Hack On 8 Adult Websites Exposes Oodles of Intimate User Data

An anonymous reader quotes a report from Ars Technica: A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it's not clear how many of the addresses legitimately belonged to actual users.

Robert Angelini, the owner of wifelovers.com and the seven other breached sites, told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to them. He said he didn't know how or why the almost 98-megabyte file contained more than 12 times that many email addresses, and he hasn't had time to examine a copy of the database that he received on Friday night. Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites on early Saturday morning. A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites. The affected sites "offer a variety of pictures that members say show their spouses," reports Ars. "It's not clear that all of the affected spouses gave their consent to have their intimate images made available online."

Did he just say "MD5"?

[xxxJonBoyxxx]

>> user passwords protected by a four-decade-old cryptographic scheme

Did he just say "MD5"? I thought we're only at 36 years...

Re:Did he just say "MD5"?

[EvilSS]

No, you said MD5. If you RTFA you would see they were talking about an older, even more insecure algo.

Re:Did he just say "MD5"?

[hcs_$reboot]

Did he just say "MD5"? I thought we're only at 36 years...

md5 is not so good, but not that bad.

Re:Did he just say "MD5"?

[xxxJonBoyxxx]

>> If you RTFA

On SlashDot? You must be new here. Summary or it didn't happen.

Re:Did he just say "MD5"?

[pi_rules]

Did he just say "MD5"? I thought we're only at 36 years...

I believe it's 56 bit DES.

Re:Did he just say "MD5"?

[hcs_$reboot]

or 8-bits XOR

Re:Did he just say "MD5"?

[CaptainDork]

I asked my wife if she wanted me to buy our dog some Algo and she said, "No. Algo get it"

The Internet was invented by Algo.

Don't mod me d o w n ... Bruce ...

Re:Did he just say "MD5"?

[quintus_horatius]

ROT13 FTW!

Re:Did he just say "MD5"?

For those of you who didn't RTFA:

Known as Descrypt, the hash function was created in 1979 and is based on the old Data Encryption Standard. Descrypt provided improvements designed at the time to make hashes less susceptible to cracking. For instance, it added cryptographic salt to prevent identical plaintext inputs from having the same hash. It also subjected plaintext inputs to multiple iterations to increase the time and computation required to crack the outputted hashes. But by 2018 standards, Descrypt is woefully inadequate. It provides just 12 bits of salt, uses only the first eight characters of a chosen password, and suffers other more-nuanced limitations.

“The algorithm is quite literally ancient by modern standards, designed 40 years ago, and fully deprecated 20 years ago,” Jeremi M. Gosney, a password security expert and CEO of password-cracking firm Terahash, told Ars. “It is salted, but the salt space is very small, so there will be thousands of hashes that share the same salt, which means you’re not getting the full benefit from salting.”

By limiting passwords to just eight characters, Descrypt makes it nearly impossible to use strong passwords. And while the 25 iterations requires about 26 more time to crack than a password protected by the MD5 algorithm, the use of GPU-based hardware makes it easy and fast to recover the underlying plaintext, Gosney said. Manuals, such as this one, make clear Descrypt should no longer be used.

The manual that shows how horrendous this scheme is is this one: https://passlib.readthedocs.io/en/1.6.5/lib/passlib.hash.des_crypt.html

Re:Did he just say "MD5"?

[JustAnotherOldGuy]

"By limiting passwords to just eight characters, Descrypt makes it nearly impossible to use strong passwords."

No, it makes it completely impossible to use strong passwords.

Password strength is due in part to the address space, and an 8 character password has far less address space than, say, a 30 character password.

All other things being equal, an 8 character password is always going to be easier to crack than a 30 character password.

Lesson in Sub-Headline

[forkfail]

"A recovered 98MB file underscores the risks of trusting personal info to strangers."

Well, perhaps.

Or maybe it should read:

"A recovered 98MB file underscores the risks of doing things that will destroy your reputation and marriage."

Re:Lesson in Sub-Headline

[robsku]

Both are correct.

Re:Lesson in Sub-Headline

[pgmrdlm]

What a tight ass. Jesus, don't let that prude thinking of yours chase away everyone that might even have thoughts of a sex with another person. Even if they are not married or with a significant other. God forbid that sex would cross a persons' mind.

Re:Lesson in Sub-Headline

[forkfail]

There's a distinction that is missing in your reply.

In the case I am referencing, the individual went to the virtual edition of the seedy Motel 6 of his own choice and volition.

In the scenario you paint, there is a telescreen on the individual's wall, against the individual's choice and volition.

Two VERY different things.

Re:Lesson in Sub-Headline

[PPH]

everyone that might even have thoughts of a sex with another person

I think about that several times an hour. On a slow day.

