FYI: Planet Calypso forum Data Breach

Let me ask you all this: do you have the same password on the forum and in-game? In that case I'd suggest you change it el pronto, and make it 2 different passwords.
 
This issue is being investigated.

As explained by others in this thread, user passwords are not actually stored in the forum database (or anywhere else). Thus, no actual passwords were compromised, only the salted hashes of those passwords.

In any case, as a precaution, it is recommended that all PCF members change their account password as soon as possible, and be sure that it is a unique password not used for any other websites or services (e.g. Entropia Universe).

PCF was moved to a new, more secure server a couple of months ago, so similar attacks are unlikely.

Thanks, but as also explained by others in this thread, you should have come out with a warning immediately. Or are you saying you were not aware of the breach?
 
WOW what?! I didn't even notice that in the statement. MD5 has been shown to be cryptographically unsuitable for password hashing since the early/mid 90's. It's really shocking to find out they are still using it. For the past 30 years it's only been useful for calculating checksums.

And no, MD5 attacks don't take any time, you can brute force a 10-char pw on a modern cell phone processor in like 30 mins.

BTW, SHA is designed for speed, and should never be used for pw hashing. Go with PBKDF2 or bcrypt.
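As an added illustration of the point above (not code from the forum or from MindArk), here is what the difference looks like in practice: an unsalted MD5 store gives every user who picked the same password the same hash, while a PBKDF2-HMAC-SHA256 record with a per-user random salt does not, and verifying it costs the attacker hundreds of thousands of iterations per guess. The record format and the sample users are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: two members who happened to choose the same weak password.
USERS = {"alice": "hunter22!", "bob": "hunter22!"}


def md5_unsalted(password: str) -> str:
    """What a legacy forum does: one deterministic, fast hash per password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, iterations: int = 600_000) -> str:
    """Store a per-user random 16-byte salt plus a PBKDF2-HMAC-SHA256 digest.

    Record layout is an assumption for this example:
    pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many bytes matched through timing
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(users: dict) -> dict:
    """Show the properties a defender cares about for both storage schemes."""
    md5_store = {u: md5_unsalted(p) for u, p in users.items()}
    pbkdf2_store = {u: pbkdf2_record(p) for u, p in users.items()}
    return {
        # same password -> same MD5 for every user, so one lookup table cracks all of them
        "md5_identical": len(set(md5_store.values())) == 1,
        # random salt -> different records even for identical passwords
        "pbkdf2_identical": len(set(pbkdf2_store.values())) == 1,
        "verify_ok": all(pbkdf2_verify(p, pbkdf2_store[u]) for u, p in users.items()),
        "verify_wrong": pbkdf2_verify("not-the-password", pbkdf2_store["alice"]),
    }
```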


wtf MA

Hey relax and chill angry dude.
I admit leaving crypto by 2011 after the police hunt for Satoshi but charging anyone with btc purse.
Just curious how things have changed after a decade?
What's the maximum length of output that MD5 can do nowadays?
What's the maximum length of input that MD5 can use today?

Used to be something like 3dc0a1b5504a388f9ddbe63f11b0e83b
 


Wasn't meaning to sound angry, just shocked (at MA, not at you). Using MD5 for password hashing is crazy irresponsible, and this has been well known for around 25 years now.

As for your questions: MD5 always outputs 128 bits, and hashing functions don't have any maximum input.

MD5 was never used in crypto currency, btw. It's too fast and too narrow.
 
dear mindark, i know we're not best friends, but i really urge you to send a data breach notification to the Swedish Data Protection Authority, a notification email to all affected users, and also reset all PCF passwords ASAP. that's the least you can do, for your own sake ... as i can smell some complaints already!

:dunce:

edit: reported my own post, and added that it's only a suggestion :)
 
email addresses are considered personal data in the GDPR, i just checked it again. it doesn't really matter if those addresses also contain any other things like name or birth year. i guess my suggestion isn't that bad!
 
i've sent an inquiry to the Austrian data protection agency, without mentioning game or developer at all.

while i did this, i've noticed that IP addresses were also included in the data breach, and actually this adds quite some more security issues for everyone here.

do i need to mention portscans, cracking and phishing attempts? attacks that target EU account holders, which visit PCF in large numbers?

:rolleyes:
 
PS: you have to notify data breaches within 72 hours in Austria, that shouldn't be too different in Sweden. good luck!
 

Europe means same rules everywhere, so yes, massive failure here from MA and PCF administrators.
 

just one in a row of many, amongst others...

still, there's the other thing with laws and such nasty issues. it's not only about creative bookkeeping and a still "very profitable product". :silly2:
 
Ah, it must have been your forum picture that got me thinking you're angry then, my bad. :D


Actually I didn't write MD5 had anything to do with crypto currencies.
But since you brought it up, RIPEMD-160 and SHA256 are used for bitcoin addresses.
SHA-2 is susceptible to length extension attacks and SHA256 is a weak variant of SHA-2 algorithm.
Original RIPEMD has collision weaknesses since 1996, so not an entirely dissimilar situation to MD5.
But people still use them for the same reason as any variant of MD5, for the speed and size.

Regarding SHA-3 it has no known weaknesses unlike previous version SHA-2.
Although, heard some are still upset at how the SHA-3 competition went......
If concerned about SHA-3 (no known weaknesses), then suggest avoiding PBKDF2 which has known weaknesses.
Agree that bcrypt is a good one, but there's also Whirlpool, Blake2, and scrypt.


Anyways your reply to both MD5 lengths is correct.
In the past I found half the people will answer the input length question wrong.
And anyone can confirm that by decrypting my MD5 example in previous post.
Don't worry no salt added, just use one of the oldest crypto tricks in the book.

Have fun.
 
i really wonder, does noone care about this?

72% really should, and 28% should keep it in mind and check, where they maybe also used the non-salted data, or think about strongness of their passwords.

btw, did you know that you can also check your password on haveibeenpwned.com/Passwords? it's maybe a good idea to first check, and then change your password anyways.

personal suggestion: use 2FA whenever possible, and store passwords in an email draft of a free protonmail account (paid accounts well worth too!)

stay safe, or become salty. u decide! ;)
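On the haveibeenpwned.com/Passwords suggestion above: the reason checking there does not hand over your password is the k-anonymity range API, where the client sends only the first 5 hex characters of the SHA-1 of the password and matches the rest locally. The code below is an added example, not the site's own client; the range response is a constructed stand-in for what the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint returns, and the counts in it are made up.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the HTTP body of GET /range/5BAA6. The real service
# returns one "SUFFIX:COUNT" line for every leaked hash sharing that 5-char prefix.
# The first suffix really is the tail of SHA-1("password"); the counts are invented.
SAMPLE_RANGE = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17",
    ])
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTPS GET of the range endpoint; returns '' for unknown prefixes."""
    return SAMPLE_RANGE.get(prefix, "")


def prefix_sent_to_server(password: str) -> str:
    """The only thing that leaves the client: 5 hex chars, i.e. 20 bits of a 160-bit hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how often the password appears in the breach corpus (0 = not found).

    The full SHA-1 is computed locally; the server sees the prefix only and the
    remaining 35 hex chars are compared against every suffix it returns.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0
```

For a live check, pass a `fetch` that performs the real GET (e.g. with `urllib.request.urlopen`) and returns the body as text; the matching logic stays the same.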
 
Looks like nobody cares. This is where I am happy the email i use for this forum I use for nothing else and the password is unique.

I thought Scandinavia was all about caring and transparency.
 
People care but perhaps have little to add to the debate here
 
I have looked into the matter and been told that there is nothing to worry about.

Nothing to worry about?

Fairly confident you're based in Sweden, fairly confident that EU law requires you to notify upon a data breach.
Failing to comply is actually a very very costly exercise.
 
Funny how we have only had one comment from a MA official and nothing that is concrete in regards to what is happening....

No notification in my Email Inbox
No notification on this website
No notification that the hole has been plugged
No notification to all of us to change our passwords
No nothing...

Love your glacial speed MA
 
Your personal data might have been stolen!

I know there was a question about this in the section "about pc forum" but I guess people rarely go there, most of us just lurk General Discussion, and the matter is serious, so I believe it is worth spreading the message:

Your personal data you use here, including IP address, e-mail, e-mail password and username, might have been stolen:


If you use the password or part of it and username from this forum somewhere else I urge you to immediately change your password here and on other sites.

Also, beware of phishing attempts. Someone may try to steal your sensitive information by disguising themselves as trustworthy. Watch out for suspicious e-mails!

Just for fun, I quote MA official statement on this data breach :D:D

I have looked into the matter and been told that there is nothing to worry about.

Nothing to worry about? I don't think so!

Check here if your e-mail was also breached:
https://haveibeenpwned.com/
 
Without clicking the last link, it sounds glorious. Like how can it not be e-mail address stealing in itself?
 


To be honest, this has been this way for a long time.

The forums at some point should have been updated to using appropriate encryption to secure everyone's data, but chrome recognizes it has issues, so I've been pretty cautious about information I use on this site...

An upgrade wouldn't hurt :p
 

Troy Hunt (creator of haveibeenpwned) is quite passionate about mandatory breach notifications. I also work in this industry and am not at all surprised at this type of response. It is quite common with organisations who do not have incident response plans. The responses are vague, denying or often understating the issue.

Bit more about Troy - https://en.wikipedia.org/wiki/Troy_Hunt

He is an excellent presenter as well. I saw him at auscert 2016 and this prezo https://youtu.be/fAdNVxZ_0nc

If you're at all interested in cyber security it's worth a look.
 

Do you mean to say you think MA/PFC do not have a policy in regards to Data Breach?

Oh my...
I doubt they have a policy on how to engage the public or how to engage their own customers
 
It's an honest service, even was embedded into Firefox recently. Been using it for years.
 
that ignorance and lack of communication still pisses me off the most. this looks like nothing but zero intention to fix MA/PCF's reputation or security, or at least inform everyone properly.

it makes me really wonder how data protection agencies wanna enforce breach notifications within 72 hours, when one often can't even get a proper answer from certain companies in weeks, months, or even years.

oh, now i remember, it was today in the news - companies were fined over 114 million euros already since GDPR became applicable law in europe.

:laugh:
 
HTTPS has now been enabled site-wide on PlanetCalypsoForum.com. While the use of HTTPS would not have prevented the database breach that is referenced in this thread, it is still an extra layer of protection for PCF members which may prevent certain types of malicious attacks.

Note that on some pages (mainly thread discussions where user signatures are displayed) your browser may indicate that some of the content being served is not secure; this is caused by non-HTTPS signature images hosted on other servers (e.g. EntropiaLife).
 
As a security precaution, all members (who have not changed their password within the last 7 days) will be prompted to change their password upon their next visit to PCF.

It is strongly recommended to use a unique password that is at least 8 characters in length, difficult to guess, and that is not used for any other websites or services (e.g. Entropia Universe).

Apologies for the inconvenience.
 
711, you don't need to apologize for making this forum more secure. We welcome it. Thank you!

Edit: I have checked on that site if I have been pwned. To my surprise, several ancient emails I stopped using a long time ago, and also the email address that I used on this forum was breached.

Then I was reading some of my recent emails.


I know you guys want me to go playing again. But this is a very unwise thing to do. For security reasons. Since all email addresses appear to have been breached on this forum: if you used the same email address here on the forum that you also use on Entropia Universe, and the password to your email was used elsewhere that was breached, or that password was brute-forced or easy to guess...

You could get your account potentially hacked on Entropia Universe.

I would like if MA didn't say my username in my email address, for whatever reason.

Needless to say, I have changed the passwords for all my emails I ever used now, and I'm gonna be extra careful from now on.
 
I wonder how many eu acct were hacked from this cuz so many use the same password. this is the one time in decades I feel good about having a special forum password separate from anything important.. yay it came in handy finally =p
 