FFR Hacked.
 

Here's what's known about the breach:

Breach: Flash Flash Revolution
Date of breach: 1 Feb 2016
Number of accounts: 1,771,845
Compromised data: Email addresses, Passwords, Usernames
Description: In February 2016, the music-based rhythm game known as Flash Flash Revolution was hacked and 1.8M accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.
You can also run a search for breaches of your email address again at any time to get a complete list of sites where your account has been compromised.

Re: FFR Hacked.
 

Wot

Re: FFR Hacked.
 

Already had the JOY of doing a very large password change binge.

Siiiiiiiiiiiiiigh

Not that in the long run it does any good.

Unless you have literally a different password for EVERYTHING it's kinda pointless.

Re: FFR Hacked.
 

iirc most organizations are required by law to notify their clients when confidential information has been obtained from a breach.

gg it's been months

Re: FFR Hacked.
 

I recieved this notification this morning from a breach monitoring website. Maybe FFR isn't aware yet.

Hacks/breaches aren't always apparant and may not come to light until months later. Data that is stolen is not always immediately sold and may not be put onto the black market until long after the attack.

Re: FFR Hacked.
 

Run your email address here: https:// haveibeenpwned .com

Re: FFR Hacked.
 

GG site says I've been "pwned"

Not gonna lie it's hard to take it seriously when the site tells me I've been pwned.

Re: FFR Hacked.
 

*sigh* So now that I've logged into this site and changed my password, can any admin/moderator tell me why nobody was notified? Other sites that get their information stolen notify every single user so that those users can hopefully replace all common passwords before a issue arises with another account such as banking. This didn't affect me since I use different passwords for everything except a select few, but still, this doesn't look good when there are so many people potentially affected and they don't even know. I've looked at the news feed for the past ~8 months and see nothing from Feb 01 onward. You cannot cover this up, this is a huge problem that needs to be addressed.

Edit: After all these years, I still didn't get a different forum rank eh? Funny.

Re: FFR Hacked.
 

Huh... guess that's why some users before reported they suddenly couldn't get in their accounts.

Makes sense I guess.

Re: FFR Hacked.
 

Today, 6:56 AM
Greetings,

We were informed by one of our information intelligence services that your e-mail address was compromised in a breach of the Flash Flash Revolution site. This does not necessarily mean that your BSU credentials have been exposed; however, if you use the same password for multiple sites it is possible. If you believe you've used the same password, please proceed with changing your BSU password by visiting https://password.bsu.edu/

If you have any questions, please let us know.

The Office of Information Security Services
Ball State University
Muncie, IN 47306
765-285-4390
security@bsu.edu

Email from my University. I guess this is real.

-o24

Re: FFR Hacked.
 

Pro tip:

Literally have passwords for everything. It's annoying as fuck but hell, it's great when you only need to change one password but not all. Just keep a book by your desk or the passwords in your phone or something.

Re: FFR Hacked.
 

Oh no :( Well as it turns out I've used a temporary pw for almost a year, and that actually saved me from being at risk on other sites

Re: FFR Hacked.
 

hmm, i searched on both my main emails and neither came up for this breach, so i guess i used a throwaway when i registered this account. that actually makes sense, thinking back.

regardless, changing pw and probably my recovery email too to be in line

Re: FFR Hacked.
 

We have no record of any data breaches of this scale being made, only attempts to compromise individual staff accounts. Since July, I have been focusing most of my attention on preparing the development site, so we can make the necessary upgrades to improve account security without breaking the site. We are continuing to dig around to find more details, as we currently know as much about the breach as haveibeenpwned.com provides.

Re: FFR Hacked.
 

uggggghhhhh i was pwned twice apparently. ffr and tumblr. password changes here we go

Re: FFR Hacked.
 

Development site = site we can go to and view and comment and help with the development of FFR??

Am I dreaming

Jk I realize now you just mean create a test environment so you can make changes without it affecting the main site :(

As long as there's no code in it that causes it to crash when you try to change from debug -> release lol (I'm lookin at you, FFR engine...)

Edit: also lol somehow didn't get pwned which is funny to me.. Honestly I'm not worried if they just have md5 hashes lol, hell if they get passwords from those I'll actually be happy, maybe then I can learn how lolz cause as far as I'm concerned it's impossible.

