Slashdot Mirror
Hack Exposes 412 Million Accounts on AdultFriendFinder Sites (zdnet.com)
"Almost every account password was cracked, thanks to the company's poor security practices," reports ZDNet -- even for "deleted" accounts. An anonymous reader quotes their article:
The hack includes 339 million accounts from AdultFriendFinder.com, which the company describes as the "world's largest sex and swinger community [and] also includes over 15 million "deleted" accounts that weren't purged from the databases. On top of that, 62 million accounts from Cams.com, and 7 million from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data... The three largest site's SQL databases included usernames, email addresses, and the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn't cryptographically as secure as newer algorithms.
The attack apparently coincides with the discovery of "a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server. " Ironically, Friend Finder Networks doesn't even own Penthouse.com anymore. They sold the site to a new owner last February.
The attack apparently coincides with the discovery of "a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server. " Ironically, Friend Finder Networks doesn't even own Penthouse.com anymore. They sold the site to a new owner last February.
YIKES!
I am so sick and tired of databases not being properly protected. One thing you can do is to monitor outbound traffic. If you suddenly see a huge stream from the DB server to somewhere it doesn't normally go, a banshee cry should come from your monitoring system.
You can also include "trap" data in the DB and have pattern matching set up (on the system, in the network, on the routers). See the pattern, alarms and cell phones should start ringing.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
1. Sign up for sites like these using your enemies' information.
2. Wait for said sites to get hacked (because they inevitably will), spewing your enemies information across the Interwebs and filling their lives with unexpected shame and scandal.
3.Profit!
Hehe looks like all it took was a c bomb in the title to get the editors to finally do the jobs.
SHA has the best rounds, believe me. bcrypt and scrypt are so slow, they are all computation and no results.
I guess, some divorce-lawyer's wet dream just came true.
339 million accounts, but 338.8 million were fake accounts with pictures of large-breasted women who were eager to have sex with me. And they all live "near" me, even though I live on the International Space Station in low-Earth orbit.
Just cruising through this digital world at 33 1/3 rpm...
Didn't this happen already, something like a year go?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Surely SHA-1 is perfectly fine as long as you salt it sensibly? The only way you can materially improve on SHA-1 is to use a hashing algorithm that is computationally expensive.
As funny as that would be, trump doesn't use computers or the internet. He doesn't even use email. He hand writes everything.
Yes, he's that old school.
In any case, he has no need for adult hooking up sites. He can pretty much walk up to any hot chick and just grab her by the pussy.
Almost another half billion accounts of people spread to the four winds because of how much better private industry is than government.
When you add up all the hacks private industry has allowed because of their incompetence one can easily count 2 billion people, many no doubt duplicates, having their personal information compromised.
But excuses will be made about how great private industry is, how it's not really the programmer's fault or the database administrator's fault or the web designer's fault. Nope, it will be someone else's fault because private industry does things so much better than government it's easy to pass blame and no one will be held accountable as a result.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Yes. While SHA-1 has seen successful collision attacks (attackers can find two messages that generate the same hash), practical preimage attacks (attacker finds a message that generates either a specified hash value or the same hash value as a specified message) are not currently known. I would guess that these passwords effectively did not use salts.
There are no known SHA-1 collisions. Essentially, it's never been fully hacked. As you mentioned any hash must be salted for password use, and salted SHA-1 would be fine for most any public web site.
However, a partial crack of SHA-1 exists. The NSA or the Chinese government might well be able to crack it.
SHA-2 is recommended for all new hashes. For example, new TLS (SSL) certificates are signed with SHA-2, not SHA-1. In 2017, major browsers may stop accepting TLS certificates signed with SHA-1.
Upgrading can be easy if you used the crypt() system call, or a higher-level function that calls crypt() underneath. That includes MySQL encrypt(), Perl crypt(), etc. If you do, just change the salt you use for the initial hashing - the password CHECKING code remains unchanged.
And yet somehow Trump's predicted, presumed philandering be fine with the Conservitards. Peachy keen in fact.
They'll brag about his conquests while they vote for his reelection.
Go figure.
There aren't even preimage attacks known for MD5.
It is really funny that you should mention that. Many people who lived through the Hitler years say that Trump strongly reminds them of Hitler.
So in a way, you really did vote for Hitler this time around.
Three. One even became my girlfriend for two years. So there are real women on there.
How long until we find Carlos Danger (Anthony Wiener) or Diane Reynolds (Chelsea Clinton) in the dumps?
That said, if you find one listed as "Evergreen" I'd advise that you run and don't turn back.
That's Hillary, if you didn't know.
(it's a joke, stupid libtard lizard people. Go riot somewhere or smash a few windows. Hopefully you'll be arrested and committed to Bellevue because there's something wrong with people who lose an election and then lose their shit)
You mean like you were planning on doing if Trump had lost?
