HACKED By SMAIL MAX

"Not enough respect shown"
 
or some real security - lovely to know all of our email addresses were snagged

trailer-park-boys090810.jpg
 
I'm really not too concerned if they got our email address or even the passwords cause I use a different one for each forum and service. But can the mods comment on this? It would be nice to have it confirmed rather than people speculating.
 
So, you haven't had sex since 1985?

(says the guy in NYC celebrating his 20th anniv. for the last few days)

And you've been dry since '03?
 
New York is for lovers, my friend. That's what I told her, at least.
 
Hey folks

We're working with the security/abuse team for the server to find out how this is happening. It appears the database and all info is intact. Passwords are scrambled, even in the database. We are doing daily backups so if anything does happen we can simply restore from the previous day.

Hackers are like trolls...they just want attention...LOL

Thanks
 
Passwords are scrambled, even in the database.
Thanks for the update Paul.

The issue is not whether the passwords are scrambled or not. It's whether the cypher text is created using the same seed. If yes, then all passwords are vulnerable to disclosure and there is a higher probability of successfully cracking them. If a random seed is used to create each cypher text, then the exposure is consequently smaller.

Prudence would dictate that everyone change their passwords to protect themselves; and maybe an announcement to the community is in order. Forewarned is forearmed. Let each person decide how they handle their password once they know the exposure.
 
Passwords are scrambled

What does "scrambled" mean?

Are the passwords encrypted and salted? If they are just encrypted then a simple rainbow table lookup would reveal most users' passwords... Most people don't use secure passwords... They also use the same insecure password on multiple sites.

The right thing to do right now would be to force everyone to change their password.
 
I agree with SPLASH and Robmack.

If any data was taken, including dumps of hashed passwords, you should be making a community announcement and forcing password changes. If the data was taken you should assume that it's already been compromised. You would not believe the amount of people that use the same password for their primary email that will then be linked to things like Banking, Netflix, Facebook, PayPal, eBay etc. If they got the email address and it's the same one you use for PayPal they then have half the required credentials to access your PayPal. If they have your email and your password is the same as the captured one they can then easily access your PayPal by hijacking the email. So it's really important to let us know what was taken via an announcement. By not doing so you actually may be opening yourself up to liability issues.

Good luck working with the security to get the stuff locked down. If you need a private security guy to step in I'm sure I and others on the forum can recommend you some people. (Probably some users are in this field)
 
If any data was taken
If... IF any data was taken?? The hacker has an entire copy of the GTAM database! Didn't you see the screencaps he posted on the hacked home page??

2zxm3ig.jpg


I don't think Paul is handling this properly.

If you used the same password on GTAM that you've used on other sites (especially PayPal), then you need to change your password ON THOSE OTHER SITES asap. Like now.

Changing your GTAM password won't do much good, that'll just stop the hackers from "posting as you", shouldn't be your top concern at the moment.

And in the future, NEVER use the same password for every website :(
 
Yep, that's why I use randomly generated strings of a bunch of characters kept in my password wallet. They typically look like this: "3rWrd8nN4D8pbUjDJ" Don't forget to back up your password wallet :cool:
 
What does "scrambled" mean?

Are the passwords encrypted and salted? If they are just encrypted then a simple rainbow table lookup would reveal most users' passwords... Most people don't use secure passwords... They also use the same insecure password on multiple sites.

The right thing to do right now would be to force everyone to change their password.

Passwords are (generally) never encrypted, they are hashed. On top of that, vBulletin uses per-user salts for those hashes. That breaks rainbow tables but these days, consumer computing hardware is fast enough for that to not matter much. There was a screen shot posted on the hacked page, ostensibly of a database dump that had password hashes in it (matched usernames from this site). If it mattered to the guy, and he knew what he was doing, I conservatively estimate he would have 80% of the users' passwords in a week.
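
Added illustration, not written by any poster in this thread and not vBulletin's actual scheme: a comparison of the three storage choices debated above (unsalted fast hash, per-user salt with a fast hash, per-user salt with a slow KDF). SHA-256, PBKDF2, the round count and the sample accounts are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from the forum); alice and bob reuse a password.
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}

PBKDF2_ROUNDS = 200_000  # assumed work factor for this illustration


def store_unsalted(password):
    """Fast hash, no salt: equal passwords always give equal digests."""
    return {"salt": b"", "digest": hashlib.sha256(password.encode()).digest()}


def store_salted(password):
    """Fast hash with a random per-user salt: defeats precomputed tables only."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hashlib.sha256(salt + password.encode()).digest()}


def store_slow(password):
    """Per-user salt plus a deliberately slow KDF: each guess costs many rounds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_slow(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])


def accounts_sharing_a_digest(table):
    """Count accounts whose stored digest also appears on another account."""
    counts = Counter(rec["digest"] for rec in table.values())
    return sum(n for n in counts.values() if n > 1)


def build(store):
    """Build a constructed credential table using the given storage function."""
    return {user: store(pw) for user, pw in ACCOUNTS.items()}


if __name__ == "__main__":
    for name, store in [("unsalted", store_unsalted), ("salted", store_salted), ("slow", store_slow)]:
        print(name, accounts_sharing_a_digest(build(store)))
```

The salt removes shared digests and precomputed lookups; only the slow KDF changes the per-guess cost that the post above says fast hardware has made cheap.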
 
Ok guys... I'll get on the force password change asap.

Thanks
Thanks Paul. How about an e-mail sent out to the userbase letting them know their e-mail address and password have been compromised and to change it on every site where they used the same ones?
 
I don't understand all this about the password being hacked.....how would this hacker know what other sites you use that same password for if this is what you guys are all worried about??
 