Slashdot Mirror


Hack Exposes Pirate Bay User Data

tsu doh nimh writes "A group of hackers from Argentina recently broke into the database for thepiratebay.org, the Internet's largest torrent search engine, exposing user names, Internet addresses, and (MD5) hashed password data on more than 4 million users, according to Brian Krebs. He interviewed the leader of the group, Ch Russo, who said they briefly considered what the information would be worth to the RIAA and MPAA before going public with the breach. From the story: 'Probably these groups would be very interested in this information, but we are not [trying] to sell it,' Russo said. 'Instead we wanted to tell people that their information may not be so well protected.'"

29 of 156 comments

  1. Re:Leak It by Andorin · · Score: 2, Insightful

    Nice troll, but there's a difference between publicly available information (copyrighted works) and private information (peoples' personal info, login credentials, etc).

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  2. Re:Leak It by spazdor · · Score: 4, Informative

    Because it conflates privacy issues with intellectual property issues. There is nothing hypocritical in trying to contain private data but not copyrighted works.

    --
    DRM: Terminator crops for your mind!
  3. A couple of notes by Andorin · · Score: 5, Informative

    Part of Krebs's story is that he joined TPB's IRC channel in order to bring the issue to the mods' attention. He says he was taunted by mods who didn't believe he was a journalist or that he actually had anything, and then was kicked/banned after he posted the md5 sums for some administrative passwords. In this manner he makes the channel mods look like immature jerks, but I talked to the mod that actually kicked him not long after the story broke. Evidently the guy was typing like an idiot (multiple messages per sentence) and acting in a rather unprofessional manner. Too, the kick was not because of the hashes, which he posted over half an hour before the kick. I just want people to know the other side of the story.

    Oh, and for the record, this leak isn't as big a deal as some might think. IP addresses can be gathered from the swarms themselves, email addresses used by TPB users should hopefully be throwaway addresses, and torrent hashes are inconsequential. Login details might be a problem for Trusted/VIP/staff accounts, but any serious users are not that concerned about this and would have changed their passwords/emails by now.

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
    1. Re:A couple of notes by gknoy · · Score: 2, Informative

      What makes this valuable (as opposed to trawling the torrent connections themselves) is the centralized nature: It's already collected. This makes data analysis on it much easier, since prospective users wouldn't need to gather the information themselves.

    2. Re:A couple of notes by Andorin · · Score: 2, Insightful

      > Because it's professional to kick someone who is telling you about a security breach in your product because you don't like the way that they type.

      Are you saying that they should have taken him at his word, right off the bat, that he's a serious journalist? If someone walked up to you on the street in a fancy business suit but started speaking Pig Latin, would you take them seriously?

      > Then why do they ask for them? And why are they storing them?

      Account verification and password changing. Duh.

      --
      That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
    3. Re:A couple of notes by erroneus · · Score: 2, Insightful

      LOTS and LOTS are not. People don't do what's best for themselves... they do what's easiest and feels best.

    4. Re:A couple of notes by jd · · Score: 2, Interesting

      One solution is to have people enter their e-mail address when they want to change their password. If the MD5 or SHA1 hash of the entered address matches the hash of the e-mail address on file, then send out the e-mail. If it does not, then that's not the right person. Then you don't need the actual address on file at all.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
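The check jd describes, as an added example that is not part of the original comment: only a digest of the address is kept, and a reset mail goes out when the entered address produces the same digest. It swaps the bare MD5/SHA1 for HMAC-SHA256 under a server-side key (an assumption), because addresses are guessable and an unkeyed digest can be matched against a candidate list; all names and addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side key kept outside the user database.
# Generated here only so the example is self-contained.
PEPPER = secrets.token_bytes(32)


def normalize(email):
    """Canonical form so ' Bob@Example.org' and 'bob@example.org' match."""
    return email.strip().lower().encode("utf-8")


def email_tag(email, key=PEPPER):
    """Keyed digest stored in place of the address itself."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def bare_md5(email):
    """The unkeyed variant, shown only for comparison."""
    return hashlib.md5(normalize(email)).hexdigest()


def may_send_reset(stored_tag, entered_email, key=PEPPER):
    """True only if the entered address matches the digest on file."""
    return hmac.compare_digest(stored_tag, email_tag(entered_email, key))


def match_candidates(stored, candidates, digest):
    """Risk check: can a stored value be tied back to a guessed address?"""
    return next((c for c in candidates if digest(c) == stored), None)


if __name__ == "__main__":
    on_file = "alice@example.org"                      # constructed
    guesses = ["bob@example.org", "alice@example.org"]  # constructed
    print(may_send_reset(email_tag(on_file), " Alice@Example.org"))
    print(may_send_reset(email_tag(on_file), "mallory@example.org"))
    # A bare MD5 column is recoverable by guessing; the keyed tag is not
    # without the key, which never sits in the database.
    print(match_candidates(bare_md5(on_file), guesses, bare_md5))
    other_key = secrets.token_bytes(32)
    print(match_candidates(email_tag(on_file), guesses,
                           lambda c: email_tag(c, other_key)))
```

The trade-off is that the site can no longer mail a user unless the user first supplies the address.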
    5. Re:A couple of notes by Stan+Vassilev · · Score: 3, Insightful

      > In this manner he makes the channel mods look like immature jerks, but I talked to the mod that actually kicked him not long after the story broke. Evidently the guy was typing like an idiot (multiple messages per sentence) and acting in a rather unprofessional manner.

      The mods banned the guy who has all their user data because he hit Enter too much. Not sure how that supports your premise?

  4. what fool provides personal info to pirate bay? by Anonymous Coward · · Score: 3, Insightful

    C'mon guys...don't register your info with pirate bay. That's just stupid. It was only a matter of time. Just be glad it came from a hacker group and not the courts. Use these services anonymously until the legal crap is sorted out.

    1. Re:what fool provides personal info to pirate bay? by Andorin · · Score: 2, Informative

      The only personal info in question are IP addresses and email addresses. Not that high on the Identifiability scale.

      --
      That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  5. Your daily dose of irony by Caerdwyn · · Score: 3, Insightful

    So here's a question. Who else has gotten into PirateBay's servers and NOT told them about it?

    I'd think that an organization like PirateBay would be the very last people on Earth whom you'd want to give any sort of personally-identifiable information. I guess we can put this one into the "Darwin Filter" category.

    side question: how many accounts are from president@whitehouse,gov, 1600 Pennsylvania Avenue NW, Washington DC 20050 USA?

    --
    Everybody gets what the majority deserves.
  6. Re:Enemies List by Andorin · · Score: 3, Informative

    Evidently enough to DoS the hacker.

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  7. worth to the RIAA and MPAA? by nurb432 · · Score: 4, Insightful

    Nothing at all.

    1 - If they accept stolen information anything they do with it will be tossed out of court and taint any pending or future litigation.
    2 - Having an account isn't grounds for anything.. I doubt even logs of what you searched for would be.

    --
    ---- Booth was a patriot ----
    1. Re:worth to the RIAA and MPAA? by arbiter1 · · Score: 2, Insightful

      That is what I was thinking, info stolen is pretty useless I think under law. Anyone they go after off those lists could claim it was altered to frame them.

    2. Re:worth to the RIAA and MPAA? by thrawn_aj · · Score: 2, Insightful

      Crucifying pirates isn't their only function. Their other function is shutting down/sabotaging these networks. Can you imagine the junk/booby traps (mmmm boobies) they could scatter throughout these networks in a few hours USING these stolen credentials? The nuisance value itself is enormous. Don't think that big organizations, simply because they are big, limit themselves to legal means of achieving their ends.

  8. Re:And this... by Andorin · · Score: 4, Informative

    One, TPB isn't a tracker, it's an indexer. Two, you don't have to register for it; you can download torrents without an account. You only need an account for uploading, posting comments, and viewing/downloading porn torrents.

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  9. Re:And this... by idontgno · · Score: 5, Insightful

    > You only need an account for uploading, posting comments, and viewing/downloading porn torrents.

    Well, there's your problem!

    Or, more specifically, there's why the hack yielded 4 million users when a great deal of the torrents are available without registration.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  10. Re:Leak It by bonch · · Score: 2, Interesting

    Since when does The Pirate Bay have a policy of only distributing "publicly available information?" Private information has been distributed via Pirate Bay before, such as the leaked Half-Life 2 source code or Paris Hilton's hacked cell phone pictures. Why should this information be any different?

  11. Re:Leak It by Andorin · · Score: 3, Interesting

    If a torrent for the users' info appeared on the site and the admins ignored a community demand to take it down, you bet that community would ditch the site and TPB would die. It's in TPB's best interest to keep user information secret; I do not understand why this is hard to grasp.

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  12. And no salt! by Anonymous Coward · · Score: 2, Informative

    Thepiratebay didn't salt their hashes. This site deserves to die.
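What the missing salt costs, as an added example that is not part of the original comment and not TPB's code: with bare MD5, accounts that share a password share a stored digest, so one recovered value resolves all of them. The hardened side uses a per-user random salt with PBKDF2-HMAC-SHA256 from the Python standard library; the user names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # assumption; tune to the server's time budget

# Constructed sample accounts: two users picked the same password.
USERS = {"u1": "hunter2", "u2": "hunter2", "u3": "correct horse"}


def md5_unsalted(password):
    """Storage as described in the story: one fast digest, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), dk.hex()


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = record
    _, candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, dk_hex)


def shared_values(table):
    """Audit helper: stored values that more than one account maps to."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def build_tables(users=USERS):
    weak = {u: md5_unsalted(p) for u, p in users.items()}
    strong = {u: hash_salted(p) for u, p in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted MD5, accounts sharing a digest:", shared_values(weak))
    print("salted PBKDF2, accounts sharing a record:", shared_values(strong))
    print("login still verifies:", verify_salted("hunter2", strong["u1"]))
```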

  13. Re:Leak It by SquarePixel · · Score: 2, Insightful

    > If a torrent for the users' info appeared on the site and the admins ignored a community demand to take it down, you bet that community would ditch the site and TPB would die. It's in TPB's best interest to keep user information secret; I do not understand why this is hard to grasp.

    Which again would make their actions hypocrisy, especially when they in turn laugh and try to ridicule people who ask them to remove such info from the site.

  14. Re:Leak It by Andorin · · Score: 2, Insightful

    > Why shouldn't the information be put up as a torrent and distributed via Pirate Bay and WikiLeaks? Is it not hypocrisy otherwise?

    In that case you'll excuse me while I break into your computer/smartphone/$device and all your online accounts, harvest as much personal information as I can, and release it on TPB and Wikileaks.

    After all, there's no difference between publicly released copyrighted works and private information, right? And it'd be hypocrisy to complain about the distribution of this information, right?

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  15. Re:Leak It by Andorin · · Score: 3, Insightful

    > Which again would make their actions hypocrisy, especially when they in turn laugh and try to ridicule people who ask them to remove such info from the site.

    [citation needed]. Show me one event in which The Pirate Bay refused to remove a torrent for the personal, private information of an individual or a large group of individuals.

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  16. Re:And this... by Anonymous Coward · · Score: 5, Informative

    > You only need an account for uploading, posting comments, and viewing/downloading porn torrents.

    You don't even need that.

    Complicated way:
    All you need to view/download porn torrents is to look at uploaded torrents of some user who has uploaded torrents in the porn section.
    Pretty easy to find such a user.
    If you look at uploaded torrents, you'll see "Type" on the left, which will be "Porn > Foo".
    If you click on it, you can browse that Porn section.

    Easier way:
    just browse to
    thepiratebay.org/browse/50*
    with *={1,2,3,4,5,6}
    1=Movies
    2=Movies DVDR
    3=Pictures
    4=Games
    5=HighRes-Movies
    6=Movie clips

    TPB doesn't check whether you're logged in to validate if you want to allow porn material.
    So you really only need an account if you want to upload something or post comments no one cares about.

  17. Re:And this... by Andorin · · Score: 2, Funny

    Thank you, Mr. AC! Mod this one informative. I've been unable to browse teh pronz for the past couple of days as I can't log in, but you've given me new reason to live again.

    --
    That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
  18. Re:Leak It by Lincolnshire+Poacher · · Score: 2, Interesting

    > THOSE are data sets that need to be freed

    Arrrgh...

    Perhaps it should be expressed instead as "information tends towards the public domain".

    The meaning of IWTBF is the antonym of what you stated; instead of having to "be freed" by some liberator, information *will free itself* if constraints to its movement *are not applied*.

    The activity is on the part of the anthropomorphic information itself.

    That is: passwords, secrets and proprietary information will gradually drift towards becoming public knowledge unless an entity spends time, money and resources in stemming that movement. For information to become free, no-one has to do anything. It will gradually happen as an aspect of daily human interaction.

  19. Re:And this... by Anonymous Coward · · Score: 2, Informative

    > You only need an account for [..] viewing/downloading porn torrents.

    Actually, that's not true.
    If you go to http://thepiratebay.org/browse and look at the main category urls, you'll notice they go from /browse/100 to 200, 300, 400, 600..

    Hey, where did 500 go? Let's just edit that url and voila, porn.

    http://thepiratebay.org/browse/500

    And it's the same for top100:
    http://thepiratebay.org/top/500

  20. What's it worth to the RIAA? by Simonetta · · Score: 2, Insightful

    Well, the RIAA might find out that millions of people are downloading artistic material that they claim to 'own'. And they would know who.

    Would they launch millions of lawsuits against these people? Would they go to the ISP providers and demand that these millions of people be denied service? And would they offer to compensate the ISPs for the millions of dollars in lost revenue?

    Would they put a microchip like an RFID into the brains of each of these millions of people so that if these people ever again tried to experience an artistic work by an 'artist' that they have downloaded then they would get a splitting headache for a day? You downloaded a Lady Gaga song once long ago to check out what the buzz on her was about and now whenever you see her picture in the mall the RFID chip in your head starts to blast migraines. So you don't ever go to shopping malls anymore and do retail shopping over the web instead? How many millions of people are going to be subjected to this before the mall owners get pissed?

    Never forget: the RIAA is based on extortion. They don't care how many millions of people are downloading their product. They select a few people at random and focus their extensive brutal legal teams on these people, making their lives hell until they get paid off. The RIAA copyright 'violations' are just an excuse for extortion. If it wasn't copyright, then it would be something else.

    We do have laws against this kind of thing. It's called RICO. It worked against the mafia and it will work against the RIAA.

    If you ran a record company, and someone came to you with a list of the songs that people are willing to risk extortion to download and the names of those people, then you would have the perfect marketing tool. You know exactly who wants what in terms of artistic product. All that you don't know is the price that they are willing and able to pay. If they are downloading instead of buying, then the starting price point is too high. It's a negotiation beginning point; not a fucking Interpol crime. These downloaders are your customers, they are your best customers. Cultivate them; don't unleash the dogs of war against them.

  21. Re:And this... by Anonymous Coward · · Score: 3, Funny

    Pirate Bay has porn torrents?!

    Now I need to make an account!