sniko Posted May 5, 2016

So, a couple days ago ZIDDLE (CruZer) released a database dump and the source for a recoded Pokemon Helios.

Along with (this is an ongoing discussion as they've not replied to me) them potentially not allowing to release the source (as their own / at all) due to licensing restrictions, it has come to my attention that complete_db_helios.rar holds the usernames, emails, and hashed passwords of over 100k users.

Along with a breach of trust from the users - releasing their information (site activity, private messages, user information), they've hashed the passwords with sha1(). At time of writing I've personally cracked around 19k passwords.

This leads me on... Many users reuse their passwords. I've ~19k email/user;pass configurations to try on multiple platforms, including their e-mail providers. Once I've got into their e-mail account, I'm free to access any account the user has by resetting passwords and such.

This is a complete breach of user trust with a content provider.

I've talked to CruZer about this and he's since removed the complete_db_helios.rar - though that doesn't stop someone who has previously downloaded it from re-uploading it somewhere they've no control over.

This Facebook chat with CruZer implies he's shifting blame on the actual site owner, even though he's the one that posted it to his site and reached an audience who now have it.

Somewhat related to a previous shady move by CruZer - http://makewebgames.io/forum/misc/chit-chat/26302-rivalry-between-games#post26302

Bjorn Westergaard Posted May 5, 2016

Well this is not good, at all... :O

SRB Posted May 6, 2016

Whoever downloaded it. Upload and send me a link :P

Dave Posted May 6, 2016

Well that's certainly not good, let's hope people's accounts don't get hacked. Seems like everything is getting hacked and leaked these days.

Coly010 Posted May 6, 2016

sniko, if you come across anyone you recognise, you should let them know their accounts are vulnerable and report to them to change their passwords.

sniko (Author) Posted May 6, 2016

> sniko, if you come across anyone you recognise, you should let them know their accounts are vulnerable and report to them to change their passwords.

Setting up an e-mail blast to all accounts with a detailed description of what's gone on and who's involved/should be dealt with. Should be sent soonish (need to figure out how to mass mail >100k accounts that doesn't cost)

Coly010 Posted May 6, 2016

> Setting up an e-mail blast to all accounts with a detailed description of what's gone on and who's involved/should be dealt with. Should be sent soonish (need to figure out how to mass mail >100k accounts that doesn't cost)

For loop with php mail();? Not the best or great solution but might work?