Edit2: alright maybe not "impossible" but it's pretty likely nothing would come of it.. Lol makes me wonder why they even use md5 for passwords, oh well

Re: FFR Hacked.
 

february? ive changed my password twice since then lol. spose i shouldnt be too worried then.

Re: FFR Hacked.
 

Dam, hopefully they AAA things for me.

Re: FFR Hacked.
 

MD5 is broken. There are rainbow tables available that will instantly reverse many passwords, and because the hash function is so cheap, tools like hashcat will rape MD5 even with salt. Say your password is "xsoekcnm" - random characters. But it's too short and can be instantly reversed, just search for md5 reverse and enter 4ecf096b453a0760b02bd0aa0f3740fa.

Re: FFR Hacked.
 

Well, the whole point of the salt is really to just slow down the rainbow tables that hash cat uses, or make it not work.

For example, lets get a real example in here for what we want to do:

Lets say we have a database of 1,954,977 members. If the password isn't salted, it's literally a matter of running your tool or whatnot, iterating through the list for each "word", and see if any passwords match.. Sure, we need to check almost 2 million data entries like 70 million times, but I mean, it's not TOO bad.. Not only that, since the passwords are represented in our table, we actually don't need to hash anything or call anything to check it -> we just access the table and make our comparisions

Essentially, imagine: we check the first word in the table, scan the "leak" for matches in the list of hashes, if so, boom, easy.

If the password is salted however, NOTHING in that table is going to match anymore. Obviously, we know the salt - it's written right in the MD5 hash (since salted hash is just hash:salt or salt:hash or whatever), the person trying to crack knows the salt.. Despite this, the amount of work that has to be done is like freakin n^2 compared to n! lol.. If the passwords are salted, your table mapping "xsoekcnm" -> 4ecf096b453a0760b02bd0aa0f3740fa suddenly does not match - xsoekcnm doesn't hash to that anymore, so you would need to calculate md5($salt, $plaintextpw), and remake the table.

Regardless, it's gonna slow it the hell down.. Now suddenly instead of:

- for each word in the rainbow table
- Parse hashes for match

you are suddenly:

- for each word in the rainbow table
- calculate what hash would be generated using a given salt
---> (note, you might realise - in order to calculate what the hash would be for a given salt, they would need to know #1 a plaintext password and #2 the hash that is generated that corresponds to this plaintext password)
- parse hashes for matches

Regardless, I doubt anyone would bother doing this for this game.. there is literally no motivation behind trying to access anyone account here, to be honest. I can see if someone would want to hack the admins password or something, but even so, there really isn't a gain to that - what you should be worried about is using the same password for different websites, registered with that username/email.

To be honest, I don't even think the leak was specifically regarding flashflashrevolution, but obviously I don't know for sure - probably related to this:

https://haveibeenpwned.com/PwnedWebsites#VBulletin

EDIT: lol nvm theres a specific section for just FFR
https://haveibeenpwned.com/PwnedWebs...lashRevolution

INTERNET FAMOUS BOIZ

Re: FFR Hacked.
 

I'm CS so all this IA talk is making my head spin. Do I need to set my account on fire or not?

Re: FFR Hacked.
 

I was compromised but I changed all my passwords and made them all stronger so bleh.

Re: FFR Hacked.
 

Good thing I've not changed this password since way back when people were randomly logging into eachother's accounts back in like 2014.
I should be fine in other places since I regularly change those passwords every couple months.

Re: FFR Hacked.
 

Eh I'd consider cryptography part of CS :p


https://forum.hashkiller.co.uk/topic...spx?t=9971&p=5
(It's just forum with people begging for random leaks I found.. however, from this you can see that I guess people have known about it for a while?)

If you are worried about some chinese gold farmer maybe lol.. as far as I could find, it's a private database (l0l this makes me sound like im trying to find the list of password o_O Mark my words someday I will BECOME ETIENNE), so I don't know if anything would even come of it.

Should be fine tbh, worse leaks have happened to be fair.. I'd say yeah just change your password or w/e.

I'm just curious how it happened and why lol.. I swear, someone probably just tried to steal tons of random vB databases...

By the way, I also saw a website that was saying that of the accounts hacked, 300k~ of the passwords were actually encrypted and the rest were plaintext l0l gg, probably bs.

Re: FFR Hacked.
 

