Flash Flash Revolution: Community Forums


sk8tr220 09-6-2016 06:41 AM

FFR Hacked.
 
Here's what's known about the breach:

Breach: Flash Flash Revolution
Date of breach: 1 Feb 2016
Number of accounts: 1,771,845
Compromised data: Email addresses, Passwords, Usernames
Description: In February 2016, the music-based rhythm game known as Flash Flash Revolution was hacked and 1.8M accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.
You can also run a search for breaches of your email address again at any time to get a complete list of sites where your account has been compromised.

TheThong 09-6-2016 06:54 AM

Re: FFR Hacked.
 
Wot

XelNya 09-6-2016 07:02 AM

Re: FFR Hacked.
 
Already had the JOY of doing a very large password change binge.

Siiiiiiiiiiiiiigh

Not that in the long run it does any good.

Unless you have literally a different password for EVERYTHING it's kinda pointless.

Dynam0 09-6-2016 07:02 AM

Re: FFR Hacked.
 
iirc most organizations are required by law to notify their clients when confidential information has been obtained from a breach.

gg it's been months

sk8tr220 09-6-2016 07:10 AM

Re: FFR Hacked.
 
Quote:

Originally Posted by Dynam0 (Post 4472513)
iirc most organizations are required by law to notify their clients when confidential information has been obtained from a breach.

gg it's been months

I received this notification this morning from a breach monitoring website. Maybe FFR isn't aware yet.

Hacks/breaches aren't always apparent and may not come to light until months later. Data that is stolen is not always immediately sold and may not be put onto the black market until long after the attack.

sk8tr220 09-6-2016 07:11 AM

Re: FFR Hacked.
 
Run your email address here: https://haveibeenpwned.com

Deadlyx39 09-6-2016 08:06 AM

Re: FFR Hacked.
 
GG site says I've been "pwned"

Not gonna lie it's hard to take it seriously when the site tells me I've been pwned.

Saik0Shinigami 09-6-2016 08:43 AM

Re: FFR Hacked.
 
*sigh* So now that I've logged into this site and changed my password, can any admin/moderator tell me why nobody was notified? Other sites that get their information stolen notify every single user so that those users can hopefully replace all common passwords before an issue arises with another account such as banking. This didn't affect me since I use different passwords for everything except a select few, but still, this doesn't look good when there are so many people potentially affected and they don't even know. I've looked at the news feed for the past ~8 months and see nothing from Feb 01 onward. You cannot cover this up, this is a huge problem that needs to be addressed.

Edit: After all these years, I still didn't get a different forum rank eh? Funny.

Charu 09-6-2016 09:13 AM

Re: FFR Hacked.
 
Huh... guess that's why some users before reported they suddenly couldn't get in their accounts.

Makes sense I guess.

andy-o24 09-6-2016 09:14 AM

Re: FFR Hacked.
 
Today, 6:56 AM
Greetings,

We were informed by one of our information intelligence services that your e-mail address was compromised in a breach of the Flash Flash Revolution site. This does not necessarily mean that your BSU credentials have been exposed; however, if you use the same password for multiple sites it is possible. If you believe you've used the same password, please proceed with changing your BSU password by visiting https://password.bsu.edu/

If you have any questions, please let us know.

The Office of Information Security Services
Ball State University
Muncie, IN 47306
765-285-4390
security@bsu.edu

Email from my University. I guess this is real.

-o24

Xiz 09-6-2016 09:42 AM

Re: FFR Hacked.
 
Pro tip:

Literally have passwords for everything. It's annoying as fuck but hell, it's great when you only need to change one password but not all. Just keep a book by your desk or the passwords in your phone or something.

Staiain 09-6-2016 09:42 AM

Re: FFR Hacked.
 
Oh no :( Well as it turns out I've used a temporary pw for almost a year, and that actually saved me from being at risk on other sites

inDheart 09-6-2016 10:33 AM

Re: FFR Hacked.
 
hmm, i searched on both my main emails and neither came up for this breach, so i guess i used a throwaway when i registered this account. that actually makes sense, thinking back.

regardless, changing pw and probably my recovery email too to be in line

PrawnSkunk 09-6-2016 10:47 AM

Re: FFR Hacked.
 
We have no record of any data breaches of this scale being made, only attempts to compromise individual staff accounts. Since July, I have been focusing most of my attention on preparing the development site, so we can make the necessary upgrades to improve account security without breaking the site. We are continuing to dig around to find more details, as we currently know as much about the breach as haveibeenpwned.com provides.

botchi246 09-6-2016 11:09 AM

Re: FFR Hacked.
 
uggggghhhhh i was pwned twice apparently. ffr and tumblr. password changes here we go

Dinglesberry 09-6-2016 11:11 AM

Re: FFR Hacked.
 
Development site = site we can go to and view and comment and help with the development of FFR??

Am I dreaming

Jk I realize now you just mean create a test environment so you can make changes without it affecting the main site :(

As long as there's no code in it that causes it to crash when you try to change from debug -> release lol (I'm lookin at you, FFR engine...)

Edit: also lol somehow didn't get pwned which is funny to me.. Honestly I'm not worried if they just have md5 hashes lol, hell if they get passwords from those I'll actually be happy, maybe then I can learn how lolz cause as far as I'm concerned it's impossible.

Edit2: alright maybe not "impossible" but it's pretty likely nothing would come of it.. Lol makes me wonder why they even use md5 for passwords, oh well

PhantomPuppy 09-6-2016 11:38 AM

Re: FFR Hacked.
 
february? i've changed my password twice since then lol. spose i shouldn't be too worried then.

Fantasticone 09-6-2016 12:14 PM

Re: FFR Hacked.
 
Dam, hopefully they AAA things for me.

DeBlackKnite 09-6-2016 12:16 PM

Re: FFR Hacked.
 
Quote:

Originally Posted by Dinglesberry (Post 4472562)
Honestly I'm not worried if they just have md5 hashes lol, hell if they get passwords from those I'll actually be happy, maybe then I can learn how lolz cause as far as I'm concerned it's impossible.

MD5 is broken. There are rainbow tables available that will instantly reverse many passwords, and because the hash function is so cheap, tools like hashcat will rape MD5 even with salt. Say your password is "xsoekcnm" - random characters. But it's too short and can be instantly reversed, just search for md5 reverse and enter 4ecf096b453a0760b02bd0aa0f3740fa.

Dinglesberry 09-6-2016 01:11 PM

Re: FFR Hacked.
 
Quote:

Originally Posted by DeBlackKnite (Post 4472595)
MD5 is broken. There are rainbow tables available that will instantly reverse many passwords, and because the hash function is so cheap, tools like hashcat will rape MD5 even with salt. Say your password is "xsoekcnm" - random characters. But it's too short and can be instantly reversed, just search for md5 reverse and enter 4ecf096b453a0760b02bd0aa0f3740fa.

Well, the whole point of the salt is really to just slow down the rainbow tables that hashcat uses, or make it not work.

For example, let's get a real example in here for what we want to do:

Let's say we have a database of 1,954,977 members. If the password isn't salted, it's literally a matter of running your tool or whatnot, iterating through the list for each "word", and see if any passwords match.. Sure, we need to check almost 2 million data entries like 70 million times, but I mean, it's not TOO bad.. Not only that, since the passwords are represented in our table, we actually don't need to hash anything or call anything to check it -> we just access the table and make our comparisons

Essentially, imagine: we check the first word in the table, scan the "leak" for matches in the list of hashes, if so, boom, easy.

If the password is salted however, NOTHING in that table is going to match anymore. Obviously, we know the salt - it's written right in the MD5 hash (since salted hash is just hash:salt or salt:hash or whatever), the person trying to crack knows the salt.. Despite this, the amount of work that has to be done is like freakin n^2 compared to n! lol.. If the passwords are salted, your table mapping "xsoekcnm" -> 4ecf096b453a0760b02bd0aa0f3740fa suddenly does not match - xsoekcnm doesn't hash to that anymore, so you would need to calculate md5($salt, $plaintextpw), and remake the table.

Regardless, it's gonna slow it the hell down.. Now suddenly instead of:

- for each word in the rainbow table
- Parse hashes for match

you are suddenly:

- for each word in the rainbow table
- calculate what hash would be generated using a given salt
---> (note, you might realise - in order to calculate what the hash would be for a given salt, they would need to know #1 a plaintext password and #2 the hash that is generated that corresponds to this plaintext password)
- parse hashes for matches

Regardless, I doubt anyone would bother doing this for this game.. there is literally no motivation behind trying to access anyone's account here, to be honest. I can see if someone would want to hack the admin's password or something, but even so, there really isn't a gain to that - what you should be worried about is using the same password for different websites, registered with that username/email.

To be honest, I don't even think the leak was specifically regarding flashflashrevolution, but obviously I don't know for sure - probably related to this:

https://haveibeenpwned.com/PwnedWebsites#VBulletin

EDIT: lol nvm there's a specific section for just FFR
https://haveibeenpwned.com/PwnedWebs...lashRevolution

INTERNET FAMOUS BOIZ
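
An added illustration of the salt discussion in the last two posts (not code from any poster or from FFR): a precomputed MD5 table recovers unsalted hashes of listed passwords in one pass and matches nothing once a per-user salt is mixed in, yet per-salt rehashing with fast MD5 still finds them, which is why a deliberately slow salted KDF is the mitigation. The wordlist, accounts, salts and iteration count are constructed, and md5(md5(password) + salt) is assumed here as the vBulletin 3.x construction.

```python
import hashlib
import hmac

# Constructed sample data: a tiny wordlist and four accounts with 3-character salts.
WORDLIST = ["password", "letmein", "xsoekcnm", "dragon"]
USERS = {"alice": "letmein", "bob": "xsoekcnm", "carol": "letmein", "dave": "k9#Vq2!zLw8@tR"}
SALTS = {"alice": "a:1", "bob": "b;2", "carol": "c<3", "dave": "d=4"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def salted_md5(password, salt):
    # Assumed scheme for this example: md5(md5(password) + salt)
    return md5_hex(md5_hex(password) + salt)

def unsalted_exposure(users, wordlist):
    """One precomputed table covers every account in the leak."""
    table = {md5_hex(w): w for w in wordlist}   # len(wordlist) hashes, reusable forever
    leak = {u: md5_hex(p) for u, p in users.items()}
    found = {u: table[h] for u, h in leak.items() if h in table}
    return found, len(table)

def salted_exposure(users, salts, wordlist):
    """The same table matches nothing; every guess is rehashed per salt."""
    table = {md5_hex(w): w for w in wordlist}
    leak = {u: salted_md5(p, salts[u]) for u, p in users.items()}
    table_hits = sum(h in table for h in leak.values())
    found, work = {}, 0
    for user, stored in leak.items():
        for w in wordlist:
            work += 1                            # users x words hash computations
            if hmac.compare_digest(salted_md5(w, salts[user]), stored):
                found[user] = w
    return table_hits, found, work

def slow_hash(password, salt, iterations=200_000):
    # Mitigation: salted and deliberately expensive (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify(password, salt, stored, iterations=200_000):
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)

if __name__ == "__main__":
    print(unsalted_exposure(USERS, WORDLIST))
    print(salted_exposure(USERS, SALTS, WORDLIST))
```

The salt multiplies the work by the number of accounts but leaves each guess as cheap as one MD5 call; the long password that is not in the wordlist survives in both cases, and the KDF's iteration count is what raises the per-guess cost.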


All times are GMT -5.