Slashdot Mirror


Hacker Steals 45 Million Accounts From Hundreds of Car, Tech, Sports Forums (zdnet.com)

An anonymous reader quotes a report from ZDNet: A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities. The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com. "We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email. In a sample given to ZDNet, the database shows email addresses, passwords that were hashed and salted with MD5 (an algorithm that nowadays is easy to crack), as well as a user's IP address (which in some cases can determine location), and the site that the record was taken from. LeakedSource, which confirmed the findings, said in its blog post that it was "likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale." A LeakedSource group member said it was "not related" to the recent hacks against MySpace, LinkedIn, and Tumblr. The report goes on to say: "A cursory search of the list of domains caught up in the hack revealed that none of the sites [ZDNet] checked offered basic HTTPS website encryption, which would prevent usernames and passwords from being intercepted."

8 of 47 comments

  1. Salts by sinij · · Score: 2

    At least with proper use of salts, each password hash will have to be individually brute-forced. While a single MD5-hashed password is trivial to break, 45 million are not.

    Now, if you are designing password storage in 2016, there is no excuse not to use a proper key-stretching function, like scrypt.

    1. Re:Salts by Dutch+Gun · · Score: 2

      Giving websites a secret they have to protect, especially second-tier player like this, just seems like a losing strategy in the long haul. I'm hoping something like SQRL eventually gets some traction, which uses public key crypto + site name to create an authentication method that doesn't rely on the website to keep a secret and is only viable for that single site. How many times must we demonstrate that sites can't be trusted with usernames and passwords? Nor can users be trusted to create decent passwords in the first place - which is understandable, because the advice of "don't reuse the same password", and "make your password long and complex" is absolutely untenable without a way to manage those passwords automatically.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  2. Re: Republicans... by The+Grim+Reefer · · Score: 2

    This is why it is so critical we maintain textual information about what life was like before Republicans.

    Not that I'm a Republican (or a Democrat)... But the Republican party was founded in 1854 (by anti-slavery Whigs) with the primary goal of abolishing slavery. So prior to the Republicans, the US had slavery. Abraham Lincoln was the first Republican president.

    In 1878 A.A. Sargent, a Republican, introduced the 19th amendment; it was voted down by the Democrat-controlled congress. It wasn't until 1919, when the Republicans controlled both the house and senate, that they passed it, still under the opposition of the democrat party, including the president at the time, whom the suffragettes referred to as "Kaiser Wilson."

    Before Jeanette Rankin, a Republican, in 1916 no woman had been elected to the house of representatives.

    During his time as the military governor of Germany after WWII, Dwight Eisenhower realized the value of the German highway system. When he became president, he signed the Federal-Aid Highway Act into law in 1956.

    Eisenhower signed the Civil Rights act of 1960 into law after a five-day filibuster by several democrats in the senate.

    Many credit Ronald Reagan with the collapse of the Soviet Union. Depending on your point of view, this may not be a good thing.

    In 2001 Colin Powell became the first black secretary of state, followed by Condoleezza Rice in 2005, who became the first black woman to hold that position.

    Yep, the world was a much rosier place before the existence of the Republicans.

  3. Salts matter. Salted MD5 1 year for 10 character by raymorris · · Score: 2

    Yeah, the summary seems a bit confused. It says "salted passwords with MD5 (an algorithm that nowadays is easy to crack)". If they are properly salted, they aren't easy to crack. Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.

    UNsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to be attacked individually, one at a time.

    On a related note, here's how to get SHA256 salted hashes on a Linux system:
    crypt(PASSWORD, '$5$' . SALT . '$')

    In MySQL it's called ENCRYPT():
    ENCRYPT(?, CONCAT('$5$', ?, '$'))
    execute(password, randomsalt)

    Enclosing the salt in $5$...$ causes crypt() to use sha256.
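    The point made in comments 1 and 3 (an unsalted store can be attacked for all users at once, a salted one must be attacked one record at a time, and a stretched hash such as scrypt makes each guess expensive) as an added, self-contained Python illustration. This is not code from the thread; it uses constructed sample accounts and a constructed six-word guess list rather than breach data, and it relies on hashlib.scrypt, which assumes a Python built against OpenSSL 1.1 or newer. The crypt()/ENCRYPT() calls themselves are not exercised here.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration (not data from the breach).
# Note that alice and carol chose the same password.
USERS = {"alice": "summer2016", "bob": "hunter2", "carol": "summer2016"}

# Constructed guess list standing in for an attacker's wordlist.
WORDLIST = ["password", "123456", "hunter2", "letmein", "summer2016", "qwerty"]


def md5_unsalted(password):
    """The weak scheme: the same password always yields the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password, salt):
    """Per-user random salt, stored in the clear as salthex$hash."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def scrypt_record(password, salt, n=2 ** 14):
    """Salted and stretched: scrypt with cost n, r=8, p=1; the cost is stored
    with the record so it can be raised later without breaking old entries.
    hashlib.scrypt needs Python built against OpenSSL 1.1+ (assumption)."""
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return "%d$%s$%s" % (n, salt.hex(), key.hex())


def verify_scrypt(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    n, salt_hex, key_hex = record.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=8, p=1, dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


def build_stores(salt_len=8):
    """Build the three kinds of credential store for the sample users."""
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: md5_salted(p, os.urandom(salt_len)) for u, p in USERS.items()}
    stretched = {u: scrypt_record(p, os.urandom(salt_len)) for u, p in USERS.items()}
    return unsalted, salted, stretched


def crack_unsalted(store):
    """Unsalted: hash the wordlist once, then look every user up in that table.
    Returns (recovered passwords, number of MD5 computations)."""
    table = {md5_unsalted(w): w for w in WORDLIST}
    recovered = {u: table[h] for u, h in store.items() if h in table}
    return recovered, len(WORDLIST)


def crack_salted(store):
    """Salted: the table cannot be shared, so the wordlist is rehashed for each
    user's salt (stopping at the first hit). Returns (recovered, computations)."""
    recovered, work = {}, 0
    for user, record in store.items():
        salt = bytes.fromhex(record.split("$")[0])
        for w in WORDLIST:
            work += 1
            if hmac.compare_digest(md5_salted(w, salt), record):
                recovered[user] = w
                break
    return recovered, work


if __name__ == "__main__":
    unsalted, salted, stretched = build_stores()
    print("unsalted, alice == carol:", unsalted["alice"] == unsalted["carol"])
    print("salted,   alice == carol:", salted["alice"] == salted["carol"])
    print("unsalted crack (recovered, work):", crack_unsalted(unsalted))
    print("salted crack   (recovered, work):", crack_salted(salted))
    print("scrypt verify for bob:", verify_scrypt("hunter2", stretched["bob"]))
```

    With this toy data the unsalted store falls to six MD5 computations for all three users, while the salted store needs a fresh pass per record (thirteen computations here, and the work grows linearly with the number of accounts). Salting alone does not slow down a single guess, though, which is why the scrypt record carries a cost parameter in addition to the salt.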

  4. Ugly. any free lookup tool? by n3r0.m4dski11z · · Score: 2

    I looked up my email address on that leakedsource.com and they found 2 hits in one hack and 1 hit in a few other hacks. Of course they only tell you what website got hacked. Any info beyond that is withheld till you subscribe ($4 a day).

    Sucks. I searched for a few strings before I got a hit, so I feel that it may be legitimate. I am seriously considering paying the money. uTorrent, AnandTech, and this VerticalScope thing. Some had plain text passwords! And sometimes I have in the past reused passwords... nasty!

    I looked up some friends' emails and work colleagues' and found hits for almost all of them.

    Looked up my work domain and found hundreds of hits. Going to probably do it just to warn my co-workers now.

    --
    -
    1. Re:Ugly. any free lookup tool? by JustAnotherOldGuy · · Score: 2

      I checked, and it seems like VBulletin has been a major source of leaks of my email address:

      VerticalScope Network (Vbulletin) (939 Websites) has: 1 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00
      AVSForum.com has: 1 result(s) found. This data was hacked on approximately 2016-01-23 00:00:00
      Vbulletin.com has: 1 result(s) found. This data was hacked on approximately 2015-10-27 00:00:00
      W3schools.invisionzone.com has: 1 result(s) found. This data was hacked on approximately 2015-01-11 00:00:00

      Fortunately I make up different passwords any time I use that email, but still...thanks VBulletin! Thanks for being so easy to hack, I really, really appreciate it.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Ugly. any free lookup tool? by JustAnotherOldGuy · · Score: 2

      The only problem with this is, if you give leakedsource your email address to check, that means that they now have your verified email address to keep. Forever.

      No, there's no verification required that I saw or was asked for. All it means is that they have an email address, not necessarily even a real one.

      For example, I started making up email addresses...and after inputting "sexygurl@yahoo.com", leakedsource came back with this:

      MySpace.com has: 200 result(s) found. This data was hacked on approximately 2013-06-11 00:00:00

      But I'm not the owner of that email and didn't even know if it was a real email address or not.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  5. Re:I care because..... by JustAnotherOldGuy · · Score: 2

    I'm just as leery of password "vaults" as I am of easy passwords.

    Same here...it seems like a single point of failure. Sure, you can use a long, ugly password for the password vault, but that won't matter if you get zapped by a key logger or malware that sniffs for credentials. And if I was a malware writer you could bet your ass that I'd be on the lookout specifically for password keeper apps so I could target them directly.

    Password keepers seem like a good idea at first, but the consequences of having one compromised would be catastrophic. They don't just get one of your logins, they get them all.

    --
    Just cruising through this digital world at 33 1/3 rpm...