loftrat Posted July 31, 2009

All the passwords are available on the Interwebs for everybody to see now... it was only a matter of time - mine's on there as well, I guess I must have been having finger trouble when I logged in though because there's about 4 different versions of it :D

cykio Posted August 2, 2009

my password was "hak5" *shrugs* :P defo not tied to anything else, was thinking this place is the one place i don't want to use a password i use elsewhere

h3%5kr3w Posted August 2, 2009

Well, tbh, I originally digressed from this thread, but now that it's exposed to all... as per the .txt file out there...

>> hexskrew - blacksink27*
hexskrew - blacksink27
hexskrew - blacksink278

But as of now, password has been demoted, a super INSECURE password is used here, and higher level passwords are used elsewhere as per my hierarchical password design per purpose and importance.

btw, I do have the file but moreover I am interested in what else is in there. Not for script kiddie purposes, or anything else. I like to say that I am an active member of this community and by all means even if I do not agree (and sometimes fight with) some of you folks, I do respect you all and have NO purpose to use this file in any malicious ways...

But it does have something to say about the people that did this... What was the real purpose? I mean they say they did it because they don't think mubix, darren, and matt know what they are doing, but this place is not about learning seminars. They don't act like they are supahz 1337, and they never throw their weight around. Seems to me that zfo did this just to act like they have big balls... I say it's bullshit and they just wanna pull stupid shit. Why the hell else would they do that? I mean yeah, if they just defaced the server and then spit out what they did to do it and what could be done to fix it would be one thing, but they just took the whole thing down... What did they think this was, the Gibson?!

cabster21 Posted August 3, 2009

Mine on here was a name... I don't use it for anything else. I always use crappy passwords for forums, as I tend to visit them from more than one location - often public. I know there are a few good solutions out there, I'm just very lazy. I don't even know what my demonoid account password is, it's the one that was sent to me. I keep meaning to change it.

foo Posted August 3, 2009

> Mine on here was a name... I don't use it for anything else. I always use crappy passwords for forums, as I tend to visit them from more than one location - often public. I know there are a few good solutions out there, I'm just very lazy. I don't even know what my demonoid account password is, it's the one that was sent to me. I keep meaning to change it.

yup. same here about using crappy pw's for forums etc.. hell, usually when i need a random pw for places like these i just look around me & whatever i see first, i enter that :P didn't care to change it until i saw that list users/pw's publicized all over the web

rpimonitrbtch Posted August 3, 2009

I had changed it before I saw it posted, but didn't think it was really necessary. I just found the list last night, and I am particularly glad I had changed it from oWp3kmNGL214VsVUCKQY. (It was unique)

wh1t3 and n3rdy Posted August 4, 2009

my new pwd is wowyouhackedmyforumaccountpasswordyouaresocooliwouldcrawl100milesoverbrokenglass torollinyourshit

Mat Posted August 4, 2009

I still don't understand how the plaintext passwords were acquired if they were stored salted and hashed.

VaKo Posted August 4, 2009

It's not hard, especially if you know what the salt is and/or have this: http://www.insidepro.com/eng/egb.shtml.

Jason Cooper Posted August 4, 2009

> It's not hard, especially if you know what the salt is and/or have this: http://www.insidepro.com/eng/egb.shtml.

Considering the login runs over http and not https they just seem to have run a simple sniffer on the server and pulled out a long list. (That is why there are a number of passwords in the list for the same users, usually the first one contains a typo.)

Now if the logins ran over https it would have made things a bit more difficult for them, they would have had to log a lot more information and then use the SSL private key from the server to decrypt the sniffed traffic. They would have had access to the private key by the looks of it. Would they have gone to that effort (or would they have known how to do that) is an interesting question, as the other sites that they broke into either required them to crack hashes or had the passwords stored in plain text.

foo Posted August 4, 2009

> Considering the login runs over http and not https ...

yeah, it'd be nice if https was used. if i remember right, i thought i read somewhere that darren was prob going to implement that... *shrug*

VaKo Posted August 4, 2009

I don't think for a second that they were in the server for any length of time and were sniffing the traffic. I think they just figured out the userDB salt and cracked as many passwords as they could. If you look at the list they seem to have 3000 passwords, I don't think these forums have that many active users, and even a large amount of logged in lurkers couldn't account for those numbers.

Seshan Posted August 4, 2009

> I don't think for a second that they were in the server for any length of time and were sniffing the traffic. I think they just figured out the userDB salt and cracked as many passwords as they could. If you look at the list they seem to have 3000 passwords, I don't think these forums have that many active users, and even a large amount of logged in lurkers couldn't account for those numbers.

That means the forums save old passwords. Some people have multiple passwords, or like mine my older password I used to use. Which is kinda stupid.

VaKo Posted August 4, 2009

I honestly don't know enough about IPB personally to clarify either way I'm afraid. And I don't honestly know a huge deal more than is public knowledge about the specifics of the attack. Matt is the only one who can answer those questions.

beakmyn Posted August 4, 2009

> I still don't understand how the plaintext passwords were acquired if they were stored salted and hashed.

According to the file: Passwords reversed through local OpenSSL side channel attacks

SWFu Posted August 4, 2009

I still think I must have been sniffed as it looks like they caught a couple of typos for me logging in. This is probably why people are reporting old passwords due to user error.

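
Added example, not part of any post in this thread: a triage script for the argument Jason Cooper and SWFu make above, that several near-identical passwords for one account point to capture at login rather than cracked hashes. The sample list, the `user - password` layout, the function names and the edit-distance threshold of 2 are all assumptions made for illustration, as is the premise that a user table holds one current hash per account.

```python
from collections import defaultdict

# Constructed sample in the "user - password" shape quoted in the thread.
SAMPLE = """\
alice - sunflower9
alice - sunflowr9
alice - sunflower9*
bob - correcthorse
carol - winter2008
carol - Tr0ub4dor
"""

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse(dump):
    """Group distinct values per account, in order of appearance."""
    seen = defaultdict(list)
    for line in dump.splitlines():
        user, sep, value = line.partition(" - ")
        if sep and value not in seen[user.strip()]:
            seen[user.strip()].append(value)
    return seen

def classify(dump, max_typo=2):
    """Label each account by what its entries suggest about the source."""
    result = {}
    for user, values in parse(dump).items():
        if len(values) == 1:
            result[user] = "single"  # consistent with either explanation
            continue
        near = all(
            min(edit_distance(v, w) for w in values if w != v) <= max_typo
            for v in values
        )
        # Near-duplicates look like mistyped login attempts (capture at login);
        # unrelated values look like separate credentials, e.g. a changed password.
        result[user] = "typo-variants" if near else "distinct"
    return result
```

A high share of `typo-variants` accounts supports the login-capture explanation; a list of mostly `single` entries does not settle the question either way.
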
Deags Posted July 16, 2011 (edited)

ignore