Multiuniverse wrote:So why don't you guys change to use a better hashing software?
Switching to a different hash algorithm retroactively is hard because BMG shouldn't and hopefully don't have access to the unencrypted passwords. Maybe new passwords.
Achilles wrote:Technetium wrote:Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".
So...if the hashing isn't doing its job...why is that hashing method in use?
Because we’re terrible developers obviously
Jackparrot wrote:
Do you plan on, or are you looking into, finding out who did this? I would really like to know who did this so that you can bring them to court. An attack this big is probably carried out by some very vengeful people, therefore I suspect that the botters could be behind this.
Technetium wrote:This is probably a stupid idea, but what would prevent them from, say, using a new hash algorithm on top of the old one, re-hash all the existing passwords, and have login run the two hashes in sequence?
So currently it uses what we'll call Hash A.
When a password is input on login, it goes plaintext>Hash A and is checked against the stored password, already converted plaintext>Hash A before storing.
What I'm thinking, is, they convert all the stored passwords with another hash, we'll call it B, and have the login setup hash the passwords twice to match, so it goes plaintext>Hash A>Hash B.
Now, I figure there's very likely some reason why this wouldn't work, so if there is, could someone explain what that reason is?
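The layered scheme Technetium describes, as an added example that is not from the thread or the site's own code: existing MD5 values ("Hash A") are wrapped in a salted, slow outer hash ("Hash B", assumed here to be PBKDF2-HMAC-SHA256, with constructed sample users), and once a user logs in successfully the now-known password is re-hashed without the MD5 layer.

```python
import hashlib
import hmac
import os

ROUNDS = 200_000  # assumed cost parameter for the outer layer ("Hash B")

def hash_b(inner: bytes, salt: bytes) -> bytes:
    """Outer layer: salted, slow PBKDF2-HMAC-SHA256 over the inner value."""
    return hashlib.pbkdf2_hmac("sha256", inner, salt, ROUNDS)

def migrate_legacy(md5_hex: str) -> dict:
    """Wrap a stored MD5 hash without knowing the password: B(A(pw))."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(md5)", "salt": salt, "hash": hash_b(md5_hex.encode(), salt)}

def hash_new(password: str) -> dict:
    """Records written after the migration skip MD5 entirely: B(pw)."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": hash_b(password.encode(), salt)}

def verify(record: dict, password: str) -> bool:
    """Recompute the chain the record was stored with; compare in constant time."""
    if record["scheme"] == "pbkdf2(md5)":
        inner = hashlib.md5(password.encode()).hexdigest().encode()
    elif record["scheme"] == "pbkdf2":
        inner = password.encode()
    else:
        return False
    return hmac.compare_digest(hash_b(inner, record["salt"]), record["hash"])

def login(store: dict, user: str, password: str) -> bool:
    """Verify; on success, drop the MD5 layer by re-hashing the known password."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "pbkdf2(md5)":
        store[user] = hash_new(password)  # opportunistic upgrade
    return True

def demo() -> tuple:
    # Constructed legacy table: username -> hex MD5 of the password ("Hash A").
    legacy = {"alice": hashlib.md5(b"correct horse").hexdigest()}
    store = {u: migrate_legacy(h) for u, h in legacy.items()}
    before = store["alice"]["scheme"]
    ok = login(store, "alice", "correct horse")
    after = store["alice"]["scheme"]
    bad = login(store, "alice", "wrong password")
    return before, ok, after, bad
```

Wrapping leaves the MD5 layer's weaknesses in place for accounts that never log in again, which is why the upgrade on successful login matters.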
Deagler wrote:Just let BMG handle it in peace, No one knows if BMG even has control of the hashing of the passwords... It could easily have been a phpBB vulnerability since those have existed in the past... It's amazing how everyone in the ToS community is suddenly an experienced Software Engineer and is so ready to put BMG to shame.
Yeah it happened, Yeah it sucks. Yeah they could have told us sooner. But so what, they were on a 5 day holiday when most software companies take 10 days during this time of the year. Give them a break and stop crying about it. Crying about it doesn't help the situation or speed up any process.
Data breaches are a reality in this day and age. Equifax actively tried to cover up their data breach for almost 3 months. BMG was on holiday for 5 days and didn't see a couple emails, relax guys... It's no big conspiracy
For now, since everyone is so worried:
- Change your ToS password to something secure
- If you used the same password somewhere else, Change that password
- Setup 2FA on important accounts and your e-mail
kristian818 wrote:Deagler wrote:Just let BMG handle it in peace, No one knows if BMG even has control of the hashing of the passwords... It could easily have been a phpBB vulnerability since those have existed in the past... It's amazing how everyone in the ToS community is suddenly an experienced Software Engineer and is so ready to put BMG to shame.
Yeah it happened, Yeah it sucks. Yeah they could have told us sooner. But so what, they were on a 5 day holiday when most software companies take 10 days during this time of the year. Give them a break and stop crying about it. Crying about it doesn't help the situation or speed up any process.
Data breaches are a reality in this day and age. Equifax actively tried to cover up their data breach for almost 3 months. BMG was on holiday for 5 days and didn't see a couple emails, relax guys... It's no big conspiracy
For now, since everyone is so worried:
- Change your ToS password to something secure
- If you used the same password somewhere else, Change that password
- Setup 2FA on important accounts and your e-mail
Deagler, perhaps it would help if you read the article by dehashed (https://blog.dehashed.com/town-of-salem ... es-hacked/). They clearly state having called and received an answer on December 28th. Their hashing algorithm is old and outdated, declared unsafe by various people in tech. All these things are not complicated, and if you have the slightest interest in security as a hobby then you can understand it with a bit of reading. Mostly, people are unhappy with how the breach is handled, at least that is what I am, because breaches happen and sometimes in the weirdest ways. I bet if this really was an LFI or RFI attack then it was some weird form or file upload that accepted the attack. Easily forgettable and totally understandable, especially for a team of their size. However, when they don't react to calls from a security site then it is a problem. No matter a vacation, someone should always keep a little tab on logs and so on. Swap the duty around each day or something, but just keep an eye out.
TheGarner wrote:Anyway to delete an account? Haven’t used this for years and only remembered it due to the news of the breach.
ChubbyMooshroom9 wrote:https://haveibeenpwned.com/
if you want to check
Royee wrote:ChubbyMooshroom9 wrote:https://haveibeenpwned.com/
if you want to check
I am not in there, do I consider myself safe?
Bodhrak wrote:Royee wrote:ChubbyMooshroom9 wrote:https://haveibeenpwned.com/
if you want to check
I am not in there, do I consider myself safe?
It's pretty much impossible not to be on there as the whole database was leaked.
Unless you changed your e-mail recently or you want to imply that wasn't the whole database, I guess you made an error.
Chemist1422 wrote:So what should we do about it if we have been pwned?
Royee wrote:Chemist1422 wrote:So what should we do about it if we have been pwned?
I am joining the question too.
What do we do besides changing the password?