In August 2021 we received a message on Telegram from a hacker, who showed us proof that he could gain access to the user table of, and had downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to the public and promised to delete the data. We reluctantly agreed, because it was not a small amount of money. He explained to us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low-security password of a SuperAdmin and gained access to an unsecured script which was available only to SuperAdmins. This script allowed him to perform SQL injections and extract the data. He promised the data would be erased and that he would help us secure the site after the payment. He gained access to all users' data - email, username, password.

The site was created in 2006 with little knowledge of security, so passwords were stored as md5() hashes without salt. This means that if you used a strong password (let's say at least 10 characters with lowercase, uppercase, numbers and special characters) you should be safe, but short, easy passwords, especially ones found in the English dictionary, can rather easily be extracted from these data. Most users didn't use such strong passwords, which means the hacker can get access to user accounts. So he can download subtitles and so on; he didn't gain access to any credit card data or similar - these are stored outside of our platform.

If you used the password somewhere else, change it as well; this is especially important for email and for services where you have any payments or personal details. Change both the site and forum password (we are requesting this).

It is kind of amazing that the site was hacked only now, after 15 years - so the hacker must have spent quite a lot of time and energy on it.

First of all, if a site is hacked, there should be minimal talk with the hacker: if he promises something, in reality it means nothing, as we learned the hard way. We should have spent more energy on securing the site and kicked out the old unsalted md5() passwords a long time ago. The site SHOULD be more secure now: we improved the way users connect to the site, accounts will be locked after a number of unsuccessful logins, we introduced a new password policy, we removed session info from the table, IP addresses should not be spoofable anymore, there are captchas on login, registration and password reset, CSRF protection on forms, requests will be cancelled if admins change their IP during a session, user passwords are saved in a safe form using hash_hmac with the sha256 algorithm plus salt and pepper, and all md5() passwords are deleted.

For IT geeks - yes, we are using password_hash() with BCRYPT on a peppered sha256 hash of the password, and password_verify() for verification.

Note that our new site, was built with stronger security concerns, and already included all the points described above. Accept our humble apologies; as you can see, a hack can occur at any moment and there is not much you can do - even paying a ransom doesn't guarantee your safety.

Please don't use the same passwords across different projects - that's the biggest possible mistake you can make.

If you didn't change your password yet, please do it now, and use a different password than before: Reset password on (please make sure you insert your valid email; you will receive an email with a confirmation link, which you need to click on. Then you can use the new temporary password which is in the same email.)

If you are not using a password manager, it can be a good time to consider one: they'll help you switch to long and complex passwords, notify you of security issues, manage 2FA, and give you access to your passwords from all your devices while you only need to remember one master password (or have it linked with your fingerprint or similar).
List of best password managers

We are in contact with Troy Hunt; if you are not using the HaveIBeenPwned service, it is about time.

We will become members of HackTrophy to avoid similar attacks in the future; it is better to deal with white-hat hackers.

This post will be updated over time to add some important information.

When updating your password, please wait for the email and don't request another one, otherwise it can create problems - we are using ONE confirmation string per user, so if you create a second request for a password change and then receive the email from the first request, you will get an error.
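The storage scheme the "For IT geeks" paragraph describes, written out as an added PHP example (not the site's own code): HMAC-SHA256 under a server-side pepper, then password_hash() with BCRYPT and password_verify() to check. It assumes the pepper is provisioned in a PASSWORD_PEPPER environment variable; the bcrypt cost of 12 and the function names are my choices.

```php
<?php
// Added example, not the site's own code: peppered bcrypt password storage
// as described in the post (HMAC-SHA256 under a server-side pepper, then
// password_hash() with BCRYPT, password_verify() to check).
declare(strict_types=1);
const BCRYPT_OPTIONS = ['cost' => 12]; // raise over time as hardware gets faster

// Assumption: the pepper lives in an environment variable, never in the DB,
// so a SQL dump alone is not enough to start cracking the hashes offline.
function pepper(): string
{
    $pepper = getenv('PASSWORD_PEPPER');
    if ($pepper === false || strlen($pepper) < 32) {
        throw new RuntimeException('PASSWORD_PEPPER is missing or too short');
    }
    return $pepper;
}

// Pre-hash with HMAC-SHA256. Hex output is 64 bytes: under bcrypt's 72-byte
// input limit and free of NUL bytes, which bcrypt would truncate on.
function prehash(string $password): string
{
    return hash_hmac('sha256', $password, pepper());
}

// password_hash() draws a random per-password salt and stores it, the
// algorithm and the cost inside the returned string.
function hashPassword(string $password): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}
function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify(prehash($password), $storedHash);
}

// Call after a successful login: returns a new hash to persist when the
// stored one was made with a lower cost (or another algorithm), else null.
function rehashIfNeeded(string $password, string $storedHash): ?string
{
    if (!password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        return null;
    }
    return hashPassword($password);
}
// Demo with a constructed pepper and password (placeholder values).
putenv('PASSWORD_PEPPER=' . bin2hex(random_bytes(32)));
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));
```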