2p2 Hacked.

http://forumserver.twoplustwo.com/



Site just got hacked, advise to change passwords and stuff.

Just letting you guys know.

well that sucks

For how valuable the user accounts are the measures 2p2 takes in making sure the dbs are inaccessible are simpy lol-worthy. They've been a flashing target for months now.

Now all you can hope they used proper encryption for user passes.

a week ago somoene hacked my 2p2/skype acct and was using them to vouch for scammers in fake trades

running out of good passwords to use that i will remember

Wow that is just so great, my main password was on that account.

Luckily it's not one shared with my e-mail address registered to it and I don't have that name anywhere else.

Seriously though, what excuse do they have to not completely release the information
of how he indicated he could decrypt those passwords and to what extent the information he has is encrypted?

pretty incredible how skilled hackers are these days

I use different pws for sites with tons of security (google) and different ones for sites like 2p2, lp, tl, etc. So when this happens I don't have to care

HEM forums are down too. Maybe I need to patch my forum since I got a bunch of emails from vbulletin today lol

I don't have an account at 2p2, but as far as passwords go, I started mentally lose track of passwords after 10 or so, so now I use the same 1 password for new sites I don't care about like 4 different clothing sites, 3 different shoe sites, Yelp account, etc.

stop being mongs and get keepass already, i mention it every time in these types of threads

ket should i get keepass?









._.

Where I get keepass?

The smart people have a separate password for a site that has access to billions of player accounts and lolz security

erg I just went to the site clicked forums and a suspicious popup came to enter my info this might get some n00bs =[

On April 26 2012 18:55 TheHuHu3 wrote: Where I get keepass?

On April 26 2012 22:18 Silver_nz wrote:

2p2 was my drug. i'm having pretty bad withdrawal

i dunno, these days you can get like rsatoken for pretty much everything
gmail has one, ps has one etc ... and its not like its gonna cost you a fortune

liquid poker should steal there traffic ASAP

On April 27 2012 01:48 Target-x17 wrote: liquid poker should steal there traffic ASAP

HERO style

On April 27 2012 01:35 N1GhtFoX wrote: i dunno, these days you can get like rsatoken for pretty much everything gmail has one, ps has one etc ... and its not like its gonna cost you a fortune

gmail has a RSA token? :o

ye, they have an app for diff phones that is basicly a rsa token
I dont remember exactly where but it should around security in settings ...
I have an iphone and the app is called google authenticator and you could add several accounts to it and generates diff numbers every 20-30 secs

hmmm k, i'll take a look ty. what if you lose your phone btw?:o

They also give you like 8-10 one time passes i think

like i can fucking remember what my pw was

brb login once "remember me"

On April 27 2012 03:59 byrnesam wrote: like i can fucking remember what my pw was brb login once "remember me"

qft lol

On April 27 2012 01:52 NeillyJQ wrote: Show nested quote + On April 27 2012 01:48 Target-x17 wrote: liquid poker should steal there traffic ASAP HERO style

Pffffft. Idiots. Lol

lol they're still down?

That's some pretty legit ownage

mehh, hate having multiple usernames/passwords -_______-

On April 27 2012 04:00 bigredhoss wrote: Show nested quote + On April 27 2012 03:59 byrnesam wrote: like i can fucking remember what my pw was brb login once "remember me" qft lol

qftx2

On April 27 2012 01:48 Target-x17 wrote: liquid poker should steal there traffic ASAP

add photoshop forum and gossip forum.
Make news on front Page of LP
Massive influx of 2+2'ers then
then we have massive amounts of new members we can troll and hate on ;D

On April 27 2012 15:23 uiCk wrote: Show nested quote + On April 27 2012 01:48 Target-x17 wrote: liquid poker should steal there traffic ASAP add photoshop forum and gossip forum. Make news on front Page of LP Massive influx of 2+2'ers then then we have massive amounts of new members we can troll and hate on ;D

hummm but hummm we still can hate them and do neither of these activities that require actually doing something. Pure hatred and lazyness

On April 27 2012 15:47 killmepl wrote: Show nested quote + On April 27 2012 15:23 uiCk wrote:   On April 27 2012 01:48 Target-x17 wrote: liquid poker should steal there traffic ASAP add photoshop forum and gossip forum. Make news on front Page of LP Massive influx of 2+2'ers then then we have massive amounts of new members we can troll and hate on ;D hummm but hummm we still can hate them and do neither of these activities that require actually doing something. Pure hatred and lazyness

i don't hate em, just that there will be more newcomers to hate/troll on. LP Style.

