FYI: Planet Calypso forum Data Breach

AkiranBlade

Hi all,

Just been notified by "Have I been pwned" that this site has suffered a data breach.

Has the breach been sealed before I go about changing my password?
 
I received this email too
 
Where do you sign up for this to get a notification? :eek:
 
Firefox just informed me of the same breach including password having been breached.

More concerning, according to Firefox the breach date was 1 July 2019.

Why was this breach not notified earlier?
 
Yes, why wasn't the community let know? They should have at least sent out a notice to change passwords or something, as it states that passwords were included.
 
It's a Chrome problem, I think. Got it today on the biggest site I use in my country, and only on Chrome :)
 
Password changed, catastrophe avoided, for now. :rolleyes:
 
Code:
Planet Calypso: In approximately July 2019, the forums for the Planet Calypso game suffered a data breach. The breach of the vBulletin based forum exposed email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Compromised data: Email addresses, IP addresses, Passwords, Usernames

At least it is "just" salted hashes of names and passwords
 
Me too, seems there were 62 261 accounts that got breached.
Why no information to us? Or wasn't it known to the owners of PCF?
 
Hopefully we will get an official statement.
 
I got this message from Firefox Monitor:

Planet Calypso
Breach added:
12 January 2020
 
Passwords kept as salted hashes is the correct and secure way of storing them.

However, over the past decade MD5 has been proven to have a number of weaknesses.
Thankfully most MD5 attacks take time and computational power if everything else is done right.
Ideally MA/EU upgrades to something more secure like SHA-2 or SHA-3 hash function in the near future.


BUT, MA/EU should never publicly discuss or disclose their technical side of these things.

However, MA/EU should always disclose when there's been a data breach that includes names, emails, etc.
Also when their security breach was sealed.
 
One thing I've noticed is that forums tend to be targets (or at least show up in breaches) often. One can talk about having separate passwords for every single site, but forums are the one area I always make sure to give priority to not using one similar to other sites or game logins because of that.
 
I was notified by Firefox via email and changed my password. I'll change it again when it seems appropriate to do so. This isn't the first data breach my information has been compromised in and I highly doubt it will be the last.
 
I think it's concerning there's been no notification from officials to say this is either under investigation or that the breach has been found and/or sealed.
 
It should give 10 years of prison for illegal hackers. Also email spamming should give 2 - 5 years.
 
110 grains of lead travelling 800 feet per second, applied to the frontal lobe of the suspect.

If not allowed, then a #10 boot thrust squarely into the anal sphincter of said suspect. Daily.

After spending 10 years "married" to my Mother (thanks to a hacker), I have 0% humor for their antics.

I guess you had to be there.
 
I have looked into the matter and been told that there is nothing to worry about.
 
I have looked into the matter and been told that there is nothing to worry about.

When Firefox reports a breach, I expect a bit more from the provider that has apparently been breached than "There's nothing to worry about". Some details? What was breached, why and how was it resolved? Credibility and Trust?
 
110 grains of lead travelling 800 feet per second, applied to the frontal lobe of the suspect.

If not allowed, then a #10 boot thrust squarely into the anal sphincter of said suspect. Daily.

After spending 10 years "married" to my Mother (thanks to a hacker), I have 0% humor for their antics.

I guess you had to be there.

You were spoofed into marrying your mother? Awkward
 
When Firefox reports a breach, I expect a bit more from the provider that has apparently been breached than "There's nothing to worry about". Some details? What was breached, why and how was it resolved? Credibility and Trust?

Yes MA/PCF

You should be required to disclose when you became aware of the breach, the breach location and also advise that the breach has been fixed... if this isn't done how are we to know when and what passwords / emails have been breached.....

Not good enough to say what you have said at this point!

Not happy...
 
I have looked into the matter and been told that there is nothing to worry about.

"I have looked" ..."and been told"

So, you looked into it, and somebody else told you to not worry about it. :scratch2:
Who told you that?
The toilet lady?
 
PCF holds Personally Identifiable Information (PII) about its participants and thus comes under the EU GDPR rules. This is a GDPR breach and should be reported as such. If MA have evidence that tells them that no breach has occurred then they have nothing to worry about, but in the meantime there should be an investigation to understand what has happened here.
 
PCF holds Personally Identifiable Information (PII) about its participants and thus comes under the EU GDPR rules. This is a GDPR breach and should be reported as such. If MA have evidence that tells them that no breach has occurred then they have nothing to worry about, but in the meantime there should be an investigation to understand what has happened here.

MA does not say no breach has occurred.
MA says we just should not worry about the breach that DID happen.
Well, at least, that's what somebody told them, that we should not worry about it.

So, nothing to see here, move along.
 
This issue is being investigated.

As explained by others in this thread, user passwords are not actually stored in the forum database (or anywhere else). Thus, no actual passwords were compromised, only the salted hashes of those passwords.

In any case, as a precaution, it is recommended that all PCF members change their account password as soon as possible, and be sure that it is a unique password not used for any other websites or services (i.e. Entropia Universe).

PCF was moved to a new, more secure server a couple of months ago, so similar attacks are unlikely.
 
Passwords kept as salted hashes is the correct and secure way of storing them.

However, over the past decade MD5 has been proven to have a number of weaknesses.
Thankfully most MD5 attacks take time and computational power if everything else is done right.
Ideally MA/EU upgrades to something more secure like SHA-2 or SHA-3 hash function in the near future.


WOW what?! I didn't even notice that in the statement. MD5 has been shown to be cryptographically unsuitable for password hashing since the early/mid 90's. It's really shocking to find out they are still using it. For the past 30 years it's only been useful for calculating checksums.

And no, MD5 attacks don't take any time, you can brute force a 10-char pw on a modern cell phone processor in like 30 mins.

BTW, SHA is designed for speed, and should never be used for pw hashing. Go with PBKDF2 or bcrypt.


wtf MA
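
Added example, not part of any post in this thread and not the forum's own code: one way a site holding legacy salted-MD5 hashes can move to PBKDF2 without a mass reset, by re-hashing each password at the next successful login. The record layout, the `md5salt` scheme (assumed here to be md5(md5(password) + salt)), the function names and the iteration count are all assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: hex md5(md5(password) + salt). Fast, so weak."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build a self-describing record: scheme$iterations$salt_hex$key_hex."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify_and_upgrade(password: str, record: str):
    """Check a login. Returns (ok, new_record); new_record is set only when
    the stored record should be replaced with a stronger one."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5salt":
        # Digest comes first, so a salt containing "$" still parses.
        digest, _, salt = rest.partition("$")
        ok = hmac.compare_digest(legacy_hash(password, salt), digest)
        return ok, (pbkdf2_record(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, key_hex = rest.split("$")
        key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(key.hex(), key_hex)
        stale = ok and int(iters) < PBKDF2_ITERATIONS
        return ok, (pbkdf2_record(password) if stale else None)
    return False, None  # unknown scheme: fail closed

if __name__ == "__main__":
    # Constructed sample row, not data from the breach discussed above.
    old = "md5salt$" + legacy_hash("correct horse", "a$9") + "$a$9"
    ok, new = verify_and_upgrade("correct horse", old)
    print(ok, new.split("$")[:2])
    print(verify_and_upgrade("correct horse", new))
    print(verify_and_upgrade("wrong guess", old))
```

Accounts that never log in again keep their MD5 record, so a migration like this is usually paired with a forced reset or expiry for dormant accounts.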
 