Hacker Steals 1.6 Million Accounts From Top Mobile Game's Forum (zdnet.com)
Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game "Clash of Kings," making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.
He's a criminal and deserves to be outed. If you steal people's personal information, you deserve the retribution that comes from doing so.
A location is not the same as identifying a single person legally as the perpetrator of a crime / action (if we temporarily ignore people who live on their own, who would therefore be the individual most likely to be accessing the Internet within that location).
Those are interesting things for you to group together.
Why not, "child pornography or going 7 mph over the speed limit"? Or, "child pornography or carrying an ice cream cone in your back pocket"?
You might want to figure out the whole moral equivalency thing. You're doing it wrong.
You are welcome on my lawn.
They should have locked the server in a bathroom closet. That way if they get hacked there are no consequences.
iplocation.net gives me four locations for my IP. None of them are correct and the nearest one is 3 miles away from me.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
"People on here" didn't write the article.
IP addresses released have many uses.
Some blocks are almost certainly traceable because they're allocated based on ISP pools for geographic areas. Often, the traceroute of the IP's upstream internet gateway will at least give a city for the individual(s), though even that's a best guess. They are entirely locatable for the ISP/upstream provider assuming you can legally compel them to provide it.
What I assume you mean is that we say that an individual's IP isn't strictly the legal bar to arrest someone. Because a single IP address can service many people, any of those individuals could've perpetrated the crime. The crime occurs FROM my IP address, but I could have been hacked, exploited, etc. There's a reason why you don't hear of hackers uploading child porn then calling the police. The bar's too low to prosecute without further evidence. Now if they were sex offenders, that's a different story.
And that isn't even getting into the area of illegal trespass and 'open door' liability that I don't believe have really been solidified in the courts. If a hacker or some random person commits a crime through my insecure or no security internet access, am I somehow complicit in the act if I was in fact unknowing it was occurring (TOR for instance)? Where should the bar be set between negligence and intent?
Bye!
I would say the IP address along with the other information provided (Since usernames, emails, and passwords can contain very important information like DOB, Nickname, and name) helps you narrow down to a specific person. Just an IP cannot really tell you a user, but an IP with other information can.
seems to have become a sporting event - yes, I can do it I am the king.
What's a person gonna do with a million data records - maybe sell it or is it just a proof of "concept"?
Seems weird, guess there are nicer things to do than sticking your mind for hours and days into something like this.
Person's location: Starbuck's on 7th Street.
Person's name: John Smith.
See how "Starbuck's on 7th Street" and "John Smith" are the exact same text?
Oh, wait.....
"City hall" in German is "Rathaus" Kinda explains a few things......
I know a lot of people that allow the browser to remember their passwords so that when I walk up to the system and go to a webpage I become them?
Of course not, but I'm saying if your login account is Jon.Doe1975@gmail.com with an IP in Generic Small Town, Kentucky. There's a good chance the account owner is most likely the 40 something year old guy named John Doe that lives in that town. That doesn't mean the person using it was that person, but generally that is the case. Not something that holds up in court, but is useful for social engineering.
Those are interesting things for you to group together.
The GP didn't group them, the world did. The two most common cases of IP addresses being falsely equated with an individual identity are overzealous law enforcement going after suspected paedophiles and overzealous lawyers going after alleged copyright infringement.
It's interesting that both groups use the same lie to get what they want.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Would be nice if you people would make up your minds.
Who are you addressing? Everyone on Slashdot? D'you think it makes sense to do that?
You realise location in this sense is probably geographical? Probably not right down to the exact address?
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
Hashing and salting makes your breakfast taste better ... but you shouldn't use the same salt for every password.
You have to use a UNIQUE SALT for every password and then have a WORK FACTOR of some large number (use the bcrypt library). That makes it much harder to crack all the passwords in the database because the attacker can't make a thing called a rainbow table easily .. which is basically a list of possible passwords hashed with the salt. Oh yeah when they enter the password check that the user doesn't use any of the top 100 passwords and patterns (ie, company name or username derivative a password etc.). First, after 3 bad tries (make sure you're saving the count on the server by updating the DB with the number of consecutive failed attempts -- don't track it with a cookie or session) on a username display a reCAPTCHA challenge. Second, if they do the reCAPTCHA but can't get the right password after 3 more tries .. then lock the account at least temporarily. The reason for displaying a reCAPTCHA before locking accounts is to make it harder for someone to write a script that locks out all your users. People should be using password managers nowadays anyway (they are built into the browsers right).
Person's location: Starbuck's on 7th Street.
Person's name: John Smith.
But Starbucks has started banning IPs associated with hacking and child pornography.
I suspect due to your knowledge of the subject, you are a pervert.
Errr....what? Did you even read what I posted?
How does Starbucks ban 192.168.3.192, when it's on their internal network? I mean all 35 people in the coffee shop are going to share a single public IP address. If it's been "associated with hacking and child pornography," as you put it, then Starbucks is going to start banning themselves. That makes no sense.
"City hall" in German is "Rathaus" Kinda explains a few things......
You have to use a UNIQUE SALT for every password and then have a WORK FACTOR of some large number (use the bcrypt library).
Yup, a slow and hard to brute force hash would have been good (other example: PBKDF2, Scrypt and the latest competition winner Argon2)
Sadly people are still using SHA-1 as a password hash (a hash function designed purposely to be fast and simple, which has the advantage of being able to be useful even on small hardware like smart cards - but is easy to brute force on dedicated hardware (GPU, FPGA) as proven by bitcoin's proof-of-work system, and is therefore a bad solution for *password* hashing)
Public key based authentication is even better, but I have rarely seen it used outside of the professional world.
Two-factor is another alternative, and at least that one is seeing some consumer usage...
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
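The unique-salt, work-factor and "reCAPTCHA before lockout" scheme described in the comments above, as an added Python sketch that is not code from any poster or from the breached forum. It uses the standard library's PBKDF2 (named in the reply) in place of bcrypt; `LoginGate`, the iteration count, the lock duration and the in-memory dict standing in for the database are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000               # work factor (assumed value; tune to your hardware)
CAPTCHA_AFTER, LOCK_AFTER = 3, 6   # 3 bad tries -> CAPTCHA, 3 more -> lock
LOCK_SECONDS = 900                 # assumed length of the temporary lock

def hash_password(password, iterations=ITERATIONS):
    salt = os.urandom(16)          # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def check_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])  # constant-time compare

class LoginGate:
    """Failure counts are kept server-side; the dict stands in for a DB table."""
    def __init__(self):
        self.users = {}

    def register(self, username, password, iterations=ITERATIONS):
        self.users[username] = {"pw": hash_password(password, iterations),
                                "fails": 0, "locked_until": 0.0}

    def login(self, username, password, captcha_ok=False, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return "denied"
        if now < user["locked_until"]:
            return "locked"
        if user["fails"] >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"   # password not checked, count unchanged
        if check_password(user["pw"], password):
            user["fails"] = 0
            return "ok"
        user["fails"] += 1
        if user["fails"] >= LOCK_AFTER:
            user["fails"] = 0
            user["locked_until"] = now + LOCK_SECONDS
            return "locked"
        return "captcha_required" if user["fails"] >= CAPTCHA_AFTER else "denied"
```

Because requests without a solved CAPTCHA never advance the counter past three, a script cannot push accounts into the locked state just by replaying bad passwords.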