The thing is: I don't act on thoughts thoughts without prior permission from my wife. And then I don't have an urge to go snapping pictures of the deed. Never mind sharing them with all but a few trusted third parties. And then never using a platform that I have little or no control over.

In my experience with the polygamous lifestyle, people who don't protect their personal lives are worse than careless. They are actually seeking out tragedy.

Sex is fine. It's just that the default should be not to share the details with any yet to be determined third parties, without some serious justification (like being a porn star).

Re:Lesson in Sub-Headline

[CaptainDork]

Given the porosity of the Internet, it's more like fucking in public.

Re:Lesson in Sub-Headline

[nukenerd]

If you have done nothing wrong, you have nothing to hide.

A common meme, but a fallacy because what is legal or even simply right does not always align with what you want others to know. For example I would not expect there is any wrong-doing to be found in your medical records, but I don't imagine you would want to post them here, although I'm prepared for you to prove me wrong.

Re:Lesson in Sub-Headline

[JustAnotherOldGuy]

Or maybe it should read:

"A recovered 98MB file underscores the risks of doing things that will destroy your reputation and marriage."

There's a lot of truth in that.

I find it easy not to fuck up my marriage with affairs simply by not having affairs. It's so easy not to have an affair, and yet apparently it's beyond the ability of so many people.

New Standard Unit: 1 Oddle = 100 Megabytes

[turp182]

Since it was only 98 megabytes the pluralization is the correct way to reference the unit.

It's about standards

[jbmartin6]

Use a standard measurement so everyone can understand FFS. OK, fine, how many Library of Congresses are there in an oodle?

Re:It's about standards

[CaptainDork]

Yeah. They need to use units of car analogy.

Re:It's about standards

[Pascoea]

Their drum brakes failed.

Okay everyone, focus on what matters

[shaitand]

Who has the content?

Who uses real names?

[nospam007]

Only my bank login is traceable to me, for the rest I use aliases. Even my ISP thinks I'm my cat.

Re:Who uses real names?

[CaptainDork]

This.

I have a goddam list enumerating all the sites I'm registered at, along with the means to get in.

I also include all the lies adjacent, so I can remember all the artful dodger shit.

Re: Who uses real names?

[TimMD909]

I bet you feel embarrassed when you forget to pay that bill, and Sergeant Snuggles name is brought under fire for your mistake. What about the electric bill, where Sparkle Mittens would end up taking the heat?

Re:Who uses real names?

[antdude]

I am just an ant!

Re: Who uses real names?

[Areyoukiddingme]

Asked cat. Cat said ...

If you have an acocunt for one of those sites...

[Oswald+McWeany]

If you have an acocunt for one of those sites... why on earth would you use your real e-mail address?

Why do you need a user name?
This is what burner e-mail addresses were created for anyway.

Re:If you have an acocunt for one of those sites..

[Gilgaron]

Yeah, Mr Fake (fake@fake.com) ought to be really worried his wife is going to find out...

Let's hope that no boobs were exposed

[grungeman]

Because that would be outrageous.

Re:Another massive goverment failure

[nukenerd]

WTF has this got to do with "big government"? Do you try to raise this bee-in-your-bonnet in every thread?

Real Names !?

[nukenerd]

What idiot would give their real name and their normal e-mail address on a web-site like that?

Re:That's terrible

[nukenerd]

I hope my secret love for Brazilian trannies will remain secret!

Well you've just revealed it here anyway. But don't worry, you are among friends.

Use Different Passwords

[DatbeDank]

Started doing this years ago.

Personal email and banking passwords are a phrase.

Forum, Adobe, special software sign on passwords are something simple and always different. I've had to change this password often over the past 10 years. My banking and personal email ones no so much.

Re:Another massive goverment failure

[CaptainDork]

/. is a great venue to learn and mature.

The Internet doesn't work the way you think it does.

Megabytes?

[jythie]

Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

Re:Megabytes?

[JustAnotherOldGuy]

Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

Yep. 89 megabytes is maybe two cat pictures and a Microsoft Word document with the "Hello" in it.

Re:Megabytes?

[mjwx]

Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

Yep. 89 megabytes is maybe two cat pictures and a Microsoft Word document with the "Hello" in it.

I get the joke... But an 89 mb csv file holds quite a bit of data.

If this guy is a half decent "hacker", even a half decent script kiddie, he wont be using Word (which I agree has become a bloated piece of crap, I mean an even more bloated, bigger piece of crap).

Re:If you have an acocunt for one of those sites..

[DeBaas]

Yeah, Mr Fake (fake@fake.com) ought to be really worried his wife is going to find out...

wait until he finds out his wife has been faking it for years too!

at this point

[mapkinase]

it's just Darwin's law

Re:Another massive goverment failure

[kwbauer]

wtf?

Re:Another massive goverment failure

[JustAnotherOldGuy]

I'd like some of whatever you're taking, but in a smaller dose.