FYI: Planet Calypso forum Data Breach

Status
Not open for further replies.

AkiranBlade

Slayer
Joined
Nov 9, 2005
Posts
9,392
Location
UK
Society
Shaolin
Avatar Name
Akira AkiranBlade Kurusowa
Hi all,

Just been notified by "Have I been pwned" that this site has suffered a data breach.

Has the breach been sealed before I go about changing my password?
 

Luu

Prowler
Joined
Sep 13, 2005
Posts
1,135
Location
England
Society
Freelancer
Avatar Name
Mighty Luu Buu
I received this email too
 

Killahbee

Elite
Joined
Aug 30, 2005
Posts
4,861
Location
The Netherlands
Society
Silly Underground Family
Avatar Name
Killahbee Killer Bee Killahbee
Where do you sign up for this to get a notification? :eek:
 

Jas

Alpha
Joined
Nov 28, 2006
Posts
678
Society
Shaolin
Avatar Name
Jar Jasis Sismondi
Firefox just informed me of the same breach including password having been breached.

More concerning, according to Firefox the breach date was 1 July 2019.

Why was this breach not notified earlier?
 

mastermesh

Mutated
Joined
Apr 21, 2007
Posts
15,184
Location
Billy Bar
Society
the Ministry
Avatar Name
Maria Mesh
Yes, why wasn't the community let know? They should have at least sent out a notice to change passwords or something as it states that passwords were included.
 

Mac Farmer

Old Alpha
Joined
Apr 19, 2015
Posts
852
It's a Chrome problem I think. Got it today on the biggest site I use in my country and only on Chrome :)
 

Jan Universe

Alpha
Joined
May 15, 2009
Posts
694
Location
Green Corner
Society
Freelancer
Avatar Name
Jan Candydog NL Universe
Password changed, catastrophe avoided, for now. :rolleyes:
 

Taldur

Provider
Joined
Jan 28, 2018
Posts
128
Code:
Planet Calypso: In approximately July 2019, the forums for the Planet Calypso game suffered a data breach. The breach of the vBulletin based forum exposed email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Compromised data: Email addresses, IP addresses, Passwords, Usernames
At least it is "just" salted hashes of names and passwords
 

chronos

Old Alpha
Joined
Apr 14, 2006
Posts
885
Location
Sweden
Society
Project-Asylum Corp
Avatar Name
Stig Chronos Brannlund
Me too, seems there were 62 261 accounts that got breached.
Why no information to us? Or wasn't it known to the owners of PCF?
 

Jan Universe

Alpha
Joined
May 15, 2009
Posts
694
Location
Green Corner
Society
Freelancer
Avatar Name
Jan Candydog NL Universe
I'll do this when we know the breach has been sealed.
It was done in a reflex.
I will change again at that point.
Thanks for pointing that out.
 

Luu

Prowler
Joined
Sep 13, 2005
Posts
1,135
Location
England
Society
Freelancer
Avatar Name
Mighty Luu Buu
Hopefully we will get an official statement.
 

trance

Elite
Joined
Mar 31, 2006
Posts
4,283
Location
Old Switzerland
Society
Natural Born Killers
Avatar Name
hypnotica TRANCE blain
I got this message from Firefox Monitor:

Planet Calypso
Breach added:
12 January 2020
 

Max Hec

Dominant
Joined
Jun 25, 2016
Posts
360
Avatar Name
Max Hec Walker
Passwords kept as salted hashes is the correct and secure way of storing them.

However over the past decade MD5 is proven to have a number of weaknesses.
Thankfully most MD5 attacks take time and computational power if everything else is done right.
Ideally MA/EU upgrades to something more secure like SHA-2 or SHA-3 hash function in the near future.


BUT, MA/EU should never publicly discuss or disclose their technical side of these things.

However, MA/EU should always disclose when there's been a data breach that includes names, emails, etc.
Also when their security breach was sealed.
 

kingofaces

Alpha
Joined
Jun 9, 2013
Posts
693
Location
US
Avatar Name
Tony KingofAces Hans
One thing I've noticed is that forums tend to be targets (or at least show up in breaches) often. One can talk about having separate passwords for every single site, but forums are the one area I always make sure to give priority to not using one similar to other sites or game logins because of that.
 

The Stare

Provider
Joined
May 17, 2016
Posts
147
Location
Deathplace of Bausch & Lomb, Kodak, Xerox
Society
Spectra
Avatar Name
Hellbound Happy Heathcliff
I was notified by Firefox via email and changed my password. I'll change it again when it seems appropriate to do so. This isn't the first data breach my information has been compromised in and I highly doubt it will be the last.
 

AkiranBlade

Slayer
Joined
Nov 9, 2005
Posts
9,392
Location
UK
Society
Shaolin
Avatar Name
Akira AkiranBlade Kurusowa
I think it's concerning there's been no notification from officials to say this is either under investigation or that the breach has been found and/or sealed.
 

trance

Elite
Joined
Mar 31, 2006
Posts
4,283
Location
Old Switzerland
Society
Natural Born Killers
Avatar Name
hypnotica TRANCE blain
It should give 10 years of prison for illegal hackers. Also email spamming should give 2 - 5 years.
 

Naverith

Stalker
Joined
Sep 22, 2006
Posts
2,389
Location
Idaho, US
Society
Freelancer
Avatar Name
Acoomba Naverith Rafael
110 grains of lead travelling 800 feet per second, applied to the frontal lobe of the suspect.

If not allowed, then a #10 boot thrust squarely into the anal sphincter of said suspect. Daily.

After spending 10 years "married" to my Mother (thanks to a hacker), I have 0% humor for their antics.

I guess you had to be there.
 

Ludvig|MindArk

MindArk Official
Staff member
MindArk Official
Moderator
Joined
Feb 10, 2006
Posts
15,555
Location
Sweden
Avatar Name
Formerly "Foeburner Nighthawk Delta"
I have looked into the matter and been told that there is nothing to worry about.
 

Jas

Alpha
Joined
Nov 28, 2006
Posts
678
Society
Shaolin
Avatar Name
Jar Jasis Sismondi
> I have looked into the matter and been told that there is nothing to worry about.

When Firefox reports a breach, I expect a bit more from the provider that has apparently been breached than "There's nothing to worry about". Some details? What was breached, why and how was it resolved? Credibility and Trust?
 

Bones

Elite
Joined
Sep 17, 2006
Posts
3,030
Location
In the Refrigerator, Behind the Mayonnaise, Next t
Society
Skillin Villains
Avatar Name
Bare BareBones Bones
> 110 grains of lead travelling 800 feet per second, applied to the frontal lobe of the suspect.
>
> If not allowed, then a #10 boot thrust squarely into the anal sphincter of said suspect. Daily.
>
> After spending 10 years "married" to my Mother (thanks to a hacker), I have 0% humor for their antics.
>
> I guess you had to be there.

You were spoofed into marrying your mother? awkward
 

Post_History

Prowler
Joined
Jul 26, 2007
Posts
1,219
Location
Western Australia
Society
Space Police
Avatar Name
PostHistory PostHistory Hax
> When Firefox reports a breach, I expect a bit more from the provider that has apparently been breached than "There's nothing to worry about". Some details? What was breached, why and how was it resolved? Credibility and Trust?

Yes MA/PCF

You should be required to disclose when you became aware of the breach, the breach location and also advise that the breach has been fixed... if this isn't done how are we to know when and what passwords / emails have been breached.....

Not good enough to say what you have said at this point!

Not happy...
 

wizz

Elite
Joined
May 29, 2005
Posts
3,814
Location
Brabant
Society
The Ministry
Avatar Name
Wizzina Wizz Pale Moon
> I have looked into the matter and been told that there is nothing to worry about.

"I have looked" ..."and been told"

So, you looked into it, and somebody else told you to not worry about it. :scratch2:
Who told you that?
The toilet lady?
 

Photon

Elite
Joined
Feb 1, 2006
Posts
2,963
Location
London
Society
Shaolin
Avatar Name
Photonic Edge
PCF holds Personally Identifiable Information (PII) about its participants and thus comes under the EU GDPR rules. This is a GDPR breach and should be reported as such. If MA have evidence that tells them that no breach has occurred then they have nothing to worry about, but in the meantime there should be an investigation to understand what has happened here.
 

wizz

Elite
Joined
May 29, 2005
Posts
3,814
Location
Brabant
Society
The Ministry
Avatar Name
Wizzina Wizz Pale Moon
> PCF holds Personally Identifiable Information (PII) about its participants and thus comes under the EU GDPR rules. This is a GDPR breach and should be reported as such. If MA have evidence that tells them that no breach has occurred then they have nothing to worry about, but in the meantime there should be an investigation to understand what has happened here.

MA does not say no breach has occurred.
MA says we just should not worry about the breach that DID happen.
Well, at least, that's what somebody told them, that we should not worry about it.

So, nothing to see here, move along.
 

711

Site Admin
Admin
Joined
Aug 31, 2006
Posts
5,282
This issue is being investigated.

As explained by others in this thread, user passwords are not actually stored in the forum database (or anywhere else). Thus, no actual passwords were compromised, only the salted hashes of those passwords.

In any case, as a precaution, it is recommended that all PCF members change their account password as soon as possible, and be sure that it is a unique password not used for any other websites or services (i.e. Entropia Universe).

PCF was moved to a new, more secure server a couple of months ago, so similar attacks are unlikely.
 

Detritus

Sel-requested Deactivation
Joined
Sep 25, 2016
Posts
1,084
Avatar Name
Detritus the Troll
> Passwords kept as salted hashes is the correct and secure way of storing them.
>
> However over the past decade MD5 is proven to have a number of weaknesses.
> Thankfully most MD5 attacks take time and computational power if everything else is done right.
> Ideally MA/EU upgrades to something more secure like SHA-2 or SHA-3 hash function in the near future.

WOW what?! I didn't even notice that in the statement. MD5 has been shown to be cryptographically unsuitable for password hashing since the early/mid 90's. It's really shocking to find out they are still using it. For the past 30 years it's only been useful for calculating checksums.

And no, MD5 attacks don't take any time, you can brute force a 10-char pw on a modern cell phone processor in like 30 mins.

BTW, SHA is designed for speed, and should never be used for pw hashing. Go with PBKDF2 or bcrypt.


wtf MA
 
Last edited:
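
An added example, not part of any post in this thread and not the forum's own code: moving stored credentials from salted MD5 to PBKDF2 (the function recommended in the post above) by re-hashing at the next successful login. The legacy format `md5(md5(password) + salt)`, the record fields and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_md5_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: hex md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_record(password: str) -> dict:
    """Build a new record with a fresh random salt and a slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record_to_store).

    A legacy record that verifies is replaced by a PBKDF2 record, because
    login is the only moment the server holds the plaintext password.
    """
    if record["scheme"] == "md5-salted":
        candidate = legacy_md5_hash(password, record["salt"])
        if not hmac.compare_digest(candidate, record["hash"]):
            return False, record
        return True, pbkdf2_record(password)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"]), record


# Constructed sample record, not data from the breach.
SAMPLE_LEGACY = {"scheme": "md5-salted", "salt": "x7Q",
                 "hash": legacy_md5_hash("correct horse", "x7Q")}

if __name__ == "__main__":
    ok, upgraded = verify_and_upgrade(SAMPLE_LEGACY, "correct horse")
    print(ok, upgraded["scheme"], upgraded["iterations"])
```

Accounts that never log in again keep their MD5 record under this approach, so a forced password reset is still needed for them.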