13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites
The Daily Dot reports that yesterday a "group claiming affiliation with the loose hacker collective Anonymous released a document containing approximately 13,000 username-and-password combinations along with credit card numbers and expiration dates." Most of the sites listed are distinctly NSFW, among other places, but the list includes some of the largest retailers, too, notably Amazon and Wal-Mart.
The worst part about them being somewhat vague about which sites are compromised (amazon.com? .uk? .eu? .mars? .SetiAlphaV?) is I need to download the list now to check if my username, password and especially credit card number is on there and doing so potentially makes me a criminal. I'm not going to cancel my credit card on the off chance.
When this kind of thing goes down a news source should show ONLY the usernames so at least people have a hint that they need to cancel their credit cards.
Most of the listed sites have far more than 13,000 registered users, so access to the member database of just ONE of the sites would have yielded a much larger dump.
Also, some of the sites store only a properly salted, modern hash of the password, so there's almost no way to get passwords from the sites' servers.
It's pretty clear the hack is in the client side. We may have a look to see if the logs go back far enough to tell us which browser version, OS, and toolbars or addons those members were using.
Source - I designed the authentication and authorization systems for some of those sites.
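What a server that keeps "only a properly salted, modern hash" actually stores, as an added example that is not code from the thread or from any of the sites mentioned. It uses Python's `hashlib.scrypt`; the record layout, the cost parameters and the function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example (not taken from any site).
N, R, P = 2**14, 8, 1


def _derive(password, salt, n, r, p):
    """Run scrypt over the password with the given salt and cost parameters."""
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)


def make_record(password):
    """Build the string kept in the member database; the plaintext is discarded."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = _derive(password, salt, N, R, P)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${N}${R}${P}${enc(salt)}${enc(digest)}"


def verify(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    scheme, n, r, p, salt, digest = record.split("$")
    if scheme != "scrypt":
        return False
    actual = _derive(password, base64.b64decode(salt), int(n), int(r), int(p))
    return hmac.compare_digest(actual, base64.b64decode(digest))


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share one password.
    a, b = make_record("hunter2"), make_record("hunter2")
    print(a)
    print(b)  # different salt, different digest, no plaintext in either
    print(verify("hunter2", a), verify("hunter3", a))
```

A dump of records like these yields salts and digests, not the username-and-plaintext-password pairs described in the article.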
13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites
Replacing the word "and" with commas pointless, annoying.
systemd is Roko's Basilisk.
The list that was posted has apparently been removed (if you can get to the site, which seems to be under heavy traffic with people looking for it). Furthermore:
Malware explains the odd collection of websites, relatively small number of accounts, and supposedly-plaintext passwords. So anyone affected who changes their password will just have that new password picked up unless they've exorcised their computer.
Took me less than 5 minutes to figure out this is a click bait scam using collections of older password leaks and money for clicks URL referers. And the 'news' are eating it raw, generating fear and helping it spread. Which is exactly how this scam was designed to work.
DataBreaches.Net is carrying an article saying that the leaks are nothing new.
http://www.databreaches.net/verifying-leaks-uncovers-fake-leaks/
"Posted by @Cyber_War_News to Pastebin today:
Today has been interesting, to say the least.
Skipping all the bullshit let's get right to the main stinky shit.
Anonymous twitter user @AnonymousGlobo announced earlier today this:
https://twitter.com/AnonymousGlobo/status/547426305151860736
https://twitter.com/AnonymousGlobo/status/548537460691857408
Now after working with data leaks for years now it became clearly obvious to me that this was fake. Why?
Because real leaks do not get combined, real leaks often have a common format, the targets attacked have accounts leaked daily from phishing and other simple methods."
[more snipped]
Just don't spend more money than you have...
Easier said than done if you're always broke before the next payday. And no, that scenario doesn't automatically mean you're lazy or that you squander your money. Quite the opposite, it generally means you work 60-80hr weeks in retail or some other minimum wage (or less) industry. When the shit-box car that takes you to work dies a CC is normally the only way it can be revived/replaced.
The vast majority of the "working poor" know it's a financial trap when they get the card, but sometimes in life deliberately walking into a trap is the best option you have, thankfully I haven't been in that position for over 20yrs now.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
If you are going to do your own round counts, there are better ways to make it so you can't use hardware to attack your system. One trivial way with hashes is to xor the 1st byte with 0xaa on the 12th round. That alone means anyone building hardware or a GPU approach needs to take that odd step into account and that should about double the work needed by a GPU using today's techniques for optimisation. Another thing that works is to use a different table. For example MD5 uses an internal table that is something like 256*sine((0..255)/256.0). A simple swap of two bytes somewhere in the table means it is incompatible with off the shelf solutions and should be the same strength. There is a risk that doing this will cryptographically weaken the hash. For example if you use the XOR trick too early or too often in the rounds, you end up forcing bits to a known state and that makes it much weaker much like messing with S-boxes in DES does and for the same reasons. Moving around values in large tables tends to be safe as does some conditional byte manipulation in later rounds assuming you are doing more than the standard count. A great way to find out what doesn't work is to write an MD5-like function with 32 bits and just a few rounds. That can show lots of tweaks are very bad ideas.
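The small-scale experiment suggested in the comment above, as an added example that is not from the thread: a toy 16-bit hash built only from invertible steps, run over every possible input to count how many distinct outputs remain after a tweak in the 12th round. The round function, its constants and the two tweaks are assumptions chosen for illustration; the state is 16 bits rather than 32 so the whole input space can be enumerated quickly.

```python
MASK = 0xFFFF   # 16-bit toy state, small enough to enumerate completely
ROUNDS = 16
TWEAK_ROUND = 11  # zero-based index of the 12th round


def rotl(x, r):
    """Rotate a 16-bit value left by r bits."""
    return ((x << r) | (x >> (16 - r))) & MASK


def toy_round(x, i):
    """One round made of invertible steps, so an untweaked round loses no state."""
    x = (x + 0x9E37 + i) & MASK   # add a round constant
    x = rotl(x, 5)
    x = (x * 0x2545) & MASK       # odd multiplier is invertible mod 2**16
    x ^= x >> 7                   # xorshift is invertible
    return x


def toy_hash(x, tweak=None):
    """Run all rounds; apply the optional tweak once, after the 12th round."""
    for i in range(ROUNDS):
        x = toy_round(x, i)
        if tweak is not None and i == TWEAK_ROUND:
            x = tweak(x)
    return x


def xor_first_byte(x):
    """Tweak A: XOR the first (high) byte of the state with 0xAA."""
    return x ^ 0xAA00


def force_first_byte(x):
    """Tweak B: overwrite the first byte with 0xAA, forcing bits to a known state."""
    return (x & 0x00FF) | 0xAA00


def image_size(tweak=None):
    """Number of distinct digests over all 65536 inputs."""
    return len({toy_hash(x, tweak) for x in range(1 << 16)})


def mismatches(tweak):
    """Inputs whose tweaked digest differs from the stock digest."""
    return sum(toy_hash(x) != toy_hash(x, tweak) for x in range(1 << 16))


if __name__ == "__main__":
    for name, t in [("stock", None), ("xor", xor_first_byte), ("force", force_first_byte)]:
        print(name, image_size(t))
    print("xor digests differing from stock:", mismatches(xor_first_byte))
```

The count only measures lost output space in this toy; it does not measure resistance to cryptanalysis of a real hash.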