I did take a cryptography course... with the math department lmao. CS definitely does not go as in-depth as you would expect on the security protocols side of things.

Re: FFR Hacked.
 

if you enter your email and it says pwned twice, is there a way to see what the 2 sites were, or is it just to guess from the list they provide. clicking the 2 times or whatever doesnt show that

Re: FFR Hacked.
 

it should tell you below with descriptions of the leaks, like so:

Re: FFR Hacked.
 

Hard to take seriously a site that describes your information as having been pwned.

So the site tells me my email has been pwned 4 times in the past 8 years, and yet all four sites, that email address was tied to the same username, which it informs me has been pwned 0 times.

So I should panic because they got my email and username, except they've never gotten my username. Seems legit.

Re: FFR Hacked.
 

Pwned on here, MySpace, and tumblr, oh well.

Re: FFR Hacked.
 

oh woops im dumb ok thank you

Re: FFR Hacked.
 

my throwaway email got pwned, but similar to devonin, my usernames were not, so meh

Re: FFR Hacked.
 

I would recommend users to change their passwords to something that is:
1) Reasonably strong. Avoid common dictionary words and try to mix in numbers, symbols, and/or mixed capitalization of letters.
2) A password that is not used anywhere else.
3) Not easily guessed by someone who knows you personally. For example, if your password included something about soccer because you have a personal interest in soccer as a hobby, it can be guessed. This has happened to some friends I know.

Additionally, keep in mind that:
- 61% of the 1.8 million user accounts were already stated to be hacked (i.e. compromised on other sites) in February. One of the easiest ways to have an account compromised is sharing a password amongst different sites that were already breached, so please use different passwords.
- A large majority of that 1.8 million account demographic is inactive and the passwords are probably simple (e.g. dictionary words or "abc123", I have guessed some user account passwords before on this site from being common dictionary words).
- There isn't any evidence from what we know about an attack happening through vbulletin. I did have a talk with Velocity about user security recently and he can chime in here if needed.

Re: FFR Hacked.
 

Nooo!!!

Re: FFR Hacked.
 

I.. Uhh.. What?

Edit: am I the only one slightly concerned about this comment? You being a "game manager/developer" and having access to the back end? I'll take "things I should have never said given my role here" for $500

Re: FFR Hacked.
 

^ ^

Re: FFR Hacked.
 

Just because someone is on their multiple times does not mean they use the same password on each site, or even use weak passwords. Just the shit luck of being signed up to sites with apparently weak security.

Man, gotta love logging into a site for the first time in over 9 years just because of passwords being hacked now.

Re: FFR Hacked.
 

I bought this to the attention of admins months ago, when leakedsource.com indicated that my e-mail showed up in records for flashflashrevolution.com. I didn't go public because I didn't want to panic anyone or alert people that might have bad intentions that the data was loose.

Nobody ever got back to me. I don't know if they didn't receive the info or not, but this is nothing new. The data has been circulating for a long time. Leakedsource has a lot of obscure leaks, so I guess the FFR data dump didn't catch the attention of haveibeenpwned until recently. I let them know about the dataleak on May 24th, according to my e-mail.

According to leaked source, the result was: Flashflashrevolution.com has: 1 result(s) found. This data was leaked on approximately 2015-10-09.

So I'm not certain where haveibeenpwned is pulling Feb 2016 from. Maybe the data was leaked twice?

I use Keepass now and have a separate strong password for everything.

http://keepass.info/

Re: FFR Hacked.
 

Bahahahaha, I think I put in the wrong email address when changing something on here because the email I used for it is fine, but after checking, the one presented on my profile is different and was "pwned".

Double score as I don't use that email for anything else.

Re: FFR Hacked.
 

wow looks like i've been PWNED!

Re: FFR Hacked.
 

Really, what should happen is admins should force a check to see when passwords were last changed and force people logging in to change them, or just reset everyone's password like was done with other sites.

Ideally, e-mailing everyone about the breach would be nice, but it's likely many accounts have been abandoned by now.

Damage control is critical.

Also, holy hell, I think I'm the longest member on this thread so far. Has it really been since 2003? Almost 13 years...

Re: FFR Hacked.
 

Question: Who is this person http://www.flashflashrevolution.com/profile/IwasHacked/
And how did he get those stats, 1 point? idk

Re: FFR Hacked.
 

??? ??? ?? ?? ???

