well, I guess the password of 1234 that I have had here for years is over.

Thanks Obama

P.S. 10 fucking characters, upper and lower, numbers and symbols???!!!!!
My banks don't even require that level of forgetfulness.
false sense of security since that password is being stored in MD5. I would suggest using a passphrase.

ex:

dntsdadisnumber1atpoundingdntsmumsA$$holeonpirate4x4.com

or similar.
__________________
I'm a Chris Retard.

Last edited by deke; 06-15-2016 at 07:36 AM.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:37 AM   #13 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
Quote:
Originally Posted by 87manche View Post
well since most people are morons that use the same email/username/password for everything, they'll start trying to use them on other sites. like your bank or credit card portal.

for the love of your IT guy, at least make sure that you use unique passwords for email/financial accounts.

I admit that I use the same password for forums, because it's not a big deal if someone gets on pirate and claims I'm gay with my user account.

but everything that's important has a unique password.
at the very very least:

don't use the same password for the email address linked to websites you link it to.

ex:

facebook password 123456
email used for facebook isn't 123456


shout out to free password managers. ultra secure and they create the passwords for you.

www.lastpass.com
https://www.dashlane.com
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:39 AM   #14 (permalink)
Fistful of Boomstick
 
usmcdoc14's Avatar
 
Join Date: Aug 2002
Member # 13344
Location: Utility Muffin Research Kitchen
Posts: 45,474
Send a message via AIM to usmcdoc14 Send a message via Yahoo to usmcdoc14
I have "levels" of passwords and forums get the lowest of them. I don't care.
__________________
Doc-14 Tactical Products:
When it absolutely, positively needs to be made from random crap found in the back of my garage.

usmcdoc14 is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:39 AM   #15 (permalink)
Registered User
 
Join Date: Feb 2007
Member # 86724
Posts: 30,003
and shame on VS for storing all the usernames for all the domains on interconnected machines/same database.

not like they could have made this shit any easier.
__________________
Electricity is really just organized lightning.
87manche is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:46 AM   #16 (permalink)
Registered User
 
Join Date: Feb 2007
Member # 86724
Posts: 30,003
Quote:
Originally Posted by deke View Post
at the very very least:

don't use the same password for the email address linked to websites you link it to.

ex:

facebook password 123456
email used for facebook isn't 123456


shout out to free password managers. ultra secure and they create the passwords for you.

www.lastpass.com
https://www.dashlane.com
and 2 factor authentication. With everyone having a smartphone these days you're dumb if you don't have it turned on and require a unique code every time you log in to important accounts.
__________________
Electricity is really just organized lightning.
87manche is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:46 AM   #17 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
Quote:
Originally Posted by 87manche View Post
and shame on VS for storing all the usernames for all the domains on interconnected machines/same database.

not like they could have made this shit any easier.
rumor is their database password is/was password

__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:47 AM   #18 (permalink)
Registered User
 
Join Date: Feb 2007
Member # 86724
Posts: 30,003
Quote:
Originally Posted by deke View Post
rumor is their database password is/was password

fucking awesome.

you think "sa" is still the SQL password too?

holy shit what a bunch of fucking morons if that's true.
__________________
Electricity is really just organized lightning.
87manche is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:49 AM   #19 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
you can see where your emails are showing up in hacks here:

https://www.leakedsource.com/

it's a legit site; no funny biz to my knowledge.
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:49 AM   #20 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
Quote:
Originally Posted by 87manche View Post
fucking awesome.

you think "sa" is still the SQL password too?

holy shit what a bunch of fucking morons if that's true.
god damnit how did you know their DB admin name and password? YOU HACKER YOU
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:50 AM   #21 (permalink)
Zeus of the Sluice
 
dntsdad's Avatar
 
Join Date: Dec 2008
Member # 125937
Location: Central, Ca.
Posts: 4,557
Quote:
Originally Posted by deke View Post
false sense of security since that password is being stored in MD5. I would suggest using a passphrase.

ex:

dntsdadisnumber1atpoundingdntsmumsA$$holeonpirate4x4.com

or similar.
This is getting scary.

How'd you guess my new password so fast
__________________
Long days and pleasant nights
dntsdad is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:51 AM   #22 (permalink)
Registered User
 
Join Date: Feb 2007
Member # 86724
Posts: 30,003
Quote:
Originally Posted by deke View Post
god damnit how did you know their DB admin name and password? YOU HACKER YOU
l33t sk1lls
__________________
Electricity is really just organized lightning.
87manche is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:53 AM   #23 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
Quote:
Originally Posted by dntsdad View Post
This is getting scary.

How'd you guess my new password so fast
in all seriousness:

if you're hand creating passwords always put the site name in the same spot in your password:

myspace.com
pw: myspace.compassword

pbb
pw: pirate4x4.compassword

this increases the length and makes it super easy to reuse the same password without making it exactly the same on each site. it's an ok stop gap to a full on password management solution.
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:56 AM   #24 (permalink)
Registered User
 
Join Date: May 2004
Member # 31362
Location: Michigan
Posts: 7,621
Send a message via AIM to deke
https://www.leakedsource.com/blog/verticalscope

hacked in feb. sure running a secure shop over there...
__________________
I'm a Chris Retard.
deke is offline   Reply With Quote Quick reply to this message
Old 06-15-2016, 07:57 AM   #25 (permalink)
Registered User
 
Join Date: May 2013
Member # 301761
Posts: 714
Quote:
Originally Posted by GarScramb:37182049
What can the hackers do with this info? Get on here and post rude, nasty comments that are racist and derogatory toward women telling people they should commit suicide?
Post nudes of gay men from your profile without linking it 35%
WreckedXJ is offline   Reply With Quote Quick reply to this message