Old 09-6-2016, 06:41 AM   #1
sk8tr220
FFR Oldie McOlderton
FFR Veteran
 
Join Date: Jun 2006
Posts: 20
Default FFR Hacked.

Here's what's known about the breach:

Breach: Flash Flash Revolution
Date of breach: 1 Feb 2016
Number of accounts: 1,771,845
Compromised data: Email addresses, Passwords, Usernames
Description: In February 2016, the music-based rhythm game known as Flash Flash Revolution was hacked and 1.8M accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.
You can also run a search for breaches of your email address again at any time to get a complete list of sites where your account has been compromised.
Old 09-6-2016, 06:54 AM   #2
TheThong
♩♪♫♬♭♮♯
FFR Veteran
 
Join Date: May 2009
Location: Antarctica
Age: 32
Posts: 510
Default Re: FFR Hacked.

Wot
Old 09-6-2016, 07:02 AM   #3
XelNya
[Nobody liked that.]
FFR Simfile Author, FFR Veteran
Join Date: Sep 2012
Posts: 3,355
Default Re: FFR Hacked.

Already had the JOY of doing a very large password change binge.

Siiiiiiiiiiiiiigh

Not that in the long run it does any good.

Unless you have literally a different password for EVERYTHING it's kinda pointless.
Old 09-6-2016, 07:02 AM   #4
Dynam0
The Dominator
D7 Elite Keysmasher, FFR Veteran
Join Date: Sep 2005
Location: North Bay, ON
Age: 34
Posts: 8,987
Default Re: FFR Hacked.

iirc most organizations are required by law to notify their clients when confidential information has been obtained from a breach.

gg it's been months

Last edited by Dynam0; 09-6-2016 at 07:03 AM..
Old 09-6-2016, 07:10 AM   #5
sk8tr220
FFR Oldie McOlderton
FFR Veteran
 
Join Date: Jun 2006
Posts: 20
Default Re: FFR Hacked.

Quote:
Originally Posted by Dynam0 View Post
iirc most organizations are required by law to notify their clients when confidential information has been obtained from a breach.

gg it's been months
I received this notification this morning from a breach monitoring website. Maybe FFR isn't aware yet.

Hacks/breaches aren't always apparent and may not come to light until months later. Data that is stolen is not always immediately sold and may not be put onto the black market until long after the attack.
Old 09-6-2016, 07:11 AM   #6
sk8tr220
FFR Oldie McOlderton
FFR Veteran
 
Join Date: Jun 2006
Posts: 20
Default Re: FFR Hacked.

Run your email address here: https://haveibeenpwned.com
Old 09-6-2016, 08:06 AM   #7
Deadlyx39
FFR Player
 
Join Date: Sep 2014
Location: Michigan
Posts: 1,047
Default Re: FFR Hacked.

GG site says I've been "pwned"

Not gonna lie it's hard to take it seriously when the site tells me I've been pwned.
Old 09-6-2016, 08:43 AM   #8
Saik0Shinigami
FFR Player
 
Join Date: Feb 2007
Posts: 458
Default Re: FFR Hacked.

*sigh* So now that I've logged into this site and changed my password, can any admin/moderator tell me why nobody was notified? Other sites that get their information stolen notify every single user so that those users can hopefully replace all common passwords before an issue arises with another account such as banking. This didn't affect me since I use different passwords for everything except a select few, but still, this doesn't look good when there are so many people potentially affected and they don't even know. I've looked at the news feed for the past ~8 months and see nothing from Feb 01 onward. You cannot cover this up, this is a huge problem that needs to be addressed.

Edit: After all these years, I still didn't get a different forum rank eh? Funny.
Last edited by Saik0Shinigami; 09-6-2016 at 08:55 AM..
Old 09-6-2016, 09:13 AM   #9
Charu
Snivy! Dohoho!
FFR Simfile Author, FFR Veteran
Join Date: Mar 2006
Age: 33
Posts: 6,161
Default Re: FFR Hacked.

Huh... guess that's why some users before reported they suddenly couldn't get in their accounts.

Makes sense I guess.
Old 09-6-2016, 09:14 AM   #10
andy-o24
Private Messages, please.
FFR Veteran
 
Join Date: May 2006
Location: Central Indiana
Age: 30
Posts: 1,525
Default Re: FFR Hacked.

Today, 6:56 AM
Greetings,

We were informed by one of our information intelligence services that your e-mail address was compromised in a breach of the Flash Flash Revolution site. This does not necessarily mean that your BSU credentials have been exposed; however, if you use the same password for multiple sites it is possible. If you believe you've used the same password, please proceed with changing your BSU password by visiting https://password.bsu.edu/

If you have any questions, please let us know.

The Office of Information Security Services
Ball State University
Muncie, IN 47306
765-285-4390
security@bsu.edu

Email from my University. I guess this is real.

-o24
Old 09-6-2016, 09:42 AM   #11
Xiz
TWG Chaos
FFR Simfile Author, FFR Veteran
Join Date: Feb 2012
Location: Cali4nia
Age: 32
Posts: 3,399
Default Re: FFR Hacked.

Pro tip:

Literally have passwords for everything. It's annoying as fuck but hell, it's great when you only need to change one password but not all. Just keep a book by your desk or the passwords in your phone or something.
Old 09-6-2016, 09:42 AM   #12
Staiain
Can't handle my ÆØÅ
Retired Staff, D7 Elite Keysmasher, FFR Veteran
Join Date: Aug 2009
Location: Norway
Posts: 4,544
Default Re: FFR Hacked.

Oh no. Well, as it turns out, I've used a temporary pw for almost a year, and that actually saved me from being at risk on other sites.
Old 09-6-2016, 10:33 AM   #13
inDheart
Picker @ JAX2
FFR Simfile Author
 
Join Date: Aug 2011
Posts: 505
Default Re: FFR Hacked.

hmm, i searched on both my main emails and neither came up for this breach, so i guess i used a throwaway when i registered this account. that actually makes sense, thinking back.

regardless, changing pw and probably my recovery email too to be in line
Old 09-6-2016, 10:47 AM   #14
PrawnSkunk
Administrator
User Administrator
Administrator, Developer, FFR Simfile Author, FFR Veteran
Join Date: Dec 2007
Location: Vancouver, BC
Age: 29
Posts: 3,902
Default Re: FFR Hacked.

We have no record of any data breaches of this scale being made, only attempts to compromise individual staff accounts. Since July, I have been focusing most of my attention on preparing the development site, so we can make the necessary upgrades to improve account security without breaking the site. We are continuing to dig around to find more details, as we currently know as much about the breach as haveibeenpwned.com provides.

Last edited by PrawnSkunk; 09-6-2016 at 11:11 AM.. Reason: compressed post info
Old 09-6-2016, 11:09 AM   #15
botchi246
Keepin it Real since '05
FFR Veteran
 
Join Date: Mar 2005
Location: Steamboat Springa, CO
Age: 34
Posts: 549
Default Re: FFR Hacked.

uggggghhhhh i was pwned twice apparently. ffr and tumblr. password changes here we go
Old 09-6-2016, 11:11 AM   #16
Dinglesberry
longing
FFR Veteran
 
Join Date: Dec 2007
Location: Ontario, Canada
Posts: 2,680
Default Re: FFR Hacked.

Development site = site we can go to and view and comment and help with the development of FFR??

Am I dreaming

Jk I realize now you just mean create a test environment so you can make changes without it affecting the main site

As long as there's no code in it that causes it to crash when you try to change from debug -> release lol (I'm lookin at you, FFR engine...)

Edit: also lol somehow didn't get pwned which is funny to me.. Honestly I'm not worried if they just have md5 hashes lol, hell if they get passwords from those I'll actually be happy, maybe then I can learn how lolz cause as far as I'm concerned it's impossible.

Edit2: alright maybe not "impossible" but it's pretty likely nothing would come of it.. Lol makes me wonder why they even use md5 for passwords, oh well

Last edited by Dinglesberry; 09-6-2016 at 11:22 AM..
Old 09-6-2016, 11:38 AM   #17
PhantomPuppy
Washed and Irrelevant D7
D7 Elite Keysmasher, FFR Veteran
Join Date: May 2012
Age: 26
Posts: 1,804
Default Re: FFR Hacked.

february? ive changed my password twice since then lol. spose i shouldnt be too worried then.
Old 09-6-2016, 12:14 PM   #18
Fantasticone
D7 Elite Keymasher
D7 Elite Keysmasher, FFR Veteran
Join Date: Aug 2006
Age: 33
Posts: 6,003
Default Re: FFR Hacked.

Dam, hopefully they AAA things for me.
Old 09-6-2016, 12:16 PM   #19
DeBlackKnite
FFR Player
 
Join Date: May 2007
Posts: 1
Default Re: FFR Hacked.

Quote:
Originally Posted by Dinglesberry View Post
Honestly I'm not worried if they just have md5 hashes lol, hell if they get passwords from those I'll actually be happy, maybe then I can learn how lolz cause as far as I'm concerned it's impossible.
MD5 is broken. There are rainbow tables available that will instantly reverse many passwords, and because the hash function is so cheap, tools like hashcat will rape MD5 even with salt. Say your password is "xsoekcnm" - random characters. But it's too short and can be instantly reversed, just search for md5 reverse and enter 4ecf096b453a0760b02bd0aa0f3740fa.
Old 09-6-2016, 01:11 PM   #20
Dinglesberry
longing
FFR Veteran
 
Join Date: Dec 2007
Location: Ontario, Canada
Posts: 2,680
Default Re: FFR Hacked.

Quote:
Originally Posted by DeBlackKnite View Post
MD5 is broken. There are rainbow tables available that will instantly reverse many passwords, and because the hash function is so cheap, tools like hashcat will rape MD5 even with salt. Say your password is "xsoekcnm" - random characters. But it's too short and can be instantly reversed, just search for md5 reverse and enter 4ecf096b453a0760b02bd0aa0f3740fa.
Well, the whole point of the salt is really to just slow down the rainbow tables that hash cat uses, or make it not work.

For example, let's get a real example in here for what we want to do:

Let's say we have a database of 1,954,977 members. If the password isn't salted, it's literally a matter of running your tool or whatnot, iterating through the list for each "word", and see if any passwords match.. Sure, we need to check almost 2 million data entries like 70 million times, but I mean, it's not TOO bad.. Not only that, since the passwords are represented in our table, we actually don't need to hash anything or call anything to check it -> we just access the table and make our comparisons

Essentially, imagine: we check the first word in the table, scan the "leak" for matches in the list of hashes, if so, boom, easy.

If the password is salted however, NOTHING in that table is going to match anymore. Obviously, we know the salt - it's written right in the MD5 hash (since salted hash is just hash:salt or salt:hash or whatever), the person trying to crack knows the salt.. Despite this, the amount of work that has to be done is like freakin n^2 compared to n! lol.. If the passwords are salted, your table mapping "xsoekcnm" -> 4ecf096b453a0760b02bd0aa0f3740fa suddenly does not match - xsoekcnm doesn't hash to that anymore, so you would need to calculate md5($salt, $plaintextpw), and remake the table.

Regardless, it's gonna slow it the hell down.. Now suddenly instead of:

- for each word in the rainbow table
- Parse hashes for match

you are suddenly:

- for each word in the rainbow table
- calculate what hash would be generated using a given salt
---> (note, you might realise - in order to calculate what the hash would be for a given salt, they would need to know #1 a plaintext password and #2 the hash that is generated that corresponds to this plaintext password)
- parse hashes for matches

Regardless, I doubt anyone would bother doing this for this game.. there is literally no motivation behind trying to access anyone account here, to be honest. I can see if someone would want to hack the admins password or something, but even so, there really isn't a gain to that - what you should be worried about is using the same password for different websites, registered with that username/email.

To be honest, I don't even think the leak was specifically regarding flashflashrevolution, but obviously I don't know for sure - probably related to this:

https://haveibeenpwned.com/PwnedWebsites#VBulletin

EDIT: lol nvm theres a specific section for just FFR
https://haveibeenpwned.com/PwnedWebs...lashRevolution

INTERNET FAMOUS BOIZ

Last edited by Dinglesberry; 09-6-2016 at 01:27 PM..
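
Added example (not part of any post in this thread, and not FFR's or vBulletin's code): the lookup-table point from the last post, followed by one way a site can raise the per-guess cost of already-stored salted MD5 hashes without knowing the plaintexts. The `md5(md5(password) + salt)` scheme, the PBKDF2 iteration count, the function names and all sample values are assumptions or constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def legacy_hash(password: str, salt: str) -> str:
    # Assumed legacy scheme: md5(md5(password) + salt), salt stored per user.
    return md5_hex(md5_hex(password) + salt)

def table_hit(table: dict, stored_hash: str):
    # A precomputed table is a plain lookup; nothing is hashed at lookup time.
    return table.get(stored_hash)

def wrap_legacy(legacy_hex: str) -> dict:
    # Upgrade in place without the plaintext: slow KDF over the stored hash.
    kdf_salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), kdf_salt, ITERATIONS)
    return {"kdf_salt": kdf_salt, "digest": digest}

def verify(password: str, legacy_salt: str, record: dict) -> bool:
    # Login check: rebuild the legacy hash, then the KDF, then compare in constant time.
    inner = legacy_hash(password, legacy_salt).encode()
    candidate = hashlib.pbkdf2_hmac("sha256", inner, record["kdf_salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])

# Constructed sample data, not taken from the breach.
WORDS = ["password", "letmein", "xsoekcnm"]
UNSALTED_TABLE = {md5_hex(w): w for w in WORDS}

def demo() -> dict:
    salt = "k3Q"  # constructed per-user salt
    salted = legacy_hash("xsoekcnm", salt)
    record = wrap_legacy(salted)
    return {
        "unsalted_hit": table_hit(UNSALTED_TABLE, md5_hex("xsoekcnm")),
        "salted_hit": table_hit(UNSALTED_TABLE, salted),  # None: table no longer matches
        "login_ok": verify("xsoekcnm", salt, record),
        "login_bad": verify("letmein", salt, record),
    }

if __name__ == "__main__":
    print(demo())
```

Wrapping only raises the cost of each guess against the stored records; replacing a record with a KDF computed directly from the password at the user's next successful login removes the MD5 layer entirely.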