On April 27 2012 15:50 uiCk wrote: Show nested quote + On April 27 2012 15:47 killmepl wrote:   On April 27 2012 15:23 uiCk wrote:   On April 27 2012 01:48 Target-x17 wrote: liquid poker should steal there traffic ASAP add photoshop forum and gossip forum. Make news on front Page of LP Massive influx of 2+2'ers then then we have massive amounts of new members we can troll and hate on ;D hummm but hummm we still can hate them and do neither of these activities that require actually doing something. Pure hatred and lazyness i don't hate em, just that there will be more newcomers to hate/troll on. LP Style.

Yeah
I miss pokraight so much

all the good players are from 2p2 lol

How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs.

Can someone who is a more computer savy confirm this one way or the other?

Can't remember if the password I just changed to on their site was a really random horrible one or if I changed it to an actual good password hmhmhmhm

Annoying.

Keepass time.

On April 28 2012 03:05 capaneo wrote: How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs. Can someone who is a more computer savy confirm this one way or the other?

There are huge lists available in which you can look up the unencrypted version of a md5 encrypted pw, so called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list.

LOOOOOOOOOOOOOOL bnoooocjvkbs

On April 28 2012 03:29 Liquid`Meat wrote: Show nested quote + On April 28 2012 03:05 capaneo wrote: How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs. Can someone who is a more computer savy confirm this one way or the other? There are huge lists available in which you can look up the unencrypted version of a md5 encrypted pw, so called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list.

so you are saying they did not use salt at 2p2?

On April 28 2012 13:28 Highcard wrote: Show nested quote + On April 28 2012 03:29 Liquid`Meat wrote:   On April 28 2012 03:05 capaneo wrote: How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs. Can someone who is a more computer savy confirm this one way or the other? There are huge lists available in which you can look up the unencrypted version of a md5 encrypted pw, so called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list. so you are saying they did not use salt at 2p2?

Hmm? Liqui'dMeat was just responding to a general inquiry and said nothing at all about anything directly related to 2p2.

On April 28 2012 14:51 taco wrote: Show nested quote + On April 28 2012 13:28 Highcard wrote:   On April 28 2012 03:29 Liquid`Meat wrote:   On April 28 2012 03:05 capaneo wrote: How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs. Can someone who is a more computer savy confirm this one way or the other? There are huge lists available in which you can look up the unencrypted version of a md5 encrypted pw, so called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list. so you are saying they did not use salt at 2p2? Hmm? Liqui'dMeat was just responding to a general inquiry and said nothing at all about anything directly related to 2p2.

Exactly, I have no idea if they did use a proper salt. All I know is that it should not be possible to decrypt a md5 hash so 'decryption' is usually done by looking up the hash in a database.

No. MD5 is not encryption (though it may be used as part of some encryption algorithms), it is a one way hash function. Much of the original data is actually "lost" as part of the transformation. Think about this: An MD5 is always 128 bits long. That means that there are 2128 possible MD5 hashes. That is a reasonably large number, and yet it is most definitely finite. And yet, there are an infinite number of possible inputs to a given hash function (and most of them contain more than 128 bits, or a measly 16 bytes). So there are actually an infinite number of possibilities for data that would hash to the same value. The thing that makes hashes interesting is that it is incredibly difficult to find two pieces of data that hash to the same value, and the chances of it happening by accident are almost 0. A simple example for a (very insecure) hash function (and this illustrates the general idea of it being one-way) would be to take all of the bits of a piece of data, and treat it as a large number. Next, perform integer division using some large (probably prime) number n and take the remainder (see: Modulus). You will be left with some number between 0 and n. If you were to perform the same calculation again (any time, on any computer, anywhere), using the exact same string, it will come up with the same value. And yet, there is no way to find out what the original value was, since there are an infinite number of numbers that have that exact remainder, when divided by n. That said, MD5 has been found to have some weaknesses, such that with some complex mathematics, it may be possible to find a collision without trying out 2128 possible input strings. And the fact that most passwords are short, and people often use common values (like "password" or "secret") means that in some cases, you can make a reasonably good guess at someone's password by Googling for the hash or using a Rainbow table. That is one reason why you should always "salt" hashed passwords, so that two identical values, when hashed, will not hash to the same value. Once a piece of data has been run through a hash function, there is no going back.

