DanBennett

HaveIBeenPwned gets TruckersMP Forum Database


 

TruckersMP has sent the data of the forum database leak to https://haveibeenpwned.com

 

Search your email and username. If you're on there - change all passwords.

 

This was the database leak back in February.

 

+1 Kudos to the Admins for willingly sending it to them. 

-1 Kudos to me for finding this out via a third party and not this site itself. [*]

 

[*] By this I mean, finding out it's been put on HIBP. The announcement in Feb was publicly released. Apologies for the confusion. This teaches me not to post at 5am with no sleep!

 

Edited by DanBennett
Adding correction


Not that I care too much,

My email already gets plenty of 'those' emails

 

(you know, the ones about those certain pills)

 

Now that I've checked it, it's not too bad

 

Obviously they think my email is useless

My spam email hasn't even been leaked. Alrighty then.

 

Edited by Takumi Fujiwara

3 minutes ago, Takumi Fujiwara said:

Not that I care too much,

 

 

Your password was also leaked. If you use it anywhere else with the same email, or it's the password for your email too, then there's a risk.

 

No one knows the extent of the leak, or whether it's known this database was taken or TruckersMP are just being cautious.

 

But take it seriously. As time goes on, you can end up with more personal stuff available from your email and password.


It was only the forum that got compromised, and there was information around at the time of the leak, including a post to the homepage that's since been hidden.

 

Correction: The post isn't hidden, it only got hidden because there was more news that came out since then. Full information: http://truckersmp.com/en_US/blog/8


My email address has been compromised, but I changed my password while I was in game when an IGA said we should all change our passwords in an admin announcement.

 

I can't help but think that a web dev or higher member of staff should've posted this though... :wacko:

Edited by heyhococo
Removed text


It was submitted because we know it's in someone's hands and we don't know what their intentions are. Submitting it to HIBP was a second avenue for us to notify those affected by the breach who may not visit the website or check the news here on the forums that often.

 

I see that it can be disconcerting for you to get an email from HIBP, but unfortunately, until yesterday our infrastructure simply wasn't set up to handle sending out 80k+ emails (I'm not sure I'd want to try to push that many in one go now either, to be honest).


I remember the incident. I was playing when an IGA alerted the players on ETS2's EU#1. I pulled up to the shoulder, saved my game and changed my password and some other security details immediately.

2 hours ago, Tuxy Fluffyclaws said:

It was submitted because we know it's in someone's hands and we don't know what their intentions are. Submitting it to HIBP was a second avenue for us to notify those affected by the breach who may not visit the website or check the news here on the forums that often.

 

I see that it can be disconcerting for you to get an email from HIBP, but unfortunately, until yesterday our infrastructure simply wasn't set up to handle sending out 80k+ emails (I'm not sure I'd want to try to push that many in one go now either, to be honest).

-.-' got 3 servers here m8...

Just point a subdomain called ms#.truckersmp.com so the domains have temp URLs. Create a simple mailing form and get 3 admins to do batches of 100-500 every hour per server...

 

But nope, now my emails on another site... Awesome...

 

The last part was a joke, but seriously though, I don't give a duck about my email; it has text verification just like my Steam account. All accounts use different passwords, or if the same I either don't care or it's PayPal-covered.

6 minutes ago, Darth Wazawai said:

Just point a subdomain called ms#.truckersmp.com so the domains have temp URLs. Create a simple mailing form and get 3 admins to do batches of 100-500 every hour per server...

It's not that easy. Last time we mass-emailed we had a delivery rate of 78% on ~4k emails, which is quite a lot below par, and that was doing it properly (DKIM+SPF).

We're talking 84K emails here, not that easy to do.

 

6 minutes ago, Darth Wazawai said:

But nope, now my emails on another site... Awesome...

HIBP doesn't list the email address anywhere; you have to explicitly look it up.

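As an added example, not code from this thread or from TruckersMP: the SPF check a receiving mail server performs when deciding whether a sending IP may use the envelope domain, which is the "SPF" half of the "DKIM+SPF" the reply above refers to. The zone data is constructed for the example (the truckersmp.com record, the mail.example.net include target and every address range are made up), and only the ip4/ip6, include and all mechanisms are implemented, following the matching rules of RFC 7208. It shows why a record ending in -all hard-fails an unauthorized source while ~all only softfails, and how the recursion limit turns a self-including record into a permerror.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers, so this runs offline.
# The truckersmp.com record, mail.example.net and every address range are made up.
DNS_TXT = {
    "truckersmp.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDES = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying mechanisms per check


def lookup_spf(domain, dns):
    """Return the domain's SPF record, or None for the RFC 7208 result 'none'."""
    record = dns.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(ip, domain, dns=DNS_TXT, _depth=0):
    """Evaluate the ip4/ip6/include/all subset of SPF for one sending IP.

    Returns pass, fail, softfail, neutral, none or permerror. As in RFC 7208,
    the first matching mechanism decides; an include matches only when the
    included domain evaluates to pass; no match at all gives neutral.
    """
    if _depth > MAX_INCLUDES:
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version term
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if sender.version == network.version and sender in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            inner = check_spf(ip, arg, dns, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"   # RFC 7208 s5.2: a broken include breaks the record
        else:
            return "permerror"       # a, mx, ptr, exists need live DNS; not modelled here
    return "neutral"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.57", "truckersmp.com"), ("198.51.100.11", "truckersmp.com"),
                    ("192.0.2.9", "truckersmp.com"), ("192.0.2.9", "mail.example.net"),
                    ("192.0.2.9", "loop.example")]:
        print(f"{ip:>15} via {dom:<18} -> {check_spf(ip, dom)}")
```

A receiver that arrives at fail or softfail here will typically reject or junk the message no matter how carefully the batch was paced, so when a bulk run lands at 78% the bounce reasons grouped by recipient domain are the first thing to read.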

How exactly were you sending out emails (not the protocol)? I've never seen nor heard of such a deplorable fail rate, unless you tried to send too many within an hour (usually 1-5k will flag you) and got flagged by the provider... Also you have to look at the emails that failed; if they're all one provider you're likely blacklisted (Hotmail loves doing this <_<), in which case you have to contact the email provider or your server provider to get that fixed.

 

Whether or not HIBP lists it isn't the point... You guys sent all the emails into another DB which has 300+ million other accounts. If their site is secure then it'll be OK, but what if it isn't? The forum leak could have been done by that stupid noob who DDoSed the place a while back that @mwl4 found and perm-banned... If so then they likely wouldn't have a clue where to sell that information, let alone know what to do with it... Plus, as I stated in another post, next to the salt, MD5 encryption is one way, and with billions of passwords no one's going to bother with passwords. They (if not that noob) just wanted emails; even with English words and numbers only you're looking at hundreds of millions of different passwords to cross-reference...


^

I think you need to calm down a bit, matey.

Sending mass emails out is a right pain in the arse, and the failure rate can range from 0.1% to 99%. It's fully dependent on the system used, the content of the emails and how they are sent out, as well as the recipient and their system, server and email host. I can speak about this first hand (IT Tech & Support background; I've had to deal with this many times).

 

However, I do agree that it should've been more open that this was being posted to HIBP. The initial notice of the leak was great: whole forum taken down and it was front page on the website. They also posted on Twitter. However, this was back in February. This is now April and it's come back again by being posted to HIBP, which can send notifications out to everyone affected, too. Many people on here are youngsters or not technically minded and would've been worried by this email. So notification by TMP should've occurred that they were submitting to HIBP.

 

As I stated initially, Kudos to TMP for submitting to HaveIBeenPwned. HIBP are a great service to help keep users safe on the web and anyone who finds that they have been "pwned" needs to take action.

 

(Please read this blog post by the founder of HIBP, who also shows praise for this and the fact that it rarely happens with bigger websites.)

Quote

Perhaps I've just become a little cynical after seeing literally hundreds of "we take security seriously" statements from organisations which clearly didn't and to see a response like this where they're not trying to spin the story to their own advantage or misconstrue facts is heartening. If only those with nation state budgets or billion dollar revenues could act so responsibly.

 
 

 

Regarding the forum leak - information on how this happened was released in the initial blog post.

The breach happened by obtaining the password of a team member's account and then dumping the database using IPB's built-in utilities, hence only forum accounts were compromised. Passwords were stored in a cryptographic manner and were salted.

It happened because a team member's account was accessed and used to create a database dump (a copy into a text file format). This is unfortunate but also impossible to avoid. I'm sure the team member who holds the account feels bad enough that it was their account that was used.

 

The passwords were salted (this means encrypted against a special key, which helps make them incredibly difficult to decrypt). So whereas passwords may be safe, it's not a guarantee, as they cannot promise that the salt (special key) was not also taken, hence the reason this is a higher risk.

 

As much as I gave a -1 Kudos to TMP for the way the handover to HIBP was handled, they have my full support as a fellow IT Tech person; they are simply running a forum and service for free and as a hobby. Shit happens. It's regretful. It could've been worse, but it's not. Change your passwords if you are affected and keep on trucking!

Edited by FirestarteR93
Removed quote from the post above

1 hour ago, Darth Wazawai said:

How exactly were you sending out emails (not the protocol)? I've never seen nor heard of such a deplorable fail rate, unless you tried to send too many within an hour (usually 1-5k will flag you) and got flagged by the provider... Also you have to look at the emails that failed; if they're all one provider you're likely blacklisted (Hotmail loves doing this <_<), in which case you have to contact the email provider or your server provider to get that fixed.

 

We used a reputable provider for mass emailing, trust me, I did my homework before attempting.

 

1 hour ago, Darth Wazawai said:

Whether or not HIBP lists it isn't the point... You guys sent all the emails into another DB which has 300+ million other accounts. If their site is secure then it'll be OK, but what if it isn't? The forum leak could have been done by that stupid noob who DDoSed the place a while back that @mwl4 found and perm-banned... If so then they likely wouldn't have a clue where to sell that information, let alone know what to do with it... Plus, as I stated in another post, next to the salt, MD5 encryption is one way, and with billions of passwords no one's going to bother with passwords. They (if not that noob) just wanted emails; even with English words and numbers only you're looking at hundreds of millions of different passwords to cross-reference...

IPB's old password hashing scheme, which was used in our case (because we used IPS 3 at the time of the breach), is known to be weak, which is why IPS4 updated it to use BCRYPT. In this case we are certain the person knew the value of the data, and we know he tried to (and perhaps did) capitalize on it. In any breach you should always assume the data is distributed and abused, hence why we took the approach we did, including self-submitting information to HIBP; anything less would be reckless in my professional opinion (I work in info-sec ;)).

 

47 minutes ago, DanBennett said:

However, I do agree that it should've been more open that this was being posted to HIBP. The initial notice of the leak was great. Whole forum taken down and it was front page on the website. They also posted on Twitter. However, this was back in February. This is now April and it's come back again by being posted to HIBP which can send notifications out to everyone affected, too. Many people on here are youngsters or not technically minded and would've been worried by this email. So notification by TMP should've occurred that they were submitting to HIBP.

We are working with HIBP on making this clear very soon, to help clarify which exact breach it is regarding and provide additional information.

 

On a side note, non-technical users are unlikely to have signed up to get notifications from HIBP.

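An added example, not code from this thread, from TruckersMP or from IPS, covering the two hashing schemes the posts above discuss: the "salted" legacy storage described a few posts up, and the weak IPB 3 scheme versus the bcrypt IPS4 moved to. The legacy construction is the md5(md5(salt) + md5(password)) form IPB 3.x is documented to use (hashcat mode 2811); the replacement here is hashlib.pbkdf2_hmac, a standard-library stand-in for bcrypt (which needs a third-party package), and its round count is an assumption, not IPS4's parameter. The "ipb3$salt$hash" and "pbkdf2$rounds$salt$digest" record layouts, the dump rows, user names, salts and wordlist are all constructed for the example. Running it shows what a salt does and does not buy: it sits beside the hash in the dump, so it is no secret key, and it does not stop weak passwords falling to a dictionary in a fraction of a second, but it does force one computation per (user, guess) and defeats precomputed tables. verify_and_upgrade is the login-time migration that moves a legacy record to the slow scheme without forcing a reset on everyone.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ipb3_hash(password, salt):
    """Legacy IPB 3.x scheme (hashcat mode 2811): md5(md5(salt) + md5(password)).
    Three unkeyed MD5 calls: a single GPU evaluates billions of these per second."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


# Stdlib stand-in for bcrypt's cost factor; the round count is an assumption for the example.
PBKDF2_ROUNDS = 100_000


def slow_hash(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Self-describing record 'pbkdf2$rounds$salt$digest' so the cost can be raised later."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), rounds).hex()
    return f"pbkdf2${rounds}${salt}${digest}"


def verify(record, password):
    """Verify a password against either record layout (layouts chosen for this example)."""
    scheme, rest = record.split("$", 1)
    if scheme == "ipb3":
        salt, stored = rest.split("$")
        return hmac.compare_digest(ipb3_hash(password, salt), stored)
    if scheme == "pbkdf2":
        rounds, salt, stored = rest.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt.encode("utf-8"), int(rounds)).hex()
        return hmac.compare_digest(calc, stored)
    raise ValueError(f"unknown hash scheme: {scheme}")


def verify_and_upgrade(record, password):
    """Login-time migration: a correct password against a legacy record is re-hashed
    with the slow scheme. Returns (ok, record_to_store); a failed login changes nothing."""
    ok = verify(record, password)
    if ok and record.startswith("ipb3$"):
        return True, slow_hash(password)
    return ok, record


# Constructed dump: user -> record. Salts are fixed so the run is reproducible.
DUMP = {
    "alice": "ipb3$a1b2c$" + ipb3_hash("trucker123", "a1b2c"),
    "bob":   "ipb3$d3e4f$" + ipb3_hash("Password1", "d3e4f"),
    "carol": "ipb3$g5h6i$" + ipb3_hash("N7v!qR2#pLm9xZ", "g5h6i"),
}
WORDLIST = ["123456", "password", "trucker123", "Password1", "ets2rocks", "letmein"]


def crack_legacy(dump, wordlist):
    """Offline dictionary attack on the legacy records. The salt is in the dump next to
    the hash, so it is no secret: it only forces one hash per (user, guess) instead of
    one per guess, and rules out precomputed tables. Weak passwords still fall instantly."""
    found = {}
    for user, record in dump.items():
        _, salt, stored = record.split("$")
        found[user] = next((w for w in wordlist if ipb3_hash(w, salt) == stored), None)
    return found


if __name__ == "__main__":
    for user, pw in crack_legacy(DUMP, WORDLIST).items():
        print(f"{user}: {'cracked -> ' + pw if pw else 'not in wordlist'}")
    ok, new_record = verify_and_upgrade(DUMP["alice"], "trucker123")
    print("alice login ok:", ok, "| stored now:", new_record[:28] + "...")
```

The upgrade path only covers users who log in again; records that are never re-verified stay in the fast scheme, which is why a dump of a legacy forum remains worth cracking long after the software has been upgraded, and why the advice in this thread to change the password everywhere it was reused stands regardless of what the forum now stores.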

@Tuxy Fluffyclaws I hope you're not referring to Amazon's mailing service :lol::lol::lol::lol: (multi smiles bug Woohoo)

 

But yeah, as long as it's one-way hashed I don't care about my passwords, and if other users' passwords contain 2 words w/ or w/o spaces and a minimum of one capitalized letter and 2 numbers (or more), the person will be dead before they get it lol

 

@DanBennett

I've only ever sent basic text emails for automated mailing, because of outdated/lightweight email providers... But if the provider closed their server to automated systems (like Amazon's) you're going to get large numbers... That's why it's always better to do it in-house even if it takes forever... Also they could have forced a password reset function, released a new version of the game and warned users via the setup or download page... Easier options could have been taken that weren't. That's all I'm saying... The use of a 3rd party should not have been needed for only 80k users... If it was the main site then yes, but not for here.

Edited by Darth Wazawai


Just a question: what does PWNED mean?

I verified my e-mail and the site says that I'm pwned. I changed (only now, after 1 month from the alert) my password. Is this enough?

 

Edited by Alex [ITA]
Add something


Oh man, my email was affected and I am just now seeing this in April. I just changed my password, but how do I know my email and password was not used elsewhere?

 

That email mentioned must have been sent to my spam, which I never check or get notified about. Oh man, I think I feel sick because the email and password is what I use on everything except my bank stuff.


I use my e-mail just for BeamNG forum, LGG forum (and VTC), TruckersMP.com, nVidia Forum and ProMods... Nothing very important! I don't really know what's the problem.

Edited by Alex [ITA]
Deleted something

40 minutes ago, Alex [ITA] said:

Just a question: what does PWNED mean?

I verified my e-mail and the site says that I'm pwned. I changed (only now, after 1 month from the alert) my password. Is this enough?

 

 

It means your email/username and password (encrypted or plain text) have been leaked. So yeah, just change your passwords for everything that was the same, if any.

 

19 minutes ago, littlefoot_22 said:

Oh man, my email was affected and I am just now seeing this in April. I just changed my password, but how do I know my email and password was not used elsewhere?

 

That email mentioned must have been sent to my spam, which I never check or get notified about. Oh man, I think I feel sick because the email and password is what I use on everything except my bank stuff.


This was part of my point with the initial post. Use the HIBP website and enter your username, then your email and see what comes up. 

 

9 minutes ago, Alex [ITA] said:

I use my e-mail just for BeamNG forum, LGG forum (and VTC), TruckersMP.com, nVidia Forum and ProMods... Nothing very important! I don't really know what's the problem.

 

...The password part is the problem.
