Hack On 8 Adult Websites Exposes Oodles of Intimate User Data

An anonymous reader quotes a report from Ars Technica: A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it's not clear how many of the addresses legitimately belonged to actual users.

Robert Angelini, the owner of wifelovers.com and the seven other breached sites, told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to them. He said he didn't know how or why the almost 98-megabyte file contained more than 12 times that many email addresses, and he hasn't had time to examine a copy of the database that he received on Friday night. Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites on early Saturday morning. A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites. The affected sites "offer a variety of pictures that members say show their spouses," reports Ars. "It's not clear that all of the affected spouses gave their consent to have their intimate images made available online."

Did he just say "MD5"?

[xxxJonBoyxxx]

>> user passwords protected by a four-decade-old cryptographic scheme

Did he just say "MD5"? I thought we're only at 36 years...

Re:Did he just say "MD5"?

[EvilSS]

No, you said MD5. If you RTFA you would see they were talking about an older, even more insecure algo.

Re:Did he just say "MD5"?

[hcs_$reboot]

Did he just say "MD5"? I thought we're only at 36 years...

md5 is not so good, but not that bad.

Re:Did he just say "MD5"?

[xxxJonBoyxxx]

>> If you RTFA

On SlashDot? You must be new here. Summary or it didn't happen.

Re:Did he just say "MD5"?

[pi_rules]

Did he just say "MD5"? I thought we're only at 36 years...

I believe it's 56 bit DES.

Re:Did he just say "MD5"?

[hcs_$reboot]

or 8-bits XOR

Re:Did he just say "MD5"?

yeah, but then he couldn't get a first post. But xxxJonBoyxxx is a karma whore, so not too surprised.

Re:Did he just say "MD5"?

[CaptainDork]

I asked my wife if she wanted me to buy our dog some Algo and she said, "No. Algo get it"

The Internet was invented by Algo.

Don't mod me d o w n ... Bruce ...

Re:Did he just say "MD5"?

[quintus_horatius]

ROT13 FTW!

Re:Did he just say "MD5"?

For those of you who didn't RTFA:

Known as Descrypt, the hash function was created in 1979 and is based on the old Data Encryption Standard. Descrypt provided improvements designed at the time to make hashes less susceptible to cracking. For instance, it added cryptographic salt to prevent identical plaintext inputs from having the same hash. It also subjected plaintext inputs to multiple iterations to increase the time and computation required to crack the outputted hashes. But by 2018 standards, Descrypt is woefully inadequate. It provides just 12 bits of salt, uses only the first eight characters of a chosen password, and suffers other more-nuanced limitations.

“The algorithm is quite literally ancient by modern standards, designed 40 years ago, and fully deprecated 20 years ago,” Jeremi M. Gosney, a password security expert and CEO of password-cracking firm Terahash, told Ars. “It is salted, but the salt space is very small, so there will be thousands of hashes that share the same salt, which means you’re not getting the full benefit from salting.”

By limiting passwords to just eight characters, Descrypt makes it nearly impossible to use strong passwords. And while the 25 iterations requires about 26 more time to crack than a password protected by the MD5 algorithm, the use of GPU-based hardware makes it easy and fast to recover the underlying plaintext, Gosney said. Manuals, such as this one, make clear Descrypt should no longer be used.

The manual that shows how horrendous this scheme is is this one: https://passlib.readthedocs.io/en/1.6.5/lib/passlib.hash.des_crypt.html

Re:Did he just say "MD5"?

[JustAnotherOldGuy]

"By limiting passwords to just eight characters, Descrypt makes it nearly impossible to use strong passwords."

No, it makes it completely impossible to use strong passwords.

Password strength is due in part to the address space, and an 8 character password has far less address space than, say, a 30 character password.

All other things being equal, an 8 character password is always going to be easier to crack than a 30 character password.

Lesson in Sub-Headline

[forkfail]

"A recovered 98MB file underscores the risks of trusting personal info to strangers."

Well, perhaps.

Or maybe it should read:

"A recovered 98MB file underscores the risks of doing things that will destroy your reputation and marriage."

Re:Lesson in Sub-Headline

Sounds dangerously close to Eric Schmidt's comment that "if you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place"

Re:Lesson in Sub-Headline

[robsku]

Both are correct.

