FYI: Planet Calypso forum Data Breach

Status
Not open for further replies.

Saphira Lucky

Old Alpha
Joined
Jul 17, 2007
Posts
823
Location
www.ascendedgamers.se
Society
Ascended Gamers
Avatar Name
Saphira Amethyst Star
Let me ask you all this: do you have the same password on the forum and in-game? In that case I'd suggest you change it el pronto, and make it 2 different passwords.
 

San

Elite
Joined
Aug 5, 2007
Posts
2,529
Location
That freaking cold place (in RL)
Society
OldTimers
Avatar Name
Sandal San Tolk
This issue is being investigated.

As explained by others in this thread, user passwords are not actually stored in the forum database (or anywhere else). Thus, no actual passwords were compromised, only the salted hashes of those passwords.

In any case, as a precaution, it is recommended that all PCF members change their account password as soon as possible, and be sure that it is a unique password not used for any other websites or services (i.e. Entropia Universe).

PCF was moved to a new, more secure server a couple of months ago, so similar attacks are unlikely.
Thanks, but as also explained by others in this thread, you should have come out with a warning immediately. Or are you saying you were not aware of the breach?
 

Max Hec

Dominant
Joined
Jun 25, 2016
Posts
360
Avatar Name
Max Hec Walker
WOW what?! I didn't even notice that in the statement. MD5 has been shown to be cryptographically unsuitable for password hashing since the early/mid '90s. It's really shocking to find out they are still using it. For the past 30 years it's only been useful for calculating checksums.

And no, MD5 attacks don't take any time, you can brute force a 10-char pw on a modern cell phone processor in like 30 mins.

BTW, SHA is designed for speed, and should never be used for pw hashing. Go with PBKDF2 or bcrypt.


wtf MA
Hey relax and chill angry dude.
I admit leaving crypto by 2011 after the police hunt for Satoshi but charging anyone with btc purse.
Just curious how things have changed after a decade?
What's the maximum length of output that MD5 can do nowadays?
What's the maximum length of input that MD5 can use today?

Used to be something like 3dc0a1b5504a388f9ddbe63f11b0e83b
 

Detritus

Sel-requested Deactivation
Joined
Sep 25, 2016
Posts
1,084
Avatar Name
Detritus the Troll
Hey relax and chill angry dude.
I admit leaving crypto by 2011 after the police hunt for Satoshi but charging anyone with btc purse.
Just curious how things have changed after a decade?
What's the maximum length of output that MD5 can do nowadays?
What's the maximum length of input that MD5 can use today?

Wasn't meaning to sound angry, just shocked (at MA, not at you). Using MD5 for password hashing is crazy irresponsible, and this has been well known for around 25 years now.

As for your questions: MD5 always outputs 128 bits, and hashing functions don't have any maximum input.

MD5 was never used in crypto currency, btw. It's too fast and too narrow.
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
dear mindark, i know we're not best friends, but i really urge you to send a data breach notification to the Swedish Data Protection Authority, a notification email to all affected users, and also reset all PCF passwords ASAP. that's the least you can do, for your own sake ... as i can smell some complaints already!

:dunce:

edit: reported my own post, and added that it's only a suggestion :)
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
email addresses are considered personal data in the GDPR, i just checked it again. it doesn't really matter if those addresses also contain any other things like name or birth year. i guess my suggestion isn't that bad!
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
i've sent an inquiry to the austrian data protection agency, without mentioning game or developer at all.

while i did this, i've noticed that IP addresses were also included in the data breach, and actually this adds quite some more security issues for everyone here.

do i need to mention portscans, cracking and phishing attempts? attacks that target EU account holders, which visit PCF in large numbers?

:rolleyes:
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
PS: you have to notify data breaches within 72 hours in austria, that shouldn't be too different in sweden. good luck!
 

Liu

Old Alpha
Joined
Oct 26, 2006
Posts
802
Location
Paris, France
Society
Alchemic Dream
Avatar Name
Killashandra Liu Ling
PS: you have to notify data breaches within 72 hours in austria, that shouldn't be too different in sweden. good luck!
Europe means same rules everywhere, so yes, massive failure here from MA and PCF administrators.
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
Europe means same rules everywhere, so yes, massive failure here from MA and PCF administrators.
just one in a row of many, amongst others...

still, there's the other thing with laws and such nasty issues. it's not only about creative bookkeeping and a still "very profitable product". :silly2:
 

Max Hec

Dominant
Joined
Jun 25, 2016
Posts
360
Avatar Name
Max Hec Walker
Wasn't meaning to sound angry, just shocked (at MA, not at you). Using MD5 for password hashing is crazy irresponsible, and this has been well known for around 25 years now.

As for your questions: MD5 always outputs 128 bits, and hashing functions don't have any maximum input.

MD5 was never used in crypto currency, btw. It's too fast and too narrow.
Ah, it must have been your forum picture that got me thinking you're angry then, my bad. :D


Actually I didn't write MD5 had anything to do with crypto currencies.
But since you brought it up, RIPEMD-160 and SHA256 are used for bitcoin addresses.
SHA-2 is susceptible to length extension attacks and SHA256 is a weak variant of SHA-2 algorithm.
Original RIPEMD has had collision weaknesses since 1996, so not an entirely dissimilar situation to MD5.
But people still use them for the same reason as any variant of MD5, for the speed and size.

Regarding SHA-3 it has no known weaknesses unlike previous version SHA-2.
Although, heard some are still upset at how the SHA-3 competition went......
If concerned about SHA-3 (no known weaknesses), then suggest avoiding PBKDF2 which has known weaknesses.
Agree that bcrypt is a good one, but there's also Whirlpool, Blake2, and scrypt.


Anyways your reply to both MD5 lengths is correct.
In the past I found half the people will answer the input length question wrong.
And anyone can confirm that by decrypting my MD5 example in previous post.
Don't worry no salt added, just use one of the oldest crypto tricks in the book.

Have fun.
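Since the quoted exchange (MD5's fixed 128-bit output, unsalted MD5 being "decryptable", and the recommendation to use a slow, salted hash such as PBKDF2 or bcrypt) is spread across two posts, here is one added example that is not part of the thread: it shows the fixed MD5 digest length for any input size, why an unsalted fast hash lets identical passwords be looked up, and a salted PBKDF2-HMAC-SHA256 store/verify pair with constant-time comparison. The record format and iteration count are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; the record layout is
# "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" and is not PCF's format.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def md5_hex(data: bytes) -> str:
    """Unsalted MD5: always a 128-bit digest (32 hex chars), whatever the input length."""
    return hashlib.md5(data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash with a fresh random per-user salt and a deliberately slow KDF.

    The same password therefore produces a different record every time, so a
    precomputed lookup table (the trick alluded to in the thread) does not apply,
    and each guess costs the attacker `iterations` HMAC computations.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the salt and iteration count stored in the record.

    hmac.compare_digest avoids leaking how many leading bytes matched through
    timing differences; a malformed or foreign record simply fails to verify.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    print(md5_hex(b"hunter2"), md5_hex(b"hunter2"))  # identical: table lookup works
    rec = hash_password("hunter2")
    print(rec, verify_password("hunter2", rec), verify_password("hunter3", rec))
```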
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
i really wonder, does noone care about this?

72% really should, and 28% should keep it in mind and check where they maybe also used the non-salted data, or think about the strength of their passwords.

btw, did you know that you can also check your password on haveibeenpwned.com/Passwords? it's maybe a good idea to first check, and then change your password anyways.

personal suggestion: use 2FA whenever possible, and store passwords in an email draft of a free protonmail account (paid accounts well worth too!)

stay safe, or become salty. u decide! ;)
 

Liu

Old Alpha
Joined
Oct 26, 2006
Posts
802
Location
Paris, France
Society
Alchemic Dream
Avatar Name
Killashandra Liu Ling
Looks like nobody cares. This is where I am happy the email I use for this forum I use for nothing else, and the password is unique.

I thought Scandinavia was all about caring and transparency.
 
Joined
May 20, 2007
Posts
9,417
Location
England
Society
Guess Who
Avatar Name
George Ace Skywalker
People care but perhaps have little to add to the debate here
 

mg Joda VVV

Prowler
Joined
Oct 31, 2006
Posts
1,239
Avatar Name
mg Joda VVV VVV
I have looked into the matter and been told that there is nothing to worry about.
Nothing to worry about?

Fairly confident ur based in Sweden, fairly confident that EU law requires u to notify upon data breach.
Failing to comply is actually a very very costly exercise.
 

Post_History

Prowler
Joined
Jul 26, 2007
Posts
1,219
Location
Western Australia
Society
Space Police
Avatar Name
PostHistory PostHistory Hax
Funny how we have only had one comment from a MA official and nothing that is concrete in regards to what is happening....

No notification in my Email Inbox
No notification on this website
No notification that the hole has been plugged
No notification to all of us to change our passwords
No nothing...

Love your glacial speed MA
 

Geralt

Guardian
Joined
Mar 13, 2016
Posts
215
Avatar Name
tyires tyirepl tyirepl
Your personal data might have been stolen!

I know there was a question about this in section "about pc forum" but I guess people rarely go there, most of us just lurk General Discussion and the matter is serious so I believe it is worth to spread the message:

Your personal data you use here, including IP address, e-mail, e-mail password and username might have been stolen:



If you use the password or part of it and username from this forum somewhere else I urge you to immediately change your password here and on other sites.

Also, beware of phishing attempts. Someone may try to steal your sensitive information by disguising themselves as trustworthy. Watch out for suspicious e-mails!

Just for fun, I quote MA official statement on this data breach :D:D

I have looked into the matter and been told that there is nothing to worry about.
Nothing to worry about? I don't think so!

Check here if your e-mail was also breached:
https://haveibeenpwned.com/
 

Kerham

Elite
Joined
Sep 6, 2006
Posts
4,728
Location
to the moon and back
Society
Project Y
Avatar Name
Kerawan Kerham Maddahy
Without clicking the last link, it sounds glorious. Like how can it not be e-mail address stealing in itself?
 

Jhereg

Stalker
Joined
Dec 13, 2005
Posts
1,587
Society
Rangers
Avatar Name
Feng Huan SecretAznMan Zho


To be honest, this has been this way for a long time.

The forums at some point should have been updated to using appropriate encryption to secure everyone's data, but Chrome recognizes it has issues, so I've been pretty cautious about information I use on this site...

An upgrade wouldn't hurt :p
 

Westy

Stalker
Joined
Jan 18, 2006
Posts
1,792
Location
Australia
Society
Antipodean Army
Avatar Name
Buster Westy Westmoreland
Troy Hunt (creator of haveibeenpwned) is quite passionate about mandatory breach notifications. I also work in this industry and am not at all surprised at this type of response. It is quite common with organisations who do not have incident response plans. The responses are vague, denying or often understating the issue.

Bit more about Troy - https://en.wikipedia.org/wiki/Troy_Hunt

He is an excellent presenter as well. I saw him at auscert 2016 and this prezo https://youtu.be/fAdNVxZ_0nc

If you're at all interested in cyber security it's worth a look.
 

Post_History

Prowler
Joined
Jul 26, 2007
Posts
1,219
Location
Western Australia
Society
Space Police
Avatar Name
PostHistory PostHistory Hax
Troy Hunt (creator of haveibeenpwned) is quite passionate about mandatory breach notifications. I also work in this industry and am not at all surprised at this type of response. It is quite common with organisations who do not have incident response plans. The responses are vague, denying or often understating the issue.

Bit more about Troy - https://en.wikipedia.org/wiki/Troy_Hunt

He is an excellent presenter as well. I saw him at auscert 2016 and this prezo https://youtu.be/fAdNVxZ_0nc

If you're at all interested in cyber security it's worth a look.
Do you mean to say you think MA/PFC do not have a policy in regards to Data Breach?

Oh my...
I doubt they have a policy on how to engage the public or how to engage their own customers
 

Svarog

Slayer
Joined
Dec 11, 2006
Posts
9,313
Without clicking the last link, it sounds glorious. Like how can it not be e-mail address stealing in itself?
It's an honest service, even was embedded into Firefox recently. Been using it for years.
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
that ignorance and lack of communication still pisses me off the most. this looks like nothing but zero intention to fix MA/PCF's reputation or security, or at least inform everyone properly.

it makes me really wonder how data protection agencies wanna enforce breach notifications within 72 hours, when one often can't even get a proper answer from certain companies in weeks, months, or even years.

oh, now i remember, it was today in the news - companies were fined over 114 million euros already since GDPR became applicable law in europe.

:laugh:
 

711

Site Admin
Admin
Joined
Aug 31, 2006
Posts
5,284
HTTPS has now been enabled site-wide on PlanetCalypsoForum.com. While the use of HTTPS would not have prevented the database breach that is referenced in this thread, it is still an extra layer of protection for PCF members which may prevent certain types of malicious attacks.

Note that on some pages (mainly thread discussions where user signatures are displayed) your browser may indicate that some of the content being served is not secure; this is caused by non-HTTPS signature images hosted on other servers (i.e. EntropiaLife).
 

711

Site Admin
Admin
Joined
Aug 31, 2006
Posts
5,284
As a security precaution, all members (who have not changed their password within the last 7 days) will be prompted to change their password upon their next visit to PCF.

It is strongly recommended to use a unique password that is at least 8 characters in length, difficult to guess, and that is not used for any other websites or services (i.e. Entropia Universe).

Apologies for the inconvenience.
 

Sub-Zero

Elite
Joined
Aug 7, 2007
Posts
3,105
Location
Sweden
Society
Guess Who
Avatar Name
Sub-Zero The Killer
[...]

Apologies for the inconvenience.
711, you don't need to apologize for making this forum more secure. We welcome it. Thank you!

Edit: I have checked on that site if I have been pwned. To my surprise, several ancient emails I stopped using a long time ago, and also the email address that I used on this forum was breached.

Then I was reading some of my recent emails.


I know you guys want me to go playing again. But this is a very unwise thing to do. For security reasons. Since all email addresses appear to have been breached on this forum. If you used the same email address here on the forum that you also use on Entropia Universe, if that password to your email was used elsewhere that was breached, or the password for it was brute-forced or easy to guess.

You could get your account potentially hacked on Entropia Universe.

I would like if MA didn't say my username in my email address, for whatever reason.

Needless to say, I have changed the passwords for all my emails I ever used now, and I'm gonna be extra careful from now on.
 

mspatterson

Old Alpha
Joined
Sep 26, 2015
Posts
806
Location
SPACE
Society
Odysseus Unbound
Avatar Name
Count Sinner Gism
I wonder how many eu acct were hacked from this cuz so many use same password. this is the one time in decades I feel good about having a special forum password separate from anything important.. yay it came in handy finally =p
 

TSCRYPTO

Stalker
Joined
Nov 28, 2005
Posts
1,593
Location
A stone's throw away from Antarctica
Society
Shaolin
Avatar Name
TS TSEC CRYPTO
SSL, finally :)
Thank you.
 