TianYuan   Korea (South). Apr 29 2012 10:31. Posts 6817
On NoahSD's blog he said the salts used had been compromised as well o.o
The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

capaneo   Canada. Apr 29 2012 22:05. Posts 8465
On April 28 2012 03:29 Liquid`Meat wrote:
On April 28 2012 03:05 capaneo wrote:
How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2, of all places, decrypt that? I think that part is just bs.
Can someone who is more computer savvy confirm this one way or the other?
There are huge lists available in which you can look up the unencrypted version of an md5 encrypted pw, so-called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list.

thanks meat, that was very informative.
In US everyone is happy as long as all the prices are rising. Unless its crude oil - Marc Faber

50bani   Romania. Apr 30 2012 03:37. Posts 4
On April 29 2012 09:31 TianYuan wrote:
On NoahSD's blog he said the salts used had been compromised as well o.o
The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

Wait a minute, the salt adds a bit of complexity to the password, "a bit more" than what the original password was.
The attack would involve Rainbow Tables, where you run all the common passwords through the hash function and compare the results with the hashes you stole. So all common ones are revealed. The salt makes the problem more difficult, since you would need a much larger rainbow table for all the passwords with all the salts. In a way all passwords become unique, and more difficult than what the account owner intended.
The only way salts are compromised is if they are reused for multiple accounts; having them in the same file with the hashed passwords is OK.

Meat   . Apr 30 2012 04:06. Posts 3386
On April 29 2012 09:31 TianYuan wrote:
On NoahSD's blog he said the salts used had been compromised as well o.o
The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

Hmm that sucks, the traditional tables are still useless but then they can create a custom rainbow table for 2+2 much easier.

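The three posts above (Meat's explanation of rainbow tables and salts, 50bani's point that salts stored next to the hashes are fine as long as they are not reused, and Meat's follow-up that leaked salts let the attacker build a custom per-site table) can be checked with a small script. This is an added example, not code from the thread, from NoahSD's blog or from vBulletin. It assumes md5(salt + password) as the salted scheme, which is the construction Meat describes and is not claimed to be vBulletin's actual formula; the wordlist and the three accounts are constructed for the example. It shows four things: unsalted md5 hashes fall to a precomputed lookup with no hashing at attack time; a salted hash of the same common password is absent from that table; when the salts leak with the database, a weak password still falls to a dictionary pass, but the attacker pays one full pass per distinct salt; and a salt shared across accounts collapses that cost back to a single pass.

```python
import hashlib
import os

# Constructed wordlist for this example; a real attacker uses millions of leaked passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "mypw", "poker123", "dragon", "monkey"]

# Constructed accounts: two common passwords and one long passphrase.
ACCOUNTS = [("alice", "mypw"), ("bob", "poker123"),
            ("carol", "correct horse battery staple")]


def md5_hex(data: str) -> str:
    """Plain MD5, the fast hash the thread says vBulletin used by default."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute md5(word) -> word. A real rainbow table stores chains instead of
    every pair to save space, but the attacker's cost at attack time is the same:
    one lookup per stolen hash, no hashing at all."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(stolen_hashes, table):
    """Return {hash: password} for every stolen unsalted hash found in the table."""
    return {h: table[h] for h in stolen_hashes if h in table}


def hash_with_salt(password: str, salt: str) -> str:
    """md5(salt + password), the scheme Meat describes. Assumed illustration,
    not vBulletin's actual formula."""
    return md5_hex(salt + password)


def make_records(accounts, shared_salt=None):
    """Constructed 'stolen database' rows: (username, salt, md5(salt + password)).
    shared_salt=None gives each user a random salt; a string makes all users share it."""
    rows = []
    for user, pw in accounts:
        salt = shared_salt if shared_salt is not None else os.urandom(9).hex()
        rows.append((user, salt, hash_with_salt(pw, salt)))
    return rows


def crack_salted(records, words):
    """Attacker holds both hashes and salts, as in the 2+2 dump. Precomputed tables
    are useless, so the wordlist is run once per distinct salt.
    Returns (cracked {user: password}, number of hashes computed)."""
    by_salt = {}
    for user, salt, h in records:
        by_salt.setdefault(salt, []).append((user, h))
    cracked, work = {}, 0
    for salt, users in by_salt.items():
        for w in words:
            work += 1
            candidate = hash_with_salt(w, salt)
            for user, h in users:
                if candidate == h:
                    cracked[user] = w
    return cracked, work


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # 1. Unsalted hashes fall to the precomputed table with no work at attack time.
    stolen = [md5_hex(pw) for _, pw in ACCOUNTS]
    print("unsalted, table lookup:", crack_unsalted(stolen, table))

    # 2. The salted hash of the same common password is not in the table.
    salted = hash_with_salt("mypw", "1a2a3a4a5a6a7a8a9a")
    print("salted hash found in table:", salted in table)

    # 3. Leaked per-user salts: weak passwords still fall, but the attacker pays
    #    one full wordlist pass per user; carol's long passphrase survives.
    cracked, work = crack_salted(make_records(ACCOUNTS), COMMON_PASSWORDS)
    print("per-user salts:", cracked, "hashes computed:", work)

    # 4. A salt reused across accounts collapses that cost back to a single pass.
    cracked, work = crack_salted(make_records(ACCOUNTS, shared_salt="2p2"), COMMON_PASSWORDS)
    print("shared salt:   ", cracked, "hashes computed:", work)


if __name__ == "__main__":
    demo()
```

Run it directly to see all four cases printed. The point of the third case is the one the thread circles around: a leaked salt does not give the attacker the password, it only removes the precomputation shortcut, and with a fast hash like md5 recomputing a wordlist per user is cheap.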
bigredhoss   Cook Islands. May 01 2012 15:13. Posts 8649
it looks like the hacker broke 2+2's will to live, gone forever RIP

TianYuan   Korea (South). May 02 2012 08:58. Posts 6817
Why scare me like that o.o
Update May 1st
After closer inspection, it’s now clear to us that the 2 + 2 Forums are more likely to come back to life next week rather than this week even though at this point in time we cannot give a definite date, and all efforts are being made to shorten the amount of downtime as much as possible. Mason will be on the next episode of the PokerCast (being recorded tonight) discussing this, and our May 2+2 Internet Magazine should be up before the weekend.

Does not sound like "gone forever".
I really, really wish I remembered what I had made my password for the site so I know if I should be worried --- already changed a few important ones just because, well, no reason not to. Pretty sure I had it set to a useless 2p2 only password tho.
Hm.. Off-suite socks.. | Last edit: 02/05/2012 08:59

bigredhoss   Cook Islands. May 02 2012 23:00. Posts 8649
nah gone forever 93% sure

intown   Belgium. May 02 2012 23:49. Posts 121
2p2 might've been stupid enough to "give away" their hosting account details. i feel that is what happened due to the length of downtime. who the hell has a giant ass site and lets it go offline for days if they properly backed shit up.

TianYuan   Korea (South). May 03 2012 00:27. Posts 6817
On May 02 2012 22:49 intown wrote:
2p2 might've been stupid enough to "give away" their hosting account details. i feel that is what happened due to the length of downtime. who the hell has a giant ass site and lets it go offline for days if they properly backed shit up.
I thought the issue was security -.-

intown   Belgium. May 03 2012 03:45. Posts 121
Probably is but still it's not hard to isolate and plug the problem once you're offline. Unless the database was fucked up bad.

Skew   United States. May 07 2012 15:46. Posts 62
fwiw even if the site in question takes into account the most recent standards of securing passwords (2+2 didn't because vbulletin is pure shit software), that's still not even close to a guarantee that the attacker can't reveal your passwords. there's just too much computing power available these days. for all of you who use online banking, and poker sites with lots of money, use long mother fucking passwords, make them unique per-site, and if you have the option of using a physical authenticator, GET IT.

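Skew's argument above, that a slow modern password hash raises the attacker's cost but does not rescue a short password, can be put in numbers. This is an added example, not code from the thread or from any site mentioned in it. It assumes PBKDF2-HMAC-SHA256 with 100,000 iterations as a stand-in for "the most recent standards" (any work-factor hash such as bcrypt or scrypt makes the same point), times one candidate guess against salted md5 and against PBKDF2 on the local CPU, and then scales that single-core cost to the full keyspace of a few password shapes. The salt, iteration count and password shapes are constructed for the example.

```python
import hashlib
import os
import time

# Constructed parameters for this example.
SALT = os.urandom(16)           # per-user in a real system; one is enough to time a guess
PBKDF2_ITERATIONS = 100_000     # work factor; tune so one check costs tens of milliseconds


def md5_guess(password: bytes) -> bytes:
    """One candidate check against a salted MD5 hash: microseconds on a CPU."""
    return hashlib.md5(SALT + password).digest()


def pbkdf2_guess(password: bytes) -> bytes:
    """One candidate check against PBKDF2-HMAC-SHA256: deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, PBKDF2_ITERATIONS)


def seconds_per_guess(check, samples: int = 20) -> float:
    """Wall-clock cost of one candidate on this machine (single core, pure CPU)."""
    start = time.perf_counter()
    for i in range(samples):
        check(b"candidate-%d" % i)
    return (time.perf_counter() - start) / samples


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, sec_per_guess: float,
                     parallelism: int = 1) -> float:
    """Worst-case years to try every password of this shape with `parallelism`
    guessers as fast as this CPU. Real attackers use GPU or ASIC rigs that run
    md5 orders of magnitude faster than Python on one core, so treat the
    single-core number as a floor, not an estimate."""
    return keyspace(alphabet_size, length) * sec_per_guess / parallelism / (365 * 24 * 3600)


def report():
    md5_cost = seconds_per_guess(md5_guess)
    kdf_cost = seconds_per_guess(pbkdf2_guess)
    print(f"md5: {md5_cost:.2e} s/guess, pbkdf2: {kdf_cost:.2e} s/guess, "
          f"slowdown x{kdf_cost / md5_cost:.0f}")
    shapes = [("8 lowercase", 26, 8), ("8 mixed+digits", 62, 8), ("16 lowercase", 26, 16)]
    for label, alphabet, length in shapes:
        print(f"{label:>15}: md5 {years_to_exhaust(alphabet, length, md5_cost):.2e} y, "
              f"pbkdf2 {years_to_exhaust(alphabet, length, kdf_cost):.2e} y, "
              f"pbkdf2 on a x1000 rig {years_to_exhaust(alphabet, length, kdf_cost, 1000):.2e} y")


if __name__ == "__main__":
    report()
```

The output shows the two levers separately: the work-factor hash multiplies every guess by a constant (typically tens of thousands on a CPU), while each extra character multiplies the keyspace by the alphabet size, so doubling the length buys far more than any realistic iteration count. A dictionary attack on a reused password skips the keyspace entirely, which is why the unique-per-site advice matters as much as the length.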
Roald   Tuvalu. May 08 2012 18:51. Posts 2683
This is causing me quite a bit of consternation since my own income has been directly impacted by this downtime
drugs, animals, children are welcome -Xavier

2+2 was too easy to hack, they should rebrand it to:

this should do it

2c0ntent   Egypt. May 08 2012 21:45. Posts 1387
On May 08 2012 17:51 Roald wrote:
This is causing me quite a bit of consternation since my own income has been directly impacted by this downtime
increase search engine rank ?_?

TalentedTom   Canada. May 09 2012 15:33. Posts 20070
so is 2+2 finished? is anything being done
Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our light not our darkness that most frightens us and as we let our own lights shine we unconsciously give other people permission to do the same

intown   Belgium. May 09 2012 15:39. Posts 121
merge this with FTP threads more like

TheTrees   United States. May 12 2012 00:04. Posts 1592

bigredhoss   Cook Islands. May 12 2012 00:38. Posts 8649
i have 3 accounts for 2p2 and no longer have the e-mail addresses to any of them LOL gg

Mortensen8   Chad. May 12 2012 00:54. Posts 1846
It's back? wtf fucking slowfags

dogmeat   Czech Republic. May 12 2012 09:35. Posts 6374
how long should i wait for pass email?