
HaveIBeenPwned gets TruckersMP Forum Database


DanBennett


To be fair, I don't think the web devs were expecting this breach at all, because unless a member of staff gave away their login details or the perpetrator managed to somehow hack into IPB, they more than likely couldn't get into the admin section (forum.truckersmp.com/admin) where they could just dump the database and do as they will with it (in this case, sell it).

 

I'd assume that the web devs only found out about this because they got notified that someone had accessed the database? Or the perpetrator messaged saying that they had got the database?

Link to comment
Share on other sites

2 hours ago, Sysgen said:

What are pastes mentioned on this website?

 

"Pwned on 3 breached sites and found no pastes"

A "paste" refers to Pastebin, a common way to publish information (there are Twitter bots that monitor Pastebin and similar sites for potential leaks).

 

47 minutes ago, heyhococo said:

To be fair, I don't think the web devs were expecting this breach at all, because unless a member of staff gave away their login details or the perpetrator managed to somehow hack into IPB, they more than likely couldn't get into the admin section (forum.truckersmp.com/admin) where they could just dump the database and do as they will with it (in this case, sell it).

 

I'd assume that the web devs only found out about this because they got notified that someone had accessed the database? Or the perpetrator messaged saying that they had got the database?

Password re-use was the cause of the breach, which is why you will see security researchers and me preaching the mantra of never re-using passwords.

 

We were notified about the breach early by the perp himself (stupid as he was), pretty lucky.

Link to comment
Share on other sites

@Tuxy Fluffyclaws Yes, it sounds like something stupid a person like that would do. And it's fair to say that it was quite lucky too. Anyway, it's over now (hopefully), so all we can do now is change our passwords and be assured that something like this won't happen again.

 

(I changed mine by pulling into the EP layby and changing it in the middle of playing in game ;))

Link to comment
Share on other sites

I felt a bit bad after posting this, as I feel I was a bit harsh. Though at the same time I think it's been good to have this topic, for the web team to discuss and learn from, but also for members to learn from.

 

At the end of the day (I say as I post this at the end of my day) it was an unfortunate thing to have happened. Though it could've been worse.

 

The devs did the right thing in closing the forum, alerting people on the site's homepage and redirecting the forum URL for bookmark users.

 

The fact that they openly stated that this happened, not only to the members but also publicly today, and submitted to HaveIBeenPwned goes to show that they are competent in what they do and that their number one priority is the users and the community, not the name or "brand".

In the tech world, that's a rare thing to happen, especially on "leaks" such as this. Hopefully many places and companies do the same.

 

For the openness and the efforts made, they did a tremendous job and should be applauded.

 

Everyone behind the scenes is a volunteer, doing this as a hobby, as a thing they love and enjoy. Whether it's the coders, the server team or the server and forum admins, that shouldn't be forgotten.

 

So good job. Some lessons learnt. But here's hoping this isn't something that happens again.

 

And when I say it could've been worse, look at the 123Reg VPS mess. A techie's worst nightmare!!

 

:-) love!

Link to comment
Share on other sites

Can I just say (to save the web devs time), it wasn't a leak or attack; it was simply someone who got access to a staff member's account details and dumped the database using IPB's built-in utilities. If it had been a direct attack on the database or servers, we probably wouldn't be back here as quickly as we were.

The only way the database would've been leaked is by them sharing/selling the database to people (as their intention was), so people would know everyone's passwords, emails, usernames, etc. In other words, spreading it around, which is why they shut the forum at the time.

 

Also, it should be noted that the passwords are hashed (standard) and salted, meaning that an extra layer of encryption was added to the passwords, so it would've taken a while until they got to the final password.

 

The only lesson learnt is not to have the same password for everything. This wasn't the devs', the web devs', or anyone's fault other than the original perpetrator's, who took advantage of the fact that they somehow got the staff member's details.

Link to comment
Share on other sites

Um, I've had the same passwords, even had security breaches with the same passwords... Beyond that site nothing's happened... Lucky? Perhaps, or maybe better security server side...

 

Also, I'm fairly confident this is how they gained access, at the very least into an admin's account. I bet no one knew or checked the error log...

This issue has been known about for months before the event. If IPB never notified them (it's licensed, which means they have an email to warn of issues like this) then it's IPB's fault; if they did and the team did nothing, it's the team's fault.

 

Also, in order for them to gain access the admin had to have had an easy password.

 

Also, here's something interesting to read :lol:

https://forums.digitalpoint.com/threads/md5-is-reversible.1284030/

 

I finally got the email about an hour and a half ago... Given the time taken from the original post here till now, even at 1,000 an hour they'd be halfway... If they are going alphabetically they're only at fgh; maybe most emails are before that, but I've got my doubts on that...

 

If you really want to see how vulnerable said password is (here), Google your email and username, and try logging into sites claiming you have an account with them with this forum's password. If you get in and your password is something simple like "Password12" then you'd better change it, but if your password is something like "Eggrollisawesome75" you should be fine for about 10,000,000 years.

 

My old username is a huge pain to look up :lol: go ahead, try... You'll just get nice crispy pastries :lol:

 

What you need to take away from this is not to use different passwords for every site (you'll never remember all of them); it's to use stronger passwords and not to trust sites that are "unknown" to the world.

 

Basically:

One password for here and other sites that don't require payment or hold personal information (even donating here, no personal info is given unless you put it on this site).

One password for sites like Gmail, Steam, etc.; enable max security options. Sites that require mobile verification are possibly the most secure: even with a password they won't ever get that key sent to your phone. If they really wanted your info they'd steal your phone, which is why you should password your phone and home computers, and encrypt home directories (computer).

Payment sites like PayPal and eBay should have their own password and not share one.

Sites like bundle sites (never input credit card info on these sites for their server to store) that require payment authorisation through sites like PayPal should be OK to use the same password, as long as no automated payments can be made (server-side payments are an exception, like Humble Monthly).

 

My current setup:

 

5 passwords with variants (more like 15 passwords)

3: 2 words, 4 numbers

1: 2 words, 2 numbers

1: 2 words (sites I don't give a duck about)

 

Plus, IMO all sites should do this: if there's no cookie/PHP session ID/etc., or an unknown IP (without the previous stuff), verify the user via email/text... Most people use 3 computers, 1 tablet and 1 smartphone... Plus random verification (why, Humble Bundle, u so annoying).


Link to comment
Share on other sites
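The "verify via email/text when there's no cookie or the IP is unknown" idea in the post above, worked through as an added example. This is not TruckersMP or IPB code: the in-memory Account store, the device-cookie HMAC, the six-digit code and the three-attempt limit are all assumptions made for the illustration.

```python
"""Step-up verification for logins from an unrecognised device or IP.

Added example, not TruckersMP or IPB code. The in-memory Account store,
the device-cookie HMAC and the 3-attempt limit are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# Server-side key used to HMAC device tokens before storing them, so that a
# dump of the account table does not hand a buyer valid device cookies.
# Assumed constant for the demo; in production load it from a secret store.
SERVER_KEY = b"replace-with-a-random-32-byte-key"


@dataclass
class Account:
    username: str
    known_device_hmacs: Set[str] = field(default_factory=set)  # HMAC(token), never the raw token
    known_ips: Set[str] = field(default_factory=set)


def token_hmac(token: str, key: bytes = SERVER_KEY) -> str:
    """Keyed hash of the browser-held device token."""
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()


def needs_step_up(account: Account, device_cookie: Optional[str], ip: str) -> bool:
    """True if the login should be held for an e-mail/SMS code: the request
    carries no recognised device cookie AND comes from an IP the account has
    never logged in from. A recognised cookie alone is enough to skip the
    step (people roam between networks), and so is a previously seen IP."""
    if device_cookie is not None and token_hmac(device_cookie) in account.known_device_hmacs:
        return False
    if ip in account.known_ips:
        return False
    return True


@dataclass
class Challenge:
    code: str
    attempts_left: int = 3


def issue_challenge() -> Challenge:
    """Six-digit one-time code from the OS CSPRNG; send it out of band."""
    return Challenge(code=f"{secrets.randbelow(10**6):06d}")


def verify_challenge(challenge: Challenge, submitted: str) -> bool:
    """Constant-time compare, bounded attempts, single use."""
    if challenge.attempts_left <= 0:
        return False
    challenge.attempts_left -= 1
    if hmac.compare_digest(challenge.code, submitted.strip()):
        challenge.attempts_left = 0  # burn the code once it has been used
        return True
    return False


def register_device(account: Account, ip: str) -> str:
    """After a passed challenge: mint a device token, remember only its HMAC
    plus the IP, and return the raw token for the Set-Cookie header."""
    token = secrets.token_urlsafe(32)
    account.known_device_hmacs.add(token_hmac(token))
    account.known_ips.add(ip)
    return token


if __name__ == "__main__":
    # Constructed walk-through: first login from a new machine.
    alice = Account("alice")
    assert needs_step_up(alice, None, "203.0.113.5")
    ch = issue_challenge()
    print("code sent out of band:", ch.code)
    assert verify_challenge(ch, ch.code)
    cookie = register_device(alice, "203.0.113.5")
    # Same browser from a hotel network: cookie is known, no extra step.
    assert not needs_step_up(alice, cookie, "198.51.100.9")
    # Stolen password used from an unknown machine and network: held for a code.
    assert needs_step_up(alice, None, "198.51.100.9")
    print("ok")
```

Storing only HMAC(token) matters in exactly the scenario this thread is about: if the members table is dumped, the buyer gets keyed hashes of device tokens, not cookies they can replay alongside the cracked passwords.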

39 minutes ago, Darth Wazawai said:

Um, I've had the same passwords, even had security breaches with the same passwords... Beyond that site nothing's happened... Lucky? Perhaps, or maybe better security server side...

 

Also, I'm fairly confident this is how they gained access, at the very least into an admin's account. I bet no one knew or checked the error log...

 

That exploit was blocked as soon as we learned about it (2-3 hours after it became public knowledge). Additionally, we outlined the method: it was an attack on the human factor, a member of the team had re-used passwords, and someone abused that.

It was covered in the initial blog post.

 

Please stop making stupid assumptions and spreading FUD.

39 minutes ago, Darth Wazawai said:

I finally got the email about an hour and a half ago... Given the time taken from the original post here till now, even at 1,000 an hour they'd be halfway... If they are going alphabetically they're only at fgh; maybe most emails are before that, but I've got my doubts on that...

It is regrettable that we didn't email all affected users earlier, but prior to this weekend we simply did not possess the capability, as I said earlier in this very topic. I understand your anger, but at the same time you are being very dislikeable about it; we are not earning a dime, and having the capability to send large amounts of email is not cheap.

39 minutes ago, Darth Wazawai said:

What you need to take away from this is not to use different passwords for every site (you'll never remember all of them); it's to use stronger passwords and not to trust sites that are "unknown" to the world.

 

Basically:

One password for here and other sites that don't require payment or hold personal information (even donating here, no personal info is given unless you put it on this site).

One password for sites like Gmail, Steam, etc.; enable max security options. Sites that require mobile verification are possibly the most secure: even with a password they won't ever get that key sent to your phone. If they really wanted your info they'd steal your phone, which is why you should password your phone and home computers, and encrypt home directories (computer).

Payment sites like PayPal and eBay should have their own password and not share one.

Sites like bundle sites (never input credit card info on these sites for their server to store) that require payment authorisation through sites like PayPal should be OK to use the same password, as long as no automated payments can be made (server-side payments are an exception, like Humble Monthly).

 

My current setup:

 

5 passwords with variants (more like 15 passwords)

3: 2 words, 4 numbers

1: 2 words, 2 numbers

1: 2 words (sites I don't give a duck about)

 

Use a password storage application like LastPass, KeePass, or KeePassX; your puny human mind isn't good enough at security to spot weak passwords. If you want the highest possible security without using LastPass or the like, use diceware.

39 minutes ago, Darth Wazawai said:

Plus, IMO all sites should do this: if there's no cookie/PHP session ID/etc., or an unknown IP (without the previous stuff), verify the user via email/text... Most people use 3 computers, 1 tablet and 1 smartphone... Plus random verification (why, Humble Bundle, u so annoying).

Probably the only sensible thing you've said here... It's a balancing act and should be balanced against what kind of data you protect; in our case the most sensitive is your password hash, vs. Humble being a POS (payment service, not the dirty words), where they are governed by the PCI DSS standard.

Link to comment
Share on other sites

@Trucking Gekco ^ Steam was not compromised, as TruckersMP and Steam are not affiliated with each other in any way.

 

However, you're advised to change your password there if you don't have Steam Guard enabled, as an attacker only needs the password to get in (without Steam Guard). However, the passwords are hashed* and salted* as standard, so it would take a while for them to get into it.

 

*Hashed: Converted from plain text to hexadecimal. Salted: An extra string that makes it harder to access the hashed password.

All IP Board passwords are hashed and salted as a standard security measure.

To those wondering how the passwords are stored, keep reading.

The passwords on IPB are, by default, hashed and salted (as explained above). This is an encrypted key which can be decrypted to the plain-text password, though it's not easy. An idea of how they're stored in the database is below (this test account is on my test forum, and will be deleted):

 

[Image: Password_hash_and_salt.png, one row from the members table]

In order: member number, display name, e-mail, password hash, and password salt.

 

This can only be accessed from the IPB admin panel, so only authorised users can access it (Community Managers and above). In this breach, a user managed to retrieve a staff member's details and managed to export the database and dump it to their own local hard drive, with the intention of selling it.

When the intruder retrieved the database, this is the only password they could see; it is just an encryption. The intruder and purchasers would have to use a decryption utility to get the plain-text password that you enter on the login page. It should be noted that because TruckersMP shares the IPB password with TruckersMP.com, the encryption could potentially be different. This is just a demonstration of the bare basic encryption method used by IPB.

Link to comment
Share on other sites

^ Um, md5 ain't that easily decrypted... You just can simply paste it, even without salt, into a decrypt script and get passwords magically...
When you log in into the site it doesn't convert the db password to your input, it converts your input into a md5 hash and compares it.

Now here's an example, and why, if your password's strong enough, you don't really need to worry...
Password is Password
dc647eb65e6711e155375218212b3964
Password is password
5f4dcc3b5aa765d61d8327deb882cf99
Password is TuxyFluffyclaws
36c6af0d40c4b39b56f8811d3091c051
Password is tuXyfluffyClaws
fc1682d8df281aa427c8248bb7dc4dc6

 

Now if the person was a serious hacker (which I doubt) and was going to sell the list in hopes of grabbing some worthy things (like PayPal), they would have something like this:

 

http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

 

This site gives rough estimates of how many possibilities there are for passwords and how long they take: it's dated a little but still valuable.

http://www.lockdown.co.uk/?pg=combi&s=articles

 

9 hours ago, Trucking Gekco said:

I believe that in no way was Steam compromised, since Steam uses a special code to show TruckersMP the info they need to know, but just to make sure, was Steam compromised in this hack? Also, I changed my password when the community got informed the first time; was that good enough or should I change it again?

If you changed it after the leak you are safe, unless there's another hidden bug that no one knows about yet... In which case all we can do is wait...

 

As for Steam, the only reason for you to change any other site's password is if it is the same password as the one used before the hacking... No need to change passwords that are not used on TruckersMP (example: Password1234 is the TruckersMP password, but ThisIsALongPost is Steam's password; only Password1234 should be changed, as no one would have gotten ThisIsALongPost in any form).

 

@Tuxy Fluffyclaws

1: When I initially posted that video a while back you never stated it was fixed; if you did I must have missed it. Even if it was, did staff change their passwords? No, not likely. The second a vulnerability like that is found it's especially good for at least the team to change their passwords, even if you looked at the logs and saw no activity.

 

2: what you just said isn't what the blog post says:

Quote

The breach happened by obtaining the passwords of a team member's account

Even if the password was obtained via another site, the question is how. Also, if the other "hacked" site used md5 salt, then that means that team member uses weak passwords and shouldn't be permitted access to such functions of either site or forum.

 

3: I'm spreading FUD? Me?! I'm not the one who's sending out a mass email 2+ months after the incident, mind-ducking those who are already confused about the initial issue. Now who's causing all the FUD? Sure ain't me, now is it? Look at some of these posts above; people are now wanting to change passwords that might not be affected. I'm causing FUD? Sure, while you are at it why don't you blame me for the stupid exploit I posted (yet I have never touched a line of IPB code) and the higher-up using a supposed second-hand password.

 

4: If you had started emailing out at 60/hr you'd likely be done with all the emails by now... You're saying you guys haven't got the resources to send out 60 emails per hour without being blacklisted? I call B.S. Furthermore, as I stated in a different post, more could have been done before resorting to 3rd-party services...

Also, you complain about money, YET you guys pay $50 a year (maybe more) or $175 (or more) for this POS (the not so nice thing) that's more buggy than Bugs Bunny... It literally screws up on me alone once a day on average. Shall we ask @MrCreeper, who knows some but not a lot about forum software?

 

5: I don't use those programs, nor am I so stupid as to have to be forced to; they are just as bad as storing your password in a rar file or on a piece of paper in your pocket. Furthermore, you just insulted everyone here for being too stupid to know a strong password from a weak password. I said 2 words, 4 letters as my strongest password currently, correct? Did I mention character length, spaces, caps or the order of how the passwords are set up? So how can you go running your mouth assuming I (or my brain) can't make my own secure passwords and remember them? My passwords might not be awesomely secure (like my server ones), but as long as the people in charge of my security, aka you guys or those who legally hold my passwords on their servers for my use, don't duck up, they are secure enough. I don't need a mighty 25-character-long password with numbers, letters of both upper and lower case and special characters.... You do, I don't. The team does (especially the higher-up ones, like you), but I don't; but neither do you guys, apparently.

 

6: Probably the only sensible thing you've said in your entire post is agreeing with me on that one part. Everything else was 100% downright insulting to me and everyone else.

 

Insults aren't nice now are they?


Link to comment
Share on other sites
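The two posts above describe what a dumped salted-hash row looks like and that a login hashes the submitted password and compares it rather than turning the stored value back into a password. The added example below is not IPB's code: the md5(salt || password) layout, the 8-byte salt and the five-word list are assumptions made for the demo, not a claim about IPB's real construction. It shows the storage, the login check, and what a buyer of a dump actually runs against it; the PBKDF2 part at the end is the hardened form a practitioner would expect and is not something the thread discusses.

```python
"""How a salted hash is stored, checked at login, and attacked from a dump.

Added example, not TruckersMP or IPB code: the md5(salt || password) layout,
the 8-byte salt and the tiny wordlist are assumptions for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterator, List


@dataclass
class FastRow:
    salt: str  # hex, per user
    hash: str  # hex md5(salt || password)


def md5_salted(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()


def store_fast(password: str) -> FastRow:
    """What a dumped row holds: a random per-user salt and the digest."""
    salt = os.urandom(8)
    return FastRow(salt=salt.hex(), hash=md5_salted(password, salt))


def login_fast(row: FastRow, submitted: str) -> bool:
    """Login never reverses the stored value: it re-hashes the submitted
    password with the stored salt and compares the two digests."""
    candidate = md5_salted(submitted, bytes.fromhex(row.salt))
    return hmac.compare_digest(row.hash, candidate)


# Constructed five-entry wordlist standing in for a real dictionary.
WORDLIST: List[str] = ["password", "truck", "eurotruck", "letmein", "qwerty"]


def candidates() -> Iterator[str]:
    """Dictionary words, case variants and a two-digit suffix (~1.5k guesses)."""
    for word in WORDLIST:
        for variant in (word, word.capitalize(), word.upper()):
            yield variant
            for n in range(100):
                yield f"{variant}{n:02d}"


def crack(rows: Dict[str, FastRow]) -> Dict[str, str]:
    """The salt defeats precomputed tables, so every guess is re-hashed with
    each user's own salt; with md5 that costs almost nothing per guess."""
    found: Dict[str, str] = {}
    for guess in candidates():
        for user, row in rows.items():
            if user not in found and md5_salted(guess, bytes.fromhex(row.salt)) == row.hash:
                found[user] = guess
        if len(found) == len(rows):
            break
    return found


# Hardened form: a deliberately slow, salted KDF instead of a bare hash.
@dataclass
class SlowRow:
    salt: str
    iterations: int
    hash: str


def store_slow(password: str, iterations: int = 200_000) -> SlowRow:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return SlowRow(salt=salt.hex(), iterations=iterations, hash=dk.hex())


def login_slow(row: SlowRow, submitted: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", submitted.encode(),
                             bytes.fromhex(row.salt), row.iterations)
    return hmac.compare_digest(row.hash, dk.hex())


if __name__ == "__main__":
    # Constructed dump: the weak example password from the thread and a passphrase.
    dump = {"alice": store_fast("Password12"), "bob": store_fast("Eggrollisawesome75")}
    print("login check:", login_fast(dump["alice"], "Password12"))
    print("recovered from dump:", crack(dump))  # only alice falls to the list
    row = store_slow("Password12")
    print("pbkdf2 login check:", login_slow(row, "Password12"))
```

Two things the run makes concrete: the same password stored twice yields two different hashes because the salt differs, and "Password12" still falls to a trivial wordlist because a salt only stops precomputation, not per-user guessing. Raising the per-guess cost is what the iteration count in store_slow is for.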

1. When we have any reason to believe there's a sliver of a chance that passwords are exposed, by us or a 3rd party, we require staff to change passwords; this has happened 3 times so far.

2. I don't remember exactly which hack the compromised account was in, or what kind of hashing they used; it was an old hack and the person in question has been berated by yours truly. This incident is the reason we've tightened down all access to the site and servers and are still in the process of limiting access even further (beyond what you'd reasonably expect for a community mod).

3. Sending out email was the last checkbox, and as much as I hate having to clear up misunderstandings, it's part of being responsible about an attack like this. Urging people to change their passwords is never FUD; it's a simple thing that people can do to lessen the likelihood of their passwords being known. Standards like PCI DSS require passwords to be changed every 3 months for this very reason.

4. Sending out large amounts of email means you need a way to queue them and rate-limit them while also continuing to send out all the other emails that should be sent. Considering that last time we did it, using a service provider who specialises in mass emailing, we landed at an abysmal 78% delivery (yesterday's email was 98%), you can easily see that even if you think you know what you're doing, it's still very difficult to get right.

5. It was not meant as an insult; it was meant as a statement of fact that the human brain is horrible at producing a secure string, so yes, I can with fairly high certainty say that your 2x4 password is likely very weak. Current recommendations are 12 characters, mixed case, numbers and symbols, or 5 5-8 character words with diceware.

 

Link to comment
Share on other sites
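The 12-character and five-word diceware recommendations in the reply above, and the "2 words, 4 numbers" scheme they are weighed against, worked through as an added example (not from the thread or any project). The vocabulary sizes (5,000 common words for a human-chosen word, 7,776 for a diceware list), the 94-symbol printable alphabet and the guess rate are assumptions used only to make the arithmetic concrete; the word list in the block is a constructed stand-in.

```python
"""Entropy of the password schemes discussed above, plus a diceware generator.

Added example, not from the thread. Vocabulary sizes and guess rates are
assumptions chosen to make the arithmetic concrete.
"""
import math
import secrets
from typing import List, Sequence

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries, one per five-dice roll 11111..66666


def entropy_bits(choices_per_position: Sequence[int]) -> float:
    """Bits of entropy when each position is drawn uniformly and independently."""
    return sum(math.log2(n) for n in choices_per_position)


def two_words_four_digits(vocab: int = 5000) -> float:
    """Best case for '2 words, 4 numbers': uniform picks from a 5k-word vocabulary
    and four random digits. Human-chosen words do worse than this."""
    return entropy_bits([vocab, vocab] + [10] * 4)


def diceware(words: int = 5) -> float:
    return entropy_bits([DICEWARE_LIST_SIZE] * words)


def mixed_12_chars(alphabet: int = 94) -> float:
    """12 characters drawn from the 94 printable ASCII symbols."""
    return entropy_bits([alphabet] * 12)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Upper bound: time to try every candidate at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def roll_key() -> str:
    """Five fair dice from the OS CSPRNG, e.g. '31452'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def roll_to_index(key: str) -> int:
    """Map a dice key to 0..7775: base 6 with digits 1-6."""
    idx = 0
    for ch in key:
        idx = idx * 6 + (int(ch) - 1)
    return idx


def passphrase(wordlist: Sequence[str], words: int = 5) -> List[str]:
    """Pick words with secrets.choice; random.choice is not suitable here."""
    return [secrets.choice(wordlist) for _ in range(words)]


# Constructed six-word stand-in; a real list has 7776 lines keyed 11111..66666.
STANDIN_LIST = ["abacus", "abbey", "abbot", "abdomen", "abel", "abide"]

if __name__ == "__main__":
    rate = 1e9  # assumed guesses/second against a fast unsalted-style hash
    for name, bits in [("2 words + 4 digits", two_words_four_digits()),
                       ("5-word diceware", diceware()),
                       ("12 mixed chars", mixed_12_chars())]:
        print(f"{name:20s} {bits:6.2f} bits  {years_to_exhaust(bits, rate):.2e} years")
    print("dice key", roll_key(), "->", passphrase(STANDIN_LIST))
```

At an assumed billion guesses per second the "2 words + 4 numbers" space is exhausted in minutes, while five diceware words take centuries; the gap is the 27 bits between the two schemes, which is why the reply above separates the length of a password from how it was chosen.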


Archived

This topic is now archived and is closed to further replies.
