Slashdot Mirror


Hacker Steals 1.6 Million Accounts From Top Mobile Game's Forum (zdnet.com)

Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game "Clash of Kings," making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.

30 comments

  1. Why protect the hacker's anonymity? by Anonymous Coward · · Score: 1

    He's a criminal and deserves to be outed. If you steal people's personal information, you deserve the retribution that comes from doing so.

    1. Re:Why protect the hacker's anonymity? by Anonymous Coward · · Score: 0

      He didn't really "steal" the accounts. The originals are still there, he just made a digital copy.

    2. Re:Why protect the hacker's anonymity? by Anonymous Coward · · Score: 0

      So he's not a hacker but a lousy pirate guilty of copyright infringement, right?

    3. Re:Why protect the hacker's anonymity? by Anonymous Coward · · Score: 0

      Were the accounts copyrighted? Regardless, people think it's okay to copy music, games, or videos but they get outraged when their profiles are copied.

  2. Cracker by Anonymous Coward · · Score: 0

    It was a cracker.

  3. Hypocrisy at its best by smooth+wombat · · Score: 0

    IP addresses (which can often determine the user's location),

    So now an IP address can be used to determine a person's location yet people on here whine about how an IP address can't be traced to someone accused of child pornography or stealing music/movies.

    Would be nice if you people would make up your minds.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re: Hypocrisy at its best by Anonymous Coward · · Score: 1

      A location is not the same as identifying a single person legally as the perpetrator of a crime / action (if we temporarily ignore people who live on their own, who would therefore be the individual most likely to be accessing the Internet within that location).

    2. Re:Hypocrisy at its best by PopeRatzo · · Score: 1

      child pornography or stealing music/movies

      Those are interesting things for you to group together.

      Why not, "child pornography or going 7 mph over the speed limit"? Or, "child pornography or carrying an ice cream cone in your back pocket"?

      You might want to figure out the whole moral equivalency thing. You're doing it wrong.

      --
      You are welcome on my lawn.
    3. Re:Hypocrisy at its best by mrbester · · Score: 2

      iplocation.net gives me four locations for my IP. None of them are correct and the nearest one is 3 miles away from me.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    4. Re:Hypocrisy at its best by ADRA · · Score: 1

      "People on here" didn't write the article.

      IP addresses released have many uses.
      Some blocks are almost certainly traceable because they're allocated based on ISP pools for geographic areas. Often, the traceroute of the IP's upstream internet gateway will at least give a city for the individual(s), though even that's a best guess. They are entirely locatable for the ISP/upstream provider assuming you can legally compel them to provide it.

      What I assume you mean is that we say that an individual's IP isn't strictly the legal bar to arrest someone. Because a single IP address can service many people, any of those individuals could've perpetrated the crime. The crime occurs FROM my IP address, but I could have been hacked, exploited, etc. There's a reason why you don't hear of hackers uploading child porn then calling the police. The bar's too low to prosecute without further evidence. Now if they were sex offenders, that's a different story.

      And that isn't even getting into the area of illegal trespass and 'open door' liability that I don't believe have really been solidified in the courts. If a hacker or some random person commits a crime through my insecure or no-security internet access, am I somehow complicit in the act if I was in fact unknowing it was occurring (TOR for instance)? Where should the bar be set between negligence and intent?

      --
      Bye!
    5. Re:Hypocrisy at its best by blueshift_1 · · Score: 2

      I would say the IP address along with the other information provided (Since usernames, emails, and passwords can contain very important information like DOB, Nickname, and name) helps you narrow down to a specific person. Just an IP cannot really tell you a user, but an IP with other information can.

    6. Re:Hypocrisy at its best by cbiltcliffe · · Score: 1

      Person's location: Starbuck's on 7th Street.
      Person's name: John Smith.

      See how "Starbuck's on 7th Street" and "John Smith" are the exact same text?

      Oh, wait.....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    7. Re:Hypocrisy at its best by imatter · · Score: 1

      I know a lot of people that allow the browser to remember their passwords, so that when I walk up to the system and go to a webpage I become them?

    8. Re:Hypocrisy at its best by blueshift_1 · · Score: 1

      Of course not, but I'm saying if your login account is Jon.Doe1975@gmail.com with an IP in Generic Small Town, Kentucky. There's a good chance the account owner is most likely the 40 something year old guy named John Doe that lives in that town. That doesn't mean the person using it was that person, but generally that is the case. Not something that holds up in court, but is useful for social engineering.

    9. Re:Hypocrisy at its best by Anonymous Coward · · Score: 0

      Person's location: Starbuck's on 7th Street.
      Person's name: John Smith.

      But Starbucks has started banning IPs associated with hacking and child pornography.

      I suspect due to your knowledge of the subject, you are a pervert.

    10. Re:Hypocrisy at its best by Anonymous Coward · · Score: 0

      It's almost as if the site is made up of a myriad of people with their own often differing opinions and weren't a collective consciousness. How odd.

    11. Re:Hypocrisy at its best by AmiMoJo · · Score: 1

      Those are interesting things for you to group together.

      The GP didn't group them, the world did. The two most common cases of IP addresses being falsely equated with an individual identity are overzealous law enforcement going after suspected paedophiles and overzealous lawyers going after alleged copyright infringement.

      It's interesting that both groups use the same lie to get what they want.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:Hypocrisy at its best by Maritz · · Score: 1

      Would be nice if you people would make up your minds.

      Who are you addressing? Everyone on Slashdot? D'you think it makes sense to do that?

      You realise location in this sense is probably geographical? Probably not right down to the exact address?

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    13. Re:Hypocrisy at its best by cbiltcliffe · · Score: 1

      Person's location: Starbuck's on 7th Street.
      Person's name: John Smith.

      But Starbucks has started banning IPs associated with hacking and child pornography.

      I suspect due to your knowledge of the subject, you are a pervert.

      Errr....what? Did you even read what I posted?
      How does Starbucks ban 192.168.3.192, when it's on their internal network? I mean all 35 people in the coffee shop are going to share a single public IP address. If it's been "associated with hacking and child pornography," as you put it, then Starbucks is going to start banning themselves. That makes no sense.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  4. it seems obvious to them now by tomhath · · Score: 1

    They should have locked the server in a bathroom closet. That way if they get hacked there are no consequences.

    1. Re:it seems obvious to them now by Tourney3p0 · · Score: 1

      Yeah, but the taxpayers would have to pay billions of dollars to fund the resulting 3-year witch hunt.

  5. All this collecting and hacking by no-body · · Score: 1

    seems to have become a sporting event - yes, I can do it I am the king.

    What's a person gonna do with a million of data records - maybe sell it or is it just a proof of "concept"?

    Seems weird, guess there are nicer things to do than sticking your mind for hours and days into something like this.

    1. Re:All this collecting and hacking by Frosty+Piss · · Score: 2

      What's a person gonna do with a million of data records - maybe sell it or is it just a proof of "concept"?

      Very often people reuse the same passwords and user names over a swath of accounts. Not always, but often enough that knowing a gaming account that should be "throw away" or at least not the same as your Amazon or Banking account... can get a fraudster in the door and clean you out.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:All this collecting and hacking by AmiMoJo · · Score: 1

      This seems to be a hard problem to solve. On the one hand we want our favourite user names, on the other as much anonymity as possible. We want to avoid compromising one site to allow compromising other sites, but we also want to stop trolls and spammers creating new accounts too easily. We want people to remember their login details so they can use the site, but also use unique and hard to crack passwords.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. teh haxx0r did it by Anonymous Coward · · Score: 0

    Or, the "we don't know shit but like to scare you regardless" style of non-reporting.

  7. Re:App of Apps! by Anonymous Coward · · Score: 0

    Well someone's got fuck all to do.

  8. hashing and salting by backslashdot · · Score: 1

    Hashing and salting makes your breakfast taste better ... but you shouldn't use the same salt for every password.

    You have to use a UNIQUE SALT for every password and then have a WORK FACTOR of some large number (use the bcrypt library). That makes it much harder to crack all the passwords in the database because the attacker can't easily make a thing called a rainbow table .. which is basically a list of possible passwords hashed with the salt. Oh yeah, when they enter the password, check that the user doesn't use any of the top 100 passwords and patterns (i.e., the company name or a username derivative as a password, etc.). First, after 3 bad tries on a username (make sure you're saving the count on the server by updating the DB with the number of consecutive failed attempts -- don't track it with a cookie or session), display a reCAPTCHA challenge. Second, if they do the reCAPTCHA but can't get the right password after 3 more tries .. then lock the account at least temporarily. The reason for displaying a reCAPTCHA before locking accounts is to make it harder for someone to write a script that locks out all your users. People should be using password managers nowadays anyway (they are built into the browsers, right?).
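
The throttling policy described in the comment above (server-side failure counter, CAPTCHA after 3 consecutive failures, temporary lock after 3 more, and CAPTCHA-gated attempts not counting toward the lock so a script cannot lock everyone out), written out as an added example. This is not code from the forum, the game, or any commenter; the in-memory dictionary stands in for the per-user DB row, and the 15-minute lock duration and the `attempt_login` / `needs_captcha` / `is_locked` names are assumptions chosen for illustration.

```python
"""Server-side login throttling: CAPTCHA after 3 consecutive failures,
temporary lock after 3 more. Added example; the store, the lock duration
and the function names are assumptions, not code from the forum or the game."""
import time
from dataclasses import dataclass
from typing import Dict, Optional

CAPTCHA_AFTER = 3        # consecutive failures before a CAPTCHA is required
LOCK_AFTER = 6           # consecutive failures (the first 3 plus 3 more) before lockout
LOCK_SECONDS = 15 * 60   # temporary lock duration (assumed policy value)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts, kept server-side
    locked_until: float = 0.0  # unix time at which a temporary lock expires


# Stand-in for the users table: one row per username. In production this is
# a DB column, never a cookie or session value the client could simply discard.
_accounts: Dict[str, AccountState] = {}


def _state(username: str) -> AccountState:
    return _accounts.setdefault(username, AccountState())


def needs_captcha(username: str) -> bool:
    """True once the account has hit the CAPTCHA threshold."""
    return _state(username).failures >= CAPTCHA_AFTER


def is_locked(username: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return _state(username).locked_until > now


def attempt_login(username: str, password_ok: bool, captcha_ok: bool = False,
                  now: Optional[float] = None) -> str:
    """Apply one login attempt and return one of:
    'ok', 'bad_password', 'captcha_required', 'locked'.
    password_ok is the outcome of verifying the submitted password against the
    stored hash (done elsewhere); captcha_ok is the outcome of the CAPTCHA check."""
    now = time.time() if now is None else now
    st = _state(username)

    if st.locked_until > now:
        return "locked"

    if st.failures >= CAPTCHA_AFTER and not captcha_ok:
        # Not counted as a failure: a script that cannot solve the CAPTCHA
        # must not be able to push the account into lockout.
        return "captcha_required"

    if password_ok:
        st.failures = 0
        st.locked_until = 0.0
        return "ok"

    st.failures += 1
    if st.failures >= LOCK_AFTER:
        st.locked_until = now + LOCK_SECONDS
        # Keep the CAPTCHA requirement after the lock expires, but grant a
        # fresh set of post-CAPTCHA tries rather than re-locking immediately.
        st.failures = CAPTCHA_AFTER
        return "locked"
    return "bad_password"


if __name__ == "__main__":
    t0 = 1_000.0  # constructed clock value so the run is deterministic
    for _ in range(3):
        print(attempt_login("demo", password_ok=False, now=t0))   # bad_password x3
    print(attempt_login("demo", password_ok=True, now=t0))        # captcha_required
    print(attempt_login("demo", True, captcha_ok=True, now=t0))   # ok
```

Note that a correct password submitted without the CAPTCHA is still refused once the threshold is hit, and that the counter is only ever changed on the server; the `now` parameter exists so the lock expiry can be exercised without sleeping.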

  9. SHA-1 probably... by DrYak · · Score: 1

    You have to use a UNIQUE SALT for every password and then have a WORK FACTOR of some large number (use the bcrypt library).

    Yup, a slow and hard to brute force hash would have been good (other examples: PBKDF2, scrypt and the latest competition winner Argon2).

    Sadly people are still using SHA-1 as a password hash (a hash function purposely designed to be fast and simple, which has the advantage of being usable even on small hardware like smart cards, but is easy to brute force on dedicated hardware (GPU, FPGA), as proven by Bitcoin's proof-of-work system, and is therefore a bad solution for *password* hashing).

    Public key based authentication is even better, but I have seen it rarely used outside of the professional world.

    Two-factor is another alternative, and at least that one is seeing some consumer usage...

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
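
The storage scheme the two comments above call for (a unique random salt per password and a tunable work factor, using a deliberately slow KDF rather than plain SHA-1), as an added example that is not the forum's, the game's, or any commenter's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library (one of the slow hashes the second comment names) so it runs with no third-party package; bcrypt and Argon2 need external libraries. The record format, the 600,000 iteration count and the function names are assumptions chosen for illustration.

```python
"""Password storage with a unique per-user salt and a tunable work factor.
Added example, not code from the forum or the game. The record format,
iteration count and function names are assumptions for illustration."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor; raise it over time as hardware speeds up
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt is drawn on every call, so two users with the same
    password get different records and a precomputed (rainbow) table built
    for one salt is useless against any other."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and work factor stored in the record
    and compare in constant time. Malformed records verify as False."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the stored record uses a weaker work factor than current policy.
    Call it after a successful login and re-hash with the plaintext just verified,
    which is how an existing user base is migrated to a higher cost."""
    try:
        _, iters, _, _ = record.split("$")
        return int(iters) < iterations
    except ValueError:
        return True


def unsalted_sha1(password: str) -> str:
    """The anti-pattern the second comment describes: fast and unsalted, so every
    user with the same password shares one digest and a single table of candidate
    hashes cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    r1 = hash_password("correct horse battery staple")
    r2 = hash_password("correct horse battery staple")
    print("salted records differ:", r1 != r2)
    print("both verify:", verify_password("correct horse battery staple", r1),
          verify_password("correct horse battery staple", r2))
    print("unsalted SHA-1 collides:",
          unsalted_sha1("correct horse battery staple")
          == unsalted_sha1("correct horse battery staple"))
```

The record carries its own parameters, which is what makes `needs_rehash` possible: raising `PBKDF2_ITERATIONS` later does not invalidate old records, it just flags them for upgrade at the next successful login.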