Slashdot Mirror


2.5 Million Xbox and PlayStation Gamers' Details Have Been Leaked From Piracy Forums (thenextweb.com)

Xbox360ISO.com and PSPISO.com have been hacked by an unknown attacker in late 2015 and the details of the 2.5 million users affected have been leaked online. The leaked information contains email addresses, IP addresses, usernames and passwords. The Next Web reports: It seems that the operator of these sites did nothing to protect the latter, as all passwords were "protected" using the MD5 hashing system, which is trivially easy to overcome. For reference, that's the same hashing system used by LinkedIn. As the names of these sites imply, they were used to share pirated copies of games for Microsoft and Sony's gaming platforms. They also both have a thriving community where people discussed a variety of tech-related topics, including gaming news and software development. If you think you might have had an account on these sites at one point, and want to check if you were affected, you can visit Troy Hunt's Have I Been Pwned. If you have, it's worth emphasizing that anyone who gained access to that site, and anyone who has since downloaded the data dump, will be able to discern your password. If you've used it on another website or platform, you should change it.

36 comments

  1. Creds leaked... by WolfgangVL · · Score: 2

    From this totally wholesome-on-the-up-and-up site. Color me surprised. This is why we use throw away email addys for this sort of thing, kids.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  2. deserve to get leaked by Anonymous Coward · · Score: -1

    Feckin-A gamrboi faggots deserve to get leaked ... like a wet shoe under an old dog.

  3. How interesting! by Ol+Olsoc · · Score: 1
    I clicked on some white space below the story, as I was working in another program on my other screen.

    It took me to the "Have I been Pwned?" site

    NONONONONONONONONONONONONO!!!!! Do not fucking do this Slashdot! This is not funny! This is not appropriate. You want to take me to another website after clicking on white space? What the sleazy clickbait malware satan in hell are you doing? NO! Bad Slashdot! Evil Slashdot. Stop it. This will not do. We are not amused.

    Other than that, I have no strong feelings on the matter.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:How interesting! by Wootery · · Score: 1

      Agree, but I'd start closer to home: if, like me, you're dumb enough to browse Slashdot with no ad-blocker, the 'Sponsored Links' shown on the homepage are as scummy as clickbait gets.

    2. Re:How interesting! by Ol+Olsoc · · Score: 1

      Agree, but I'd start closer to home: if, like me, you're dumb enough to browse Slashdot with no ad-blocker, the 'Sponsored Links' shown on the homepage are as scummy as clickbait gets.

      This is weird, as I'm blocking ads, and scripts. They musta found a way around it that needs fixed.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  4. No sympathy for modern gamers... by Anonymous Coward · · Score: -1

    I'm old. Started with pong/magnavox games as a teen. Today's entitled generation get all pissy when their precious online games don't work right/cost too much / are over-hyped. Who gives a damn? There are more important things to do in life than post your latest high score/achievement. You know what's an achievement? Helping another human being in real life. If you're sitting in your room bitching about an eleven year old ripping on what they did to your mom last night in order to distract you, you're an asshole of modern life. Your game details got leaked? Too fucking bad, grow up, get a job, pay your way in life, and "achieve" real things. Throw out your game system. Give it to a kid under the age of 12. If you are older than a teen and still complaining about Sony/MS/Nintendo etc..., you are stunting your growth as a man, if you ever get there. Idiots the lot of you, grow the fuck up already and do goddamned hard things, the men of history who have died before you doing man things hold you in complete disdain, and rightfully so. Gamer idiots really are children who refuse to grow up.

    1. Re:No sympathy for modern gamers... by Anonymous Coward · · Score: 0

      I'm not a gamer. Don't play them, but get the fuck off my lawn!
      Sheesh.

    2. Re:No sympathy for modern gamers... by Anonymous Coward · · Score: -1

      Aww, the children have downvoted me to negative one within 3 minutes. How will I ever go on with my life? Can't handle some true talk. Your ping rate isn't perfect?? Can't keep up with 9 year olds? Did I interrupt your little fantasy life with some real talk? Lose a game that simulates real war because your credentials got leaked from the "cloud"? You are tools of the mega-corporations, nothing more. Too dumb to face life head on, keep hiding behind your precious online games, keep bitching about unimportant things. God I weep for the future of the human race. I'm leaving this site for good, have fun paying for your needed latest phones/game systems that you don't ever actually own. What an asshole of a generation we've created.

    3. Re:No sympathy for modern gamers... by Anonymous Coward · · Score: -1

      Fuck your goml line. The human race is allowing themselves to become tools of the powers that be, and paying to be monitored 24/7. Keep giving up your freedom. The human race has survived for tens of thousands of years without today's 'problems' of gamers bitching about this and that. Keep sucking down those overpriced energy drinks and complain to your buds of how DRM has destroyed your lives. I'd say more, but there are imaginary pokemen to chase down, keep busy doing that instead of building up your moral manhood.

    4. Re:No sympathy for modern gamers... by Anonymous Coward · · Score: 0

      Umm, I'm not a gamer for a couple of reasons, dolt!
      1. My info is my own. I "share" bits and pieces when absolutely necessary.
      2. Games bore me.
      You're not too bright, are you?
      Social networking? Nah, not my thing and I find facebook et al. to be far too intrusive.
      If you'd bother to read and UNDERSTAND what I'd written, you'd see we're close to being on the same page. Only difference is, I choose not to be a raving dickhead about it.

    5. Re:No sympathy for modern gamers... by Anonymous Coward · · Score: 0

      At first I thought it was a joke - but maybe you're a _real_ straight-man - but you definitely hit the nail on the head.

      CAP === 'falsify'

    6. Re:No sympathy for modern gamers... by Anonymous Coward · · Score: 0

      I apologize to you, it was wrong, you weren't my target audience. No offense intended to you personally.

    7. Re:No sympathy for modern gamers... by Anonymous Coward · · Score: -1

      I said what I meant and meant what I said. I'd been a long time /. contributor until this site got really lame and I posted how I was going to go check out this other site called "reddit". That was over a year or so ago, and I've been "shadow-banned" from logging in here ever since. I was "sternishefan" here, it's not worth creating a new handle here. The new editors have improved this site, but jeez, some shit just grinds my gears. Had to post how stupid the whole internet/gaming situation has gotten. It seems to me that the people in control would rather the new generation worry about cellphones and useless internet problems than actually bettering the human race. We humans are on the cusp of becoming a great force to improve conditions for all people of this world, or we are heading back to the dark ages where a few control the masses. I'm just a witness to history, and I do not like where some ignorant fools in power are trying to lead this latest generation. So much potential that may be brought to an end due to some assholes currently in power. Time will tell how it goes...

    8. Re: No sympathy for modern gamers... by Anonymous Coward · · Score: 0

      You are mixing unrelated issues and acting superior about it.

    9. Re: No sympathy for modern gamers... by Anonymous Coward · · Score: -1

      Damn right I am, and that's the way it is. The last year in my real life I've had to deal with a violent psychopath that for the last 3 years acted like a normal guy, it turns out he has actually killed people for fun and profit in his life, he tried to kill the neighbor across the street in order to keep on with his plan of stealing an innocent woman's medical settlement money. He's attempted to kill me a couple of times by drugging my food. She wised up and got a restraining order keeping him away, and he currently is facing 2nd degree felony charges, possible 7+ years in prison. I've had one hell of a 2016. I come here for tech news and I get 'news' about online fantasy gamers living in an unreal alternate reality, and yes, I lost it. Before they could bitch about their little ass problems I jumped in to nip their bitching in the bud before any unimportant comments occurred. If you're of legal age and crying about video gaming, wait until real life hits you. Rant over.

    10. Re: No sympathy for modern gamers... by Anonymous Coward · · Score: 1

      Gotta love unsubstantiated and unverifiable claims on the internet. "My life is *serious*, man! I have a murderer trying to murder me!"
      If someone has "tried to kill [you] a couple of times" why did a "real man" like you have to wait for a woman to take out the restraining order? Wouldn't a "real man" deal with that himself?

      Sorry, reads like fantasy/bullshit.

    11. Re: No sympathy for modern gamers... by Anonymous Coward · · Score: 0

      Source? No way something like this happens without at least local news getting involved.

  5. Not a surprise by gweihir · · Score: 3, Interesting

    The number of times I have had to explain to customers how to do password storage right is staggering. Most still believe a single hash is enough (well, to be fair, for a high-entropy password it is). Some have at least heard of salting the hash. But as soon as you come to iteration, most are clueless, and if you put in things like a large-memory-property (to prevent brute-forcing by FPGAs and graphics-cards), you have lost them completely. Many people just stop learning when there is no direct need to and these are the same people that in many cases write security-critical software.

    On the other hand, PBKDF2 has been available since 2000, packing hashing, iteration and salting in a nice package. And Argon2 now adds large memory and other nice properties and essentially solves the problem. People just seem to be completely unaware of this.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Not a surprise by geekmux · · Score: 1

      The number of times I have had to explain to customers how to do password storage right is staggering. Most still believe a single hash is enough (well, to be fair, for a high-entropy password it is). Some have at least heard of salting the hash...

      Ah yes, salting. A concept I read about over two decades ago in my O'Reilly SysAdmin book. I agree with you, sure is frustrating when those writing software these days act like good security is some newfangled concept we're still waiting for cold fusion to provide.

      On the other hand, PBKDF2 has been available since 2000, packing hashing, iteration and salting in a nice package. And Argon2 now adds large memory and other nice properties and essentially solves the problem. People just seem to be completely unaware of this.

      Given the prevalence of humans using 123456 as a "password", it's not that people are unaware; they simply don't give a shit enough to care.

    2. Re:Not a surprise by gweihir · · Score: 1

      On the other hand, PBKDF2 has been available since 2000, packing hashing, iteration and salting in a nice package. And Argon2 now adds large memory and other nice properties and essentially solves the problem. People just seem to be completely unaware of this.

      Given the prevalence of humans using 123456 as a "password", it's not that people are unaware; they simply don't give a shit enough to care.

      Well, my customers come from industries that should care, but yes, that is decidedly one of the roots of the problem.

      Doing password storage badly needs to be classified by default as gross negligence and result in severe personal consequences for those that have done it, just the same as gross malpractice. It is regrettable that this may mean formal engineering qualification requirements or the like for people implementing password-handling software, but apparently the industry is completely unable to regulate itself and enforce minimal quality standards. And as long as people do not need formal qualifications, these formal qualifications cannot be stripped from them if they screw up.

      As for users, using a bad password should just mean that they lose all expectation on privacy. Unfortunately, password quality enforcement schemes do not work and requirements to change them regularly make things worse.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Not a surprise by FrankHaynes · · Score: 2

      Given the prevalence of humans using 123456 as a "password"

      That's amazing! I've got the same combination on my luggage!

      --
      slashdot: A failed experiment.
    4. Re:Not a surprise by tlhIngan · · Score: 1

      Given the prevalence of humans using 123456 as a "password", it's not that people are unaware; they simply don't give a shit enough to care.

      It depends.

      If it's a user on a forum, "123456" or "password" may be perfectly legitimate to use. I use them on sketchy websites I don't care if the account gets pwned - they get a junk email address and a junk password - big whoop. You want to post as me? Go right ahead since I signed up to log in once and forgot all about it.

      If it's the admins, then it's a bigger problem.

      I always laughed because one forum I visited decided to impose complexity rules and time based password changes. I simply asked them "if these rules were in place, would the forums still have been compromised?" The answer is almost always yes because it wasn't an admin account (and you can always require complexity on admin accounts) that was used, but a fundamental flaw in the software.

      The only thing complexity does is make the password harder to crack and maybe take over sites if it was a compromised admin account (though since credentials are normally stolen through phishing, it doesn't matter).

      Fundamentally, password complexity and not using stupid passwords are silly policies for sites people don't care about. A bank requiring it makes sense. On a random website on the Internet, not so much.

      That said, password storage systems shouldn't be so hard to implement - I don't know why all these frameworks just don't have a simple "password storage" type class to securely store passwords into a backing store.

  6. Clickbait title by wept · · Score: 3, Insightful

    Worst.

    1. Re:Clickbait title by Toth · · Score: 2

      Yeah it is clickbaity but it's accurate.
      Yes the hack was over a year ago but the "news" is that it was made widely available about three days ago.

    2. Re:Clickbait title by Anonymous Coward · · Score: 0

      The author of the article is a clueless noob who is slinging around computer terms he doesn't even understand. MD5 is NOT trivially easy to overcome if it's used correctly.

      He sounds like an armchair script-kiddie to me.

  7. Wrong Headline by Osgeld · · Score: 3, Insightful

    2.5 million game pirates had their information leaked from a sketchy ass website over a year ago and now are acting offended someone may steal from them

  8. Headline is completely misleading. I'm done. by thesandbender · · Score: 2

    I started to type up a rant about how this headline was completely misleading... but instead I'll just say "I'm done".

    /screw you guys, I'm going home.

    1. Re: Headline is completely misleading. I'm done. by Anonymous Coward · · Score: 0

      Agreed. I didn't think Slashdot could get worse than it was during the Dice years, but here we are.

  9. MD5 isn't really "trivially easy to overcome" by peppepz · · Score: 1

    The problem lies in not using a salt, not in using MD5.

    1. Re:MD5 isn't really "trivially easy to overcome" by geekmux · · Score: 2

      The problem lies in not using a salt, not in using MD5.

      If a three-digit combination lock protecting a safe needs a bodyguard standing next to it to ensure no one steals anything, then using a shitty lock is in fact the problem, especially since few choose to spice up their recipe when cooking up a security model.

    2. Re: MD5 isn't really "trivially easy to overcome" by Anonymous Coward · · Score: 0

      MD5's weakness lies in its popularity and therefore susceptibility to rainbow table lookup. There's not a hashing algorithm around you should use without a salt and feel good about in the long term.

      Your analogy is dumb.

    3. Re: MD5 isn't really "trivially easy to overcome" by geekmux · · Score: 2

      MD5's weakness lies in its popularity and therefore susceptibility to rainbow table lookup. There's not a hashing algorithm around you should use without a salt and feel good about in the long term.

      Your analogy is dumb.

      Much like a 3-digit combination that is unknown to the attacker, MD5's ultimate weakness lies in the speed at which it can be cracked, which today's hardware has proven, irrelevant of the popularity or combinations known by rainbow tables.

      And if programmers are going to remain as ignorant as they always have and refuse to add a little salt to their coding diet, then stronger algorithms (stronger locks) are a rather necessary minimum, because convincing them to use a decades-old security bolster sure as shit ain't working.

      You are correct in that a hash alone does not provide a comfortable security buffer, but that hardly dismisses my analogy.

    4. Re: MD5 isn't really "trivially easy to overcome" by Anonymous Coward · · Score: 0

      MD5's weakness lies in its popularity and therefore susceptibility to rainbow table lookup. There's not a hashing algorithm around you should use without a salt and feel good about in the long term.

      Your analogy is dumb.

      Much like a 3-digit combination that is unknown to the attacker, MD5's ultimate weakness lies in the speed at which it can be cracked, which today's hardware has proven, irrelevant of the popularity or combinations known by rainbow tables.

      And if programmers are going to remain as ignorant as they always have and refuse to add a little salt to their coding diet, then stronger algorithms (stronger locks) are a rather necessary minimum, because convincing them to use a decades-old security bolster sure as shit ain't working.

      You are correct in that a hash alone does not provide a comfortable security buffer, but that hardly dismisses my analogy.

      Do you not know what a rainbow table is? MD5 can't be cracked quickly... The problem with MD5 is that people have been working for decades to crack it and they shared the cracked passwords to the point that it is trivial to take the encrypted password "fb8273hbr#@T@(#FJW" and map it to "secret!"

    5. Re: MD5 isn't really "trivially easy to overcome" by geekmux · · Score: 1

      MD5's weakness lies in its popularity and therefore susceptibility to rainbow table lookup. There's not a hashing algorithm around you should use without a salt and feel good about in the long term.

      Your analogy is dumb.

      Much like a 3-digit combination that is unknown to the attacker, MD5's ultimate weakness lies in the speed at which it can be cracked, which today's hardware has proven, irrelevant of the popularity or combinations known by rainbow tables.

      And if programmers are going to remain as ignorant as they always have and refuse to add a little salt to their coding diet, then stronger algorithms (stronger locks) are a rather necessary minimum, because convincing them to use a decades-old security bolster sure as shit ain't working.

      You are correct in that a hash alone does not provide a comfortable security buffer, but that hardly dismisses my analogy.

      Do you not know what a rainbow table is? MD5 can't be cracked quickly... The problem with MD5 is that people have been working for decades to crack it and they shared the cracked passwords to the point that it is trivial to take the encrypted password "fb8273hbr#@T@(#FJW" and map it to "secret!"

      And when a password happens to not exist yet in a rainbow table (thus removing your "popularity" factor), MD5's standing weakness is the fact that modern computing technology allows billions of computations per second against that particular algorithm, which was my entire point. The very existence of rainbow tables tends to prove how weak certain algorithms are, especially against modern hardware.
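    The three points argued across this thread (gweihir's salting-plus-iteration advice in comment 5, tlhIngan's wish for a simple "password storage" class in 5.4, and the salt-versus-speed argument in comments 9.x) can be seen side by side in a few lines of Python. The block below is an added example, not code from any commenter or from the breached sites: it stores three constructed user records first with bare MD5 (the scheme the story describes) and then with salted, iterated PBKDF2-HMAC-SHA256 from the standard library. Without a salt, two users with the same password get the same digest, so a single precomputed digest identifies both at once; with a per-user random salt the same password yields a different string every time and the precomputation is worthless, and the iteration count makes each guess cost tens of thousands of hashes instead of one. The user names, passwords, iteration count and storage format are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample records for the demonstration; not data from the leak.
USER_PASSWORDS: Dict[str, str] = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correct horse battery staple",
}


def md5_unsalted(password: str) -> str:
    """The scheme the story describes: one bare MD5 digest per password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_table(passwords: Dict[str, str]) -> Dict[str, str]:
    return {user: md5_unsalted(pw) for user, pw in passwords.items()}


def shared_hashes(table: Dict[str, str]) -> List[List[str]]:
    """Users whose stored digests are identical. With no salt, equal passwords are
    visible at a glance and one precomputed digest covers all of them."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Defender's audit check: which accounts use a password from a small, constructed
# list of known-weak choices? Exactly the check an incident-response team runs
# over its own unsalted table to decide who needs a forced reset.
WEAK_PASSWORD_DIGESTS = {md5_unsalted(p): p for p in ("123456", "password", "qwerty")}


def accounts_with_weak_passwords(table: Dict[str, str]) -> Dict[str, str]:
    return {user: WEAK_PASSWORD_DIGESTS[d] for user, d in table.items() if d in WEAK_PASSWORD_DIGESTS}


# The "simple password storage" the thread asks for: salt + iteration in one place.
# 600_000 iterations of PBKDF2-HMAC-SHA256 is an assumed default for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2-sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.
    A fresh random salt is drawn per call, so the same password never repeats."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGO, str(iterations), _b64(salt), _b64(dk)))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iters = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record, never a match
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(actual, expected)


def demo() -> Dict[str, object]:
    unsalted = md5_table(USER_PASSWORDS)
    salted = {user: hash_password(pw) for user, pw in USER_PASSWORDS.items()}
    return {
        "unsalted_duplicates": shared_hashes(unsalted),          # [['alice', 'bob']]
        "weak_accounts": accounts_with_weak_passwords(unsalted),  # alice and bob
        "salted_distinct": salted["alice"] != salted["bob"],      # True
        "salted_verify": all(verify_password(USER_PASSWORDS[u], salted[u]) for u in salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The record format and the iteration count are choices made for this example, not a standard; the point that survives any format is that the salt and the work factor are stored next to the derived key so they can be raised later. Memory-hard functions such as Argon2 (which gweihir recommends) are not in the standard library and are not shown here; the salt-and-iterate structure is the same, with a memory parameter added.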

  10. Outrageous by DrXym · · Score: 1

    If you can't trust a piracy forum to protect your online details then who can you trust?

  11. And in upcoming news....... by Anonymous Coward · · Score: 0

    Microsoft, Sony, and other companies sue over 1 million people for piracy. Here's a thought for the conspiracy theorists: Perhaps Microsoft, Sony, and other companies hired the hacker(s).