Hack Exposes 412 Million Accounts on AdultFriendFinder Sites (zdnet.com)
"Almost every account password was cracked, thanks to the company's poor security practices," reports ZDNet -- even for "deleted" accounts. An anonymous reader quotes their article:
The hack includes 339 million accounts from AdultFriendFinder.com, which the company describes as the "world's largest sex and swinger community," [and] also includes over 15 million "deleted" accounts that weren't purged from the databases. On top of that, 62 million accounts from Cams.com, and 7 million from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data... The three largest sites' SQL databases included usernames, email addresses, and the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn't cryptographically as secure as newer algorithms.
The attack apparently coincides with the discovery of "a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server." Ironically, Friend Finder Networks doesn't even own Penthouse.com anymore. They sold the site to a new owner last February.
Tell me the typo in the title is intentional.
I am so sick and tired of databases not being properly protected. One thing you can do is to monitor outbound traffic. If you suddenly see a huge stream from the DB server to somewhere it doesn't normally go, a banshee cry should come from your monitoring system.
You can also include "trap" data in the DB and have pattern matching set up (on the system, in the network, on the routers). See the pattern, alarms and cell phones should start ringing.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
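A small illustration of the two controls the comment above proposes (baselining egress volume from the database server, and seeding trap records whose appearance in outbound data can only mean a bulk export), as an added example that is not part of the original thread; the addresses, byte counts, canary values and function names are constructed.

```python
from collections import defaultdict

DB_SERVER = "10.0.0.5"  # constructed address of the database server

# Constructed honeytoken rows seeded into the users table. They belong to nobody,
# so any outbound payload containing one is a strong signal of a dump in transit.
CANARY_EMAILS = {"canary-7f3a@example.invalid", "trap-91c0@example.invalid"}

# Constructed baseline: last week's per-flow byte counts from the DB server,
# as (destination, bytes). Real deployments would derive this from flow logs.
BASELINE = [("10.0.0.10", 50_000_000), ("10.0.0.11", 48_000_000), ("10.0.0.12", 5_000_000)]


def build_baseline(flows):
    """Peak bytes ever seen from the DB server to each destination."""
    peak = defaultdict(int)
    for dst, nbytes in flows:
        peak[dst] = max(peak[dst], nbytes)
    return dict(peak)


def egress_alerts(flows, peak, new_dst_min=10_000_000, factor=5):
    """Flag flows leaving the DB server to unknown hosts, or far above their baseline."""
    alerts = []
    for src, dst, nbytes in flows:  # (src, dst, bytes)
        if src != DB_SERVER:
            continue  # only outbound traffic from the database matters here
        if dst not in peak:
            if nbytes >= new_dst_min:
                alerts.append(f"new destination {dst}: {nbytes} bytes")
        elif nbytes > factor * peak[dst]:
            alerts.append(f"{dst}: {nbytes} bytes, over {factor}x baseline peak {peak[dst]}")
    return alerts


def canary_alerts(payload_samples):
    """Pattern-match captured outbound payload samples for the seeded trap records."""
    hits = []
    for dst, text in payload_samples:  # (destination, sampled payload text)
        for canary in sorted(CANARY_EMAILS):
            if canary in text:
                hits.append(f"canary {canary} seen leaving to {dst}")
    return hits
```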
i smell scandals happening. i can already hear neighbors yelling and slammed doors.
1. Sign up for sites like these using your enemies' information.
2. Wait for said sites to get hacked (because they inevitably will), spewing your enemies' information across the Interwebs and filling their lives with unexpected shame and scandal.
3. Profit!
With internet security being a Trump priority SHA-1 will be considered adequate, possibly even mandatory, especially for people owning iPhones.
For Trump's account?
I guess, some divorce-lawyer's wet dream just came true.
339 million accounts, but 338.8 million were fake accounts with pictures of large-breasted women who were eager to have sex with me. And they all live "near" me, even though I live on the International Space Station in low-Earth orbit.
Just cruising through this digital world at 33 1/3 rpm...
There's that many people signing up for this.
Didn't this happen already, something like a year ago?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Surely SHA-1 is perfectly fine as long as you salt it sensibly? The only way you can materially improve on SHA-1 is to use a hashing algorithm that is computationally expensive.
Please take the time to be informed about the real perpetrators of the 9/11 attacks. Before you say that the attacks were over 15 years ago and don't matter, consider that they continue to define foreign policy and domestic surveillance to this day. What if everything you think you know about 9/11 is built upon lies? Surely that would be reason enough to reconsider continued support of domestic counterterrorism and foreign policy. You've been told that 9/11 was carried out by Muslim extremists, but the truth is that it was perpetrated by Jews who were operating under the command of Mossad.
In the days prior to 9/11, FBI agents in New York detained Mossad agents who were conducting surveillance of the World Trade Center towers. Agents at the New York City field office were instructed to release the Mossad agents they had detained, which occurred a few days prior to the attacks. Although the reasons for releasing the Mossad operatives remain classified, it is generally believed that Israel threatened to create an international incident if the operatives were not freed.
This was accompanied by unusual options trading of airline stocks in Jewish-led financial firms on Wall Street in the days leading up to 9/11, standing to profit from a sharp decline in the stock prices of United Airlines and American Airlines. No such options were purchased for the other airlines at the time. How could this possibly be explained without prior knowledge by Jews of the 9/11 attacks a few days later.
Although a few thousand Jews were employed at the World Trade Center, no Jews were killed in the 9/11 attacks. Instead, all of the Jewish employees used leave time or otherwise failed to show up for work on 9/11. Although far fewer Jews worked at the Pentagon, the same occurred there, with no Jews present at the site on 9/11. This cannot be explained through chance, but only advance knowledge shared with the Jewish workers at both places. Indeed, the same thing occurred at the United States Capitol, widely speculated as the destination of the fourth plane that crashed in Pennsylvania. Warnings about the attacks were announced in advance at synagogues in New York City and Washington, alerting Jews not to show up for work on 9/11, a fact corroborated by multiple rabbis.
Several of the purported 9/11 attackers are still alive, a fact that is widely confirmed by multiple sources. Therefore, the supposed Muslim attackers cannot be responsible for 9/11. However, east coast flight schools reported training several Israeli citizens prior to the attacks and instructors indicated that the pilots were uninterested in learning how to land. The money to pay for flying lessons was traced back through banks to Israeli-owned firms operating in the United States. Although the true origins of the laundered money cannot be confirmed, it certainly implies that Jews, quite possibly working for the Israeli government, funded the 9/11 attacks.
Voice recordings of the 9/11 attackers from the cell phone calls made by passengers on the four planes clearly indicate that the attackers had Israeli accents. Furthermore, they can be heard praying to Yahweh, not to Allah, again implicating Jews in the attacks. This is confirmed by the cockpit voice recorder recovered from the crashed plane in Pennsylvania.
FBI agents investigating the 9/11 attacks wrote reports implicating Mossad agents, reports that were subsequently modified with the original versions suppressed. This has been confirmed by retired FBI agents who worked at both the Washington headquarters and the New York field office.
There can no longer be any doubt that Jewish operatives were responsible for the 9/11 attacks. Those attacks were a false flag operation, funded and orchestrated by the Israeli government. Israel subsequently pressured the United States to cover up the Israeli involvement in 9/11. The attacks were both retaliation for attempts of the United States to improve relations with Arab nations in the Middle East while subsequently turning the United States aga
Almost another half billion accounts of people spread to the four winds because of how much better private industry is than government.
When you add up all the hacks private industry has allowed because of their incompetence one can easily count 2 billion people, many no doubt duplicates, having their personal information compromised.
But excuses will be made about how great private industry is, how it's not really the programmer's fault or the database administrator's fault or the web designer's fault. Nope, it will be someone else's fault because private industry does things so much better than government it's easy to pass blame and no one will be held accountable as a result.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Yes. While SHA-1 has seen successful collision attacks (attackers can find two messages that generate the same hash), practical preimage attacks (attacker finds a message that generates either a specified hash value or the same hash value as a specified message) are not currently known. I would guess that these passwords effectively did not use salts.
There are no known SHA-1 collisions. Essentially, it's never been fully hacked. As you mentioned any hash must be salted for password use, and salted SHA-1 would be fine for most any public web site.
However, a partial crack of SHA-1 exists. The NSA or the Chinese government might well be able to crack it.
SHA-2 is recommended for all new hashes. For example, new TLS (SSL) certificates are signed with SHA-2, not SHA-1. In 2017, major browsers may stop accepting TLS certificates signed with SHA-1.
Upgrading can be easy if you used the crypt() system call, or a higher-level function that calls crypt() underneath. That includes MySQL encrypt(), Perl crypt(), etc. If you do, just change the salt you use for the initial hashing - the password CHECKING code remains unchanged.
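The upgrade path described above works because the stored string carries its own algorithm identifier and salt, so the checking code reads the prefix rather than knowing the scheme in advance. The following added example (not the commenter's code, and a simplified stand-in for the real crypt() format) shows that idea: a legacy salted-SHA-1 hash and a PBKDF2 hash are verified by one function, and a legacy hash is rehashed on the next successful login, which is the only moment the plaintext is available. The `$sha1$`/`$pbkdf2$` prefixes, round count and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed self-describing format: "$<id>$[rounds$]<salt>$<hash>".
# New hashes use PBKDF2; "sha1" exists only to verify records written before the upgrade.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, scheme: str = "pbkdf2") -> str:
    """Hash with the named scheme; only the scheme used for NEW hashes needs changing."""
    salt = os.urandom(16).hex()
    if scheme == "sha1":  # legacy: salted but cheap, so brute force stays fast
        digest = hashlib.sha1((salt + password).encode()).hexdigest()
        return f"$sha1${salt}${digest}"
    if scheme == "pbkdf2":  # current: cost factor makes each guess expensive
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS).hex()
        return f"$pbkdf2${PBKDF2_ROUNDS}${salt}${digest}"
    raise ValueError(f"unknown scheme {scheme!r}")


def verify_password(password: str, stored: str) -> bool:
    """Scheme-agnostic check: the stored string says how it was produced."""
    parts = stored.split("$")
    try:
        if parts[1] == "sha1":
            _, _, salt, digest = parts
            candidate = hashlib.sha1((salt + password).encode()).hexdigest()
        elif parts[1] == "pbkdf2":
            _, _, rounds, salt, digest = parts
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(rounds)).hex()
        else:
            return False
    except (ValueError, IndexError):
        return False  # malformed record
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when the record uses the legacy scheme or fewer rounds than current policy."""
    return not stored.startswith("$pbkdf2$") or int(stored.split("$")[2]) < PBKDF2_ROUNDS


def login(password: str, stored: str) -> tuple:
    """Return (success, record); on success a weak record is transparently upgraded."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)
    return True, stored
```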
Like seriously, how many of these accounts are real and not just fake accounts made by the site to fool people into thinking there's a lot of people out there.
There aren't even preimage attacks known for MD5.
After Bill's multiple rapes, harassment, abuse and even some consensual sex, with various women's lib/rights organizations arguing it's all ok for whatever fucked up reason, I was convinced that sex is a private matter and whatever Trump may or may not have done is a-ok!
The anti-American Left has been trying to "educate" me for decades. I have seen the light!
Trump'20!
Three. One even became my girlfriend for two years. So there are real women on there.
Some time between 7 and 13 years ago, I can't remember the details. All I found was an unending parade of spammers and scammers. What a complete waste of time and energy.
I do remember googling "free email services" to find a place to set up a throwaway account that was completely unconnected to me. Now I see another confirmation that was the right thing to do.
Swedish is pretty localized to Sweden and there are 1 266 684 accounts registered with main language Swedish in the database.
That would indicate that over 10% of Sweden's population is registered there! (13.2% of Sweden's 9.6 million inhabitants.)
Seems legit :D
Indeed, the real problem is that passwords are a terrible way of securing stuff. Human memory is too easy to predict and model, which is why even "good" passwords consisting of multiple words and numbers are relatively easy to crack these days, even with salted SHA-1 protecting them.
Didn't Google say they were working on something better than passwords? We need it sooner rather than later. Hard to imagine what form it will take though. Biometrics are obviously stupid, and it needs to be convenient and secure and compatible with a wide range of devices and services to work.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The only way you can materially improve on SHA-1 is to use a hashing algorithm that is computationally expensive.
And, so, we improve on it by making it more computationally expensive. What's wrong with that?
You'd think one could trust these amoral website companies to keep everything secure from "the man" --- but noooo!
I'm running out of passwords. Password1, Password2, Password123456, now I'll just hold down the 99999999 key.
Need to search that data for the name "Melania"