Re: FFR Hacked.
 

Ehh, I'm not worried. It's only on this site and I have a different complex password for everything.

Re: FFR Hacked.
 

Well, we'll see what happens. I expect a front-page notice regarding the situation, and hopefully a forced round of password resets.

Given how long this site has been around, it's a safe bet that many people used the same password here that they used everywhere else. Probably some of the more recent accounts made the same mistake as well.

This is the reality of the digital age. It's not the first breach I've been caught in. It won't be the last. But I'll certainly be keeping an eye on how staff responds.

Re: FFR Hacked.
 

Guess I'll change my password. I use a password unique to FFR, but it was a stupid password that is probably able to be cracked.

Re: FFR Hacked.
 

...still no front page announcement, e-mail, or sticky.

Re: FFR Hacked.
 

I've been asking who I can and Im not getting much an answer, I think at this time the scale of whatever happened it probably still being uncovered to its fullest, I personally suggest you send admins a pivate message expressing your discomfort not knowing how they have and plan to handle your data in the future, I'm doing it. Don't harass or be rude though, that wont get you anywhere but in trouble.

Re: FFR Hacked.
 

what do you think they're going to do? pay out the ass for a security audit? there are way too many attack vectors for this given that the site runs some old fuckin version of vbulletin, some old fuckin version of wordpress, and hasn't had its core updated in like 10 years at this point. the page you're whining on right now isn't even https.

if your password or email here exposes anything amazing about your life then you should probably rethink your security strategy.

Re: FFR Hacked.
 

Nobody is asking them to perform a security audit. At the very least though, there should be a news post or automated mail to registered users.

Ideally, like most other sites, passwords should be reset given that the breach is confirmed on two sites, with info that I know is valid.

Look, I joined what... 13 years ago? Back then, me and most other young people probably didn't pratice the best web security. I'm willing to bet that a large number of accounts here use the same password for their registered e-mail, and who knows where else. Facebook, Twitter... it's in the best interest for FFR to be upfront and alert people to what happened.

In fact, I'd argue that it's their moral responsibility.

Re: FFR Hacked.
 

Lol admins pls respond

I guess it just being like "yo bro we got haxked pls change passerino thnx" when you log in would be ok

I mean like, I used an email to register for this in 2007 and I don't even remember what the email is anymore to be honest

Re: FFR Hacked.
 

I keep up with the latest data breaches. I remember the huge leaks. I was part of Dropbox, Adobe, Tumblr, Linkedin, Nihonomaru, FFshrine, MyDigitalLife.info, Hongfire... all notified users and forced password resets.

Granted, most of those are larger companies, but those last few are forums, some smaller then FFR, some larger. The longer it takes to address, the more risk people are at for being affected.

Re: FFR Hacked.
 

Nah I 100% understand your argument.

On the bright side, I wonder if emails would bring people back lol, like oh that game.. I guess I could try it again

To be fair though to the staff, #1 that post isn't gonna write itself, I know it's just a simple thing I guess but it's easier said than done, #2 the staff is working on new site as prawn said earlier (hype, I wish yall staff would talk about new stuff more, get the hype comin)

Not only that, but I completely believe they wouldn't know about it until now.. For example, Google "FFR leak" or whatnot.. Can you explain why all the news articles about it are from like, Sept 6th? Actually on inspection it looks like some of them are auto generated sites pulled from some leak data, which would explain why people only know now..

To me it's a really bold assumption to say "it's been 8 months.." I mean, it's not like it's a matter of going "oh damn I knew I should have checked the logs, would you look at that! Someone ran the download algorithm on the backend hexadecimal to get the intranet to parse" like how would you even begin to know you were breached, you'd have to know how it happened, be looking for it and stuff.. Like shit man this sites written with php, I asked my artificial intelligence prof today if we could use Web languages like php and they were like "you can use any server side language, except php"

Re: FFR Hacked.
 

FFR emails end up in my spam folder. They probably end up in other people's spam folder. An email alert will likely not work.

-o24

Re: FFR Hacked.
 

there's a difference between doing these things that are more resource/time-intensive than what coolgamer is asking for, and doing nothing. social engineering has to happen on both ends if that's what you really want. i see no version of this where you can say staff is handling this well.

Re: FFR Hacked.
 

It's been two days since this thread was made, and there have been a couple staff posts in the thread on