On NoahSD's blog he said the salts used had been compromised as well o.o

The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

On April 28 2012 03:29 Liquid`Meat wrote: Show nested quote + On April 28 2012 03:05 capaneo wrote: How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs. Can someone who is a more computer savy confirm this one way or the other? There are huge lists available in which you can look up the unencrypted version of a md5 encrypted pw, so called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list.

thanks meat, that was very informative.

On April 29 2012 09:31 TianYuan wrote: On NoahSD's blog he said the salts used had been compromised as well o.o Show nested quote + The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

Wait a minute, the salt adds a bit of complexity to the password, "a bit more" than what the original password was.

The attack would involve Rainbow Tables, where you run all the common passwords through the hash function and compare the results with the hashes you stole. So all common ones are revealed. The salt makes the problem more difficult, since you would need a much larger rainbow table for all the password with all the salts. In a way all passwords become unique, and more difficult than what the account owner intended.

The only way salts are compromised is if they are reused for multiple accounts, having them in the same file with the hashed passwords is OK.

On April 29 2012 09:31 TianYuan wrote: On NoahSD's blog he said the salts used had been compromised as well o.o Show nested quote + The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

Hmm that sucks, the traditional tables are still useless but then they can create a custom rainbow table for 2+2 much easier.

it looks like the hacker broke 2+2's will to live, gone forever RIP

Why scare me like that o.o

Update May 1st After closer inspection, it’s now clear to us that the 2 + 2 Forums are more likely to come back to life next week rather than this week even though at this point in time we cannot give a definite date, and all efforts are being made to shorten the amount of downtime as much as possible. Mason will be on the next episode of the PokerCast (being recorded tonight) discussing this, and our May 2+2 Internet Magazine should be up before the weekend.

Does not sound like "gone forever".

I really, really wish I remembered what I had made my password for the site so I know if I should be worried --- already changed a few important ones just because, well, no reason not to. Pretty sure I had it set to a useless 2p2 only password tho.

nah gone forever 93% sure

2p2 might've been stupid enough to "give away" their hosting account details. i feel that is what happened due to the length of downtime. who the hell has a giant ass site and lets it go offline for days if they properly backed shit up.

On May 02 2012 22:49 intown wrote: 2p2 might've been stupid enough to "give away" their hosting account details. i feel that is what happened due to the length of downtime. who the hell has a giant ass site and lets it go offline for days if they properly backed shit up.

I thought the issue was security -.-

Probably is but still it's not hard to isolate and plug the problem once you're offline. Unless if the database was fucked up bad.

fwiw even if the site in question takes into account the most recent standards of securing passwords (2+2 didn't because vbulletin is pure shit software), that's still not even close to a guarantee that the attacker can't reveal your passwords. there's just too much computing power available these days. for all of you who use online banking, and poker sites with lots of money, use long mother fucking passwords, make them unique per-site, and if you have the option of using a physical authenticator, GET IT.

This is causing me quite a bit of consternation since my own income has been directly impacted by this downtime

2+2 was to easy to hack, they should rebrand it to:



this should do it

On May 08 2012 17:51 Roald wrote: This is causing me quite a bit of consternation since my own income has been directly impacted by this downtime

increase search engine rank ?_?

so is 2+2 finished? is anything being done

merge this with FTP threads more like

2p2 is back...thank god

i have 3 accounts for 2p2 and no longer have the e-mail addresses to any of them LOL gg

ITs back? wtf fucking slowfags

how long should i wait for pass email?