Thread: FFR Hacked.
09-8-2016, 11:08 PM   #57
devonin
Re: FFR Hacked.

Hello everybody.

As some of you may have seen from the forums, the website haveibeenpwned.com is reporting that there was a breach of FFR in February of this year, resulting in the compromising of Usernames, Email Addresses and IP information, as well as Salted MD5 password hashes. Further, the Vigilante.pw twitter feed claims that as of July of this year, a large majority of those accounts had their passwords successfully cracked into plaintext.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away. We actually have no evidence on our side of this breach, but there's no reason to doubt multiple sources reporting it, so we need to treat it like it is fact.

What it means for FFR passwords is a little more complicated. Some levelling with you is going to happen now.

Due to various issues (Mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we'll be able to upgrade the security architecture in any especially meaningful way. As well, while in 2008, salted MD5 hashes were fairly secure, that has become less so as time passes. We are investigating ways to store passwords more securely that are still compatible with our existing systems, but in the near-term in today's information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.

Out of the salted hashes compromised in the breach, nearly 400,000 of them remained uncracked. Those were users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass to generate very strong passwords unique to each source. If you don't want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i etc).

While we are definitely sympathetic to anybody who had passwords compromised that are used in any other places, please do understand that the first we heard about this breach was when it was posted in the forums, and investigation on our end needed to happen to try and confirm the reports, assess what happened, and try to figure out where we actually stood with regards to our options, and that we haven't been trying to avoid, ignore or otherwise not address these issues by mostly remaining quiet up until now.

We apologise for the effort in changing passwords this is going to cause, and any alarm caused by our taking a few days to assess before saying something.

Devonin and the FFR Team
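The post mentions looking for ways to store passwords more securely while staying compatible with the existing salted-MD5 records. The example below is added here and is not FFR's code, nor a description of how FFR actually stores passwords: it assumes a constructed legacy layout of a per-user salt and md5(salt || password), and shows the standard "hash wrapping" migration, where each stored MD5 digest is fed through PBKDF2-HMAC-SHA256 so that every record can be upgraded without knowing any plaintext password, and a login check still works for both old and upgraded records. The record dictionary, the `pbkdf2(md5)` scheme label and the iteration count are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed legacy layout for this example: a per-user random salt and
# md5(salt || password). The post only says "salted MD5"; the actual
# concatenation order and storage format used by the site are not described.
def legacy_salted_md5(password: str, salt: bytes) -> bytes:
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def make_legacy_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Create a record in the (constructed) legacy 'md5' scheme."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return {"scheme": "md5", "salt": salt, "iterations": 0,
            "hash": legacy_salted_md5(password, salt)}


# Assumed work factor: tune so that one verification costs on the order of
# 100 ms on the real server hardware.
PBKDF2_ITERATIONS = 200_000


def wrap_legacy_record(record: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Upgrade a stored legacy record without the plaintext password.

    The old MD5 digest becomes the input keying material of PBKDF2-HMAC-SHA256,
    keyed with the same per-user salt.  Anyone testing password guesses against
    the upgraded record must now pay for the full PBKDF2 work per candidate
    instead of a single MD5 call.
    """
    if record["scheme"] != "md5":
        raise ValueError("only legacy md5 records can be wrapped")
    wrapped = hashlib.pbkdf2_hmac("sha256", record["hash"], record["salt"], iterations)
    return {"scheme": "pbkdf2(md5)", "salt": record["salt"],
            "iterations": iterations, "hash": wrapped}


def verify(password: str, record: dict) -> bool:
    """Check a login attempt against either scheme using a constant-time compare."""
    inner = legacy_salted_md5(password, record["salt"])
    if record["scheme"] == "md5":
        candidate = inner
    elif record["scheme"] == "pbkdf2(md5)":
        candidate = hashlib.pbkdf2_hmac("sha256", inner, record["salt"],
                                        record["iterations"])
    else:
        raise ValueError(f"unknown scheme {record['scheme']!r}")
    return hmac.compare_digest(candidate, record["hash"])


def verification_cost_ratio(password: str = "constructed-example") -> float:
    """Wall-clock cost of one wrapped verification relative to one legacy one.

    This is the same factor by which an offline guessing campaign against the
    upgraded records is slowed down.
    """
    legacy = make_legacy_record(password)
    wrapped = wrap_legacy_record(legacy)
    t0 = time.perf_counter()
    verify(password, legacy)
    t1 = time.perf_counter()
    verify(password, wrapped)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    rec = make_legacy_record("correct horse battery staple")
    upgraded = wrap_legacy_record(rec)
    print(verify("correct horse battery staple", upgraded))   # True
    print(verify("wrong guess", upgraded))                     # False
    print(f"wrapped verification is ~{verification_cost_ratio():.0f}x slower per guess")
```

Two caveats belong with this technique. Wrapping does nothing for the copies of the hashes that already left the server, which is why the advice in the post to change any reused password stands regardless of what the site does next. And the wrapped form is a stopgap: the usual follow-up is to replace each `pbkdf2(md5)` record with a direct password hash (bcrypt, scrypt or Argon2) the next time that user logs in successfully, since at that moment the plaintext is available to re-hash.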