Re:Lesson in Sub-Headline

[pgmrdlm]

What a tight ass. Jesus, don't let that prude thinking of yours chase away everyone that might even have thoughts of a sex with another person. Even if they are not married or with a significant other. God forbid that sex would cross a persons' mind.

Re:Lesson in Sub-Headline

If you have done nothing wrong, you have nothing to hide.

Be a good citizen and the Ingsoc has no leverage over you. It is your fault if you are not perfect.

Re:Lesson in Sub-Headline

[forkfail]

There's a distinction that is missing in your reply.

In the case I am referencing, the individual went to the virtual edition of the seedy Motel 6 of his own choice and volition.

In the scenario you paint, there is a telescreen on the individual's wall, against the individual's choice and volition.

Two VERY different things.

Re:Lesson in Sub-Headline

[PPH]

everyone that might even have thoughts of a sex with another person

I think about that several times an hour. On a slow day.

The thing is: I don't act on thoughts thoughts without prior permission from my wife. And then I don't have an urge to go snapping pictures of the deed. Never mind sharing them with all but a few trusted third parties. And then never using a platform that I have little or no control over.

In my experience with the polygamous lifestyle, people who don't protect their personal lives are worse than careless. They are actually seeking out tragedy.

Sex is fine. It's just that the default should be not to share the details with any yet to be determined third parties, without some serious justification (like being a porn star).

Re:Lesson in Sub-Headline

[CaptainDork]

Given the porosity of the Internet, it's more like fucking in public.

Re:Lesson in Sub-Headline

[nukenerd]

If you have done nothing wrong, you have nothing to hide.

A common meme, but a fallacy because what is legal or even simply right does not always align with what you want others to know. For example I would not expect there is any wrong-doing to be found in your medical records, but I don't imagine you would want to post them here, although I'm prepared for you to prove me wrong.

Re:Lesson in Sub-Headline

thoughts of a sex with another person.

Literally rape! May Google expose you!!

Re:Lesson in Sub-Headline

[JustAnotherOldGuy]

Or maybe it should read:

"A recovered 98MB file underscores the risks of doing things that will destroy your reputation and marriage."

There's a lot of truth in that.

I find it easy not to fuck up my marriage with affairs simply by not having affairs. It's so easy not to have an affair, and yet apparently it's beyond the ability of so many people.

Sigh.

And you were using DES. *facepalm*

This might get interesting...

(Grabs popcorn)

it wuz haxx0rr3d!!1!

No useful content, skipping article.

New Standard Unit: 1 Oddle = 100 Megabytes

[turp182]

Since it was only 98 megabytes the pluralization is the correct way to reference the unit.

It's about standards

[jbmartin6]

Use a standard measurement so everyone can understand FFS. OK, fine, how many Library of Congresses are there in an oodle?

Re:It's about standards

According to my super secret insider sources and proprietary maths, this oodle-sized breach was approximately 9.3 × 10-6 Libraries of Congress.

Re:It's about standards

[CaptainDork]

Yeah. They need to use units of car analogy.

Re:It's about standards

[Pascoea]

Their drum brakes failed.

Re:Another massive goverment failure

Many people are talking about how SJW's are really responsible. They destroyewd the linux kernel with there fascist "codes of conduct" which destroyed the meritiocratic process they had used before and this made linux less secure and now all these amazing web sites are to be hacked.

Okay everyone, focus on what matters

[shaitand]

Who has the content?

Who uses real names?

[nospam007]

Only my bank login is traceable to me, for the rest I use aliases. Even my ISP thinks I'm my cat.

Re:Who uses real names?

[CaptainDork]

This.

I have a goddam list enumerating all the sites I'm registered at, along with the means to get in.

I also include all the lies adjacent, so I can remember all the artful dodger shit.

Re: Who uses real names?

[TimMD909]

I bet you feel embarrassed when you forget to pay that bill, and Sergeant Snuggles name is brought under fire for your mistake. What about the electric bill, where Sparkle Mittens would end up taking the heat?

Re:Who uses real names?

[antdude]

I am just an ant!

Re: Who uses real names?

[Areyoukiddingme]

Asked cat. Cat said ...

If you have an acocunt for one of those sites...

[Oswald+McWeany]

If you have an acocunt for one of those sites... why on earth would you use your real e-mail address?

