AJ Intrusion and Database Compromise & Account Security



#1 Rapture

Rapture
  • Administrators
  • Curse Premium
  • Posts: 6710

Posted 07 March 2012 - 08:08 PM

The Situation
On March 5, 2012, Curse community IPB sites were targeted by hackers and for a brief amount of time unauthorized individuals had access to the Administrative Control Panel interface. This intrusion was quickly noticed; however, the intruders retrieved a large portion of user records from the IP.Board sites. The information downloaded included Usernames, E-mail addresses, IP addresses where you originally registered from, and an encrypted version of your password.

First, we'd like everyone to rest assured that Curse is very aware of this situation, and we've already begun taking steps to make sure this incident will not happen again.

The passwords in the stolen data are encrypted, and it is unlikely that the intruders would ever be able to get your actual passwords. Curse uses a number of security features to ensure your passwords are secure:

  • The passwords are encrypted using a one-way hashing algorithm and were salted, so they appear as scrambled text and your plain text password is not retrievable from it.

It is very unlikely that the hacker could reverse the hashing and salt process to retrieve your plain text password, but as a security precaution to stay safe, we recommend you change your password. Make sure to use a unique and strong password, and always go with long passwords over short ones. If your password on our community sites was the same as one of your passwords elsewhere, please change that password as well.

On behalf of Curse, we would like to apologize to you for this inconvenience. We take your security extremely seriously and believe that being forthright about anything that may compromise your security is the correct course of action. Please take this time to update whatever passwords you need to update, and please post if you have any questions, comments or concerns.

Account Security

This is a good time to remind everyone about general account security habits that will help ensure your safety online.

  • Use different, complicated passwords for all your accounts. Your Email passwords, your game account passwords and your passwords on various websites should all be unique. If you have trouble remembering them, write them down on a piece of paper and put them in your wallet (without the usernames/sites). This way, if for some reason your password on one of the sites is compromised, all your other accounts are safe.
  • Try to have passwords that are long (over 16 characters) that you can remember. Read this very helpful article on how to come up with secure and memorable passwords: Create strong passwords
  • Avoid clicking links from your email, as spoofing and other tricks can make an email appear like it comes from a legitimate source. Whenever you want to log on your account, go directly to the website by typing the URL in your browser, and check that you've spelled the address correctly.
  • Keep your browser up to date! Modern browsers have a lot of security features and lack the vulnerabilities older browsers might have.
  • Use an anti-virus on your computer. If you're a Windows User, Microsoft Security Essentials is a free and easy to use anti-virus, and it's one of the best performing ones too.
  • Use two factor authentication whenever you can. A two factor authentication system is an additional layer of security, typically a one time password generated or texted to your phone, or generated by another device that you have to enter in addition to your main password. Some examples are the Battle.net Authenticator, Google's 2-step verification and Facebook's Login Approvals. These nifty two factor authentication tools will ensure your Battle.net, Google and Facebook accounts are much more secure.
  • Make sure you've got a recovery email address on your primary email in case something happens to it, so that you may get your email back.


#2 Mity

Mity
  • Junkies
  • Undead
  • US-Mal'Ganis
  • Stormstrike
  • Posts: 990
  • Talents: ./././././.
  • Location: OKC

Posted 07 March 2012 - 08:10 PM


View PostRapture, on 07 March 2012 - 08:08 PM, said:

The Situation

Edited by Mity, 07 March 2012 - 08:28 PM.

@shitixmikesays

#3 avoid

avoid
  • Junkies
  • Undead
  • EU-Darksorrow
  • Rampage / Saccage
  • Posts: 912
  • Talents: Combat

Posted 07 March 2012 - 08:15 PM

^ what?

#4 misios

misios
  • Junkies
  • Human
  • EU-Outland
  • Misery
  • Posts: 1419
  • Talents: Destruction
  • Location: Norway

Posted 07 March 2012 - 08:25 PM

well that was majorly random ^

on topic: sad to hear, AJ seems to be running a bit slow lately or coming up with not enough server capacity sometimes, is this related to the hackings?

#5 Rapture

Rapture
  • Administrators
  • Curse Premium
  • Posts: 6710

Posted 07 March 2012 - 08:35 PM

View Postmisios, on 07 March 2012 - 08:25 PM, said:


on topic: sad to hear, AJ seems to be running a bit slow lately or coming up with not enough server capacity sometimes, is this related to the hackings?

No, this has been related to some issues we've been experiencing with our caching servers that are in the process of being upgraded.

#6 Hotted

Hotted
  • Junkies
  • Night Elf
  • US-Kargath
  • Vindication
  • Posts: 1636
  • Talents: Restoration 1/0/2/1/2/2
  • RBG: 2295
  • Location: Venezuela

Posted 07 March 2012 - 08:36 PM

shit, now when i thought i was safe...gonna get ddosd some more
Stream: http://www.twitch.tv/hotted89
YouTube: http://www.youtube.com/hotted89
Facebook: http://www.facebook.com/hotted89
Twitter: http://www.twitter.com/hotted89

#7 Calpurnia

Calpurnia
  • Moderators
  • Curse Premium
  • Blood Elf
  • US-Blackrock
  • Bloodlust
  • Posts: 458
  • Talents: Shadow
  • Location: Irvine, CA

Posted 07 March 2012 - 10:21 PM

Ah, sorry to hear.

Just curious, was this accomplished via social engineering or through other means?

#8 Rapture

Rapture
  • Administrators
  • Curse Premium
  • Posts: 6710

Posted 07 March 2012 - 10:26 PM

View PostCalpurnia, on 07 March 2012 - 10:21 PM, said:

Ah, sorry to hear.

Just curious, was this accomplished via social engineering or through other means?

It was caused by an extremely insecure password of someone with access to one of our IPB sites' adminCPs.

#9 Kujaqt

Kujaqt
  • Premium Junkies
  • Curse Premium
  • Orc
  • EU-Frostwhisper
  • Rampage / Saccage
  • Posts: 624
  • Talents: Beast Mastery 1/0/2/0/2/0
  • RBG: 384

Posted 07 March 2012 - 11:49 PM

View PostRapture, on 07 March 2012 - 10:26 PM, said:

It was caused by an extremely insecure password of someone with access to one of our IPB sites' adminCPs.

It was "password" wasn't it?

Keliann said:

our paladin's a huge asian flake, PM if you're somewhat close to DC and can make it, will be running TSG and possibly another comp

Originally Posted by clouds
I don't think you can win-trade at MLG

#10 Vikesboyz

Vikesboyz
  • Junkies
  • Blood Elf
  • US-Mug'thol
  • Vengeance
  • Posts: 40
  • Talents: Retribution

Posted 08 March 2012 - 02:30 AM

If someone is knowledgeable enough to use SQL injections, they're most likely knowledgeable enough to decrypt hashes. md5(md5($salt).md5($pass)) is nowhere nearly as safe as you make it sound, it's one of the fastest. Make sure your e-mail password is different from your password on here. Getting access to your arena junkies account is one thing, but to have full access to an e-mail is a completely different matter.

#11 kannetixx

kannetixx
  • Junkies
  • Human
  • US-Kel'Thuzad
  • Nightfall
  • Posts: 2946
  • Talents: Fire
  • RBG: 768
  • Location: Florida yee

Posted 08 March 2012 - 04:03 AM

View PostKujaqt, on 07 March 2012 - 11:49 PM, said:

It was "password" wasn't it?

Password1 according to Yahoo is the most obvious .. this was it surely.
US-Kel'Thuzad - Kannetix


http://www.anook.com/kannetix

www.twitch.tv/kannetix - Gladiator Mage Stream follow me and see when i go live!

#12 Rapture

Rapture
  • Administrators
  • Curse Premium
  • Posts: 6710

Posted 08 March 2012 - 04:09 AM

View PostVikesboyz, on 08 March 2012 - 02:30 AM, said:

If someone is knowledgeable enough to use SQL injections, they're most likely knowledgeable enough to decrypt hashes. md5(md5($salt).md5($pass)) is nowhere nearly as safe as you make it sound, it's one of the fastest. Make sure your e-mail password is different from your password on here. Getting access to your arena junkies account is one thing, but to have full access to an e-mail is a completely different matter.

I agree that people cannot be safe enough which is why we recommend having different passwords on all sites.

#13 Vikesboyz

Vikesboyz
  • Junkies
  • Blood Elf
  • US-Mug'thol
  • Vengeance
  • Posts: 40
  • Talents: Retribution

Posted 08 March 2012 - 04:42 AM

Ah sorry, I should have paid more attention to how access to the CP was gained. I'm no expert, I'm sure you know 20x as much as I do, I've got a small interest in the subject, and even less experience. I'm not sure what you mean by source code. I guess I thought that with access to the CP, you were able to make a backup of the forum, in which the encrypted passwords / emails / reputation, all the juicy shit were contained, which can easily be formatted into tables with excel, and from there copy / pasted into any cracker to run your simple, hybrid, rainbow, whatever kind of attack. In terms of the type of algorithm, I was under the impression that the algorithm was dictated by the type of forum, this being IPB, which is known to use md5(md5($salt).md5($pass)).

I'm not trying to teach cracking 101, give anyone any ideas, or to try and squeeze extra tidbits out of you, especially when I don't even know if the perp's intentions were ACTUALLY to get access to the database, or just to simply give himself mod privileges. At least you came out in the open and admitted it, most leads either wouldn't know about it, or sweep it under the rug.
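
Added example (not part of any post in this thread, and not Curse's or IP.Board's own code): the md5(md5($salt).md5($pass)) construction named in posts #10 and #13, and one way an operator can re-protect already-stored hashes with a slow key-derivation function without knowing anyone's password. It assumes PHP semantics (the inner md5() calls yield lowercase hex strings); the PBKDF2 iteration count, record layout and sample row are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # constructed work factor for this example


def ipb_legacy_hash(salt, password):
    """md5(md5($salt).md5($pass)); PHP's md5() returns lowercase hex strings."""
    inner = (hashlib.md5(salt.encode()).hexdigest()
             + hashlib.md5(password.encode()).hexdigest())
    return hashlib.md5(inner.encode()).hexdigest()


def wrap_legacy(legacy_hex, wrap_salt=None):
    """Re-protect a stored legacy hash without knowing the password."""
    wrap_salt = wrap_salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), wrap_salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256(ipb-md5)",
            "wrap_salt": wrap_salt.hex(), "hash": dk.hex()}


def verify(record, ipb_salt, candidate):
    """Recompute the legacy hash from the login attempt, then the slow wrapper."""
    legacy = ipb_legacy_hash(ipb_salt, candidate)
    dk = hashlib.pbkdf2_hmac("sha256", legacy.encode(),
                             bytes.fromhex(record["wrap_salt"]), ITERATIONS)
    return hmac.compare_digest(dk.hex(), record["hash"])


def relative_cost(samples=2000):
    """How many legacy hashes fit in the time of one wrapped computation."""
    t0 = time.perf_counter()
    for i in range(samples):
        ipb_legacy_hash("aB3$x", str(i))
    per_legacy = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    wrap_legacy(ipb_legacy_hash("aB3$x", "0"), b"\x00" * 16)
    return (time.perf_counter() - t0) / per_legacy


if __name__ == "__main__":
    # Constructed database row: per-user salt plus the legacy hash.
    row = {"salt": "aB3$x", "hash": ipb_legacy_hash("aB3$x", "correct horse")}
    upgraded = wrap_legacy(row["hash"])
    print(verify(upgraded, row["salt"], "correct horse"), round(relative_cost()))
```

The wrapped record replaces the legacy column value; on the next successful login the password can be rehashed directly with the slow function and the MD5 layer dropped.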

#14 Fetah

Fetah

Posted 08 March 2012 - 08:20 AM

Seeing as it's SHA-1 encryption it's not entirely safe. If he decided to download every user's sha1 encrypted password and username he/she CAN decrypt them, so if I were you I'd still recommend people to change their passwords to refresh/update the SHA-1 key.

But I'm sure you already know this.