Indeed, the real problem is that passwords are a terrible way of securing stuff. Human memory is too easy to predict and model, which is why even "good" passwords consisting of multiple words and numbers are relatively easy to crack these days, even with slated SHA-1 protecting them.
Didn't Google say they were working on something better than passwords? We need it sooner rather than later. Hard to imagine what form it will take though. Biometrics are obviously stupid, and it needs to be convenient and secure and compatible with a wide range of devices and services to work.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I was, both on the "vanilla" AdultFriendFinder.com and the more explicit Alt.com.
It was very fake-ridden, but the fakes were easy to spot, even in the old times without Google image search. Sometimes it got weird when a silver or gold (i.e. paying) account popped up that contained picture material well-known from your favorite porn picture aggregator, so I assume some of these were indeed set up by the Friendfinder Network themselves as I can't imagine that people would set up paid-for fakes.
All in all, we met a total of six real couples (all but one being US couples stationed in Germany where we reside, too) over a period of like 3 years, which -- given that back then there wasn't "the" German portal for such activities like today it is with Joyclub -- isn't really that much plus indeed a real single bisexual woman. As mostly in these cases there was of course a catch with the latter -- bisexual good-looking women usually aren't single for long -- but that's another story. If you really wanted to meet someone there you certainly had the opportunity to do so.
However, already back then the security standards were low. For instance, full profile access officially was limited to non-paying users and guests, but with a simple script you could easily dig up all details (particularly the pictures), so I quickly hacked together a small script that would leech the desired data and reassemble the page into a view similar to a paying (or temporarily elevated) user's view. Also, all relevant account data was encoded in a hex string that, even worse, was forwarded per GET. I never went the lengths to decipher that, but I'm almost sure that you would've been temporarily able to lift yourself to paying member level through that.
For all practical reasons, you could earn a temporary increase to silver standard as well by idling in the chat all day (which also explains the low overall activity there despite being populated with users). That was good for IIRC 10 profile accesses, but with the aforementioned script it was well enough to not waste them for fake profiles.
Barbera, aren't you a Canadian transgender?
I am a Trump protester. I want him to clearly reject his "deplorable" base.
I'd also love for him to say he knows his campaign was too divisive and has made it impossible for all American's to accept his leadership; so he is committed to a single term, which will ensure he can clean up Washington without being beholden to anyone.
Cheap storage VM.
You'd think one could trust these amoral website companies to keep everything secure from "the man" --- but noooo!
I'm running out of passwords. Password1, Password2, Password123456, now i'll just hold down the 99999999 key.
Need to search that data for the name "Melania"
Not me. Negative campaigns have always caused me to vote "weirdly." Like last election, when I voted Green.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Barbera, aren't you a Canadian transgender?
Last time I looked, since my birth cert didn't always say female, so I guess so :-)
Clearly the whole transgender hate thing can be fixed by the individual states issuing properly corrected birth certificates. There is NO way that federal legislation can do that, nor offer the same protections. All those stupid bathroom bills disappear when you have a new (not amended) birth certificate with your new sex.
We've had laws in this province protecting us from discrimination based on sex, which has been interpreted to include birth sex, for decades. Other provinces have been slower catching up, but it's getting there.
Same thing with birth certificates. Some provinces destroy your old birth certificate, any marriage or divorce records, and your kids birth certificates and issue new ones with the new name and sex; these are recognized by all levels of government as the only ones with legal standing. Makes my marriage 40 years ago the world's first government-recognized same sex marriage, since I only got to finish all the paperwork after the newest laws kicked in (long story) . Gotta love retroactivity.
How is a school going to bar a trans girl using the same bathroom as other girls if she's legally a girl, and the old records, even if produced, have no legal standing? Simple answer - they can't. So while I agree with Obama that Title IX "should" apply to such cases, there's no way to get the states to accept it without the cooperation of the two houses. Trying to impose it by executive writ wouldn't be a lasting protection anyway, so nothing of value was lost. Just that EVERY F*ING TRANS IN THE US IS FREAKING OUT FOR NO REASON.
Bunch of bloody drama queens, reposting every rumour and speculation. No wonder 35% are dysfunctional according to their own doctors. It's the same with both sides on pretty much all the issues, because nobody knows yet how it's going to unfurl.
As one example, non-NATO-member allies Japan and South Korea have been reassured that the US has their back, while at the same time saying that they really do need to kick in more for their defense. That's a far cry from the isolationism rhetoric of the election. It's something both parties would have liked to be able to do.
Not going to like a lot of things he does, but it's worth the risk to see if he can get some sort of rapprochement with Putin so that there's less risk of everyone glowing in the dark or turning into radioactive zombies. Same as Nixon, being so anti-communist, was the only politician who could have credibly gotten better relations with them and made it stick.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.