Why do you need a user name?
This is what burner e-mail addresses were created for anyway.

Re:If you have an acocunt for one of those sites..

[Gilgaron]

Yeah, Mr Fake (fake@fake.com) ought to be really worried his wife is going to find out...

Let's hope that no boobs were exposed

[grungeman]

Because that would be outrageous.

Re:Let's hope that no boobs were exposed

Pics or it didn't happen!

Re:Another massive goverment failure

[nukenerd]

WTF has this got to do with "big government"? Do you try to raise this bee-in-your-bonnet in every thread?

Real Names !?

[nukenerd]

What idiot would give their real name and their normal e-mail address on a web-site like that?

Re:Real Names !?

"What idiot would give their real name and their normal e-mail address on a web-site like that?"

(Serious response.)
Unless you're in a certain relationship or a repressive country, why not?
Do sex-related things scare you?
Also, please don't call me an idiot.

Re:That's terrible

[nukenerd]

I hope my secret love for Brazilian trannies will remain secret!

Well you've just revealed it here anyway. But don't worry, you are among friends.

Use Different Passwords

[DatbeDank]

Started doing this years ago.

Personal email and banking passwords are a phrase.

Forum, Adobe, special software sign on passwords are something simple and always different. I've had to change this password often over the past 10 years. My banking and personal email ones no so much.

Re:Another massive goverment failure

[CaptainDork]

/. is a great venue to learn and mature.

The Internet doesn't work the way you think it does.

Re: That's terrible

Isn't the Beetle still in production down there? I could go for an exploded view GIF of a stripped down 5 speed stickshift.

Re:Another massive goverment failure

big goverment regulation and taxes were put in SPECIFICALY to stop hacks and yet here it is all again with another hack of personal data as directly is the fault of that same goverment incompetence. and then libtards like you say we need to raise taxes and put in MORE of the regulation to "fix" it again.

Megabytes?

[jythie]

Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

Re:Megabytes?

89 megabytes, with pictures... The website had 89 users.

Re:Megabytes?

[JustAnotherOldGuy]

Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

Yep. 89 megabytes is maybe two cat pictures and a Microsoft Word document with the "Hello" in it.

Re:Megabytes?

Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

That was just for one site: EightMarriagesAndContinuallySwinging.com

Re:Megabytes?

[mjwx]

Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

Yep. 89 megabytes is maybe two cat pictures and a Microsoft Word document with the "Hello" in it.

I get the joke... But an 89 mb csv file holds quite a bit of data.

If this guy is a half decent "hacker", even a half decent script kiddie, he wont be using Word (which I agree has become a bloated piece of crap, I mean an even more bloated, bigger piece of crap).

Re:Megabytes?

Except password dumps compress extremely well.

Re:If you have an acocunt for one of those sites..

If the wife is the one whose images are posted online, then yes.

Re:If you have an acocunt for one of those sites..

[DeBaas]

Yeah, Mr Fake (fake@fake.com) ought to be really worried his wife is going to find out...

wait until he finds out his wife has been faking it for years too!

Re:If you have an acocunt for one of those sites..

I'm guessing it's so you can be contacted by like minded people.

Re:If you have an acocunt for one of those sites..

Because it "enables better customer experience" :)

Re:If you have an acocunt for one of those sites..

It can be difficult to use "burner" email addresses these days. Either the email site itself will require significant identifying information or if not then those email addresses will not be accepted by websites and such.

It's mostly the "fault" of spammers and scammers that are so numerous that website owners don't know what else to do. Is there a way to anonymously identify a specific real individual? (seems like a paradox)

Frankly the Slashdot model seems to be the best ever invented. Anonymous is allowed, any email is allowed, anything is allowed. However, there is trust built to specific individuals within the population that get limited moderation points.

at this point

[mapkinase]

it's just Darwin's law

Re:Another massive goverment failure

[kwbauer]

wtf?

Tell Me More

Please tell me more about how to expose one's oodles on an adult website.

It's... for... academic, yes... reasons!

Normally I'd Be Worried

That someone could use that information to blackmail their wives. But it sounds to me like they might be into that sort of thing. Or wait that's black male....my bad.

Mailinator.com

This is a textbook case of the purpose of mailinator.com

Re:Another massive goverment failure

[JustAnotherOldGuy]

I'd like some of whatever you're taking, but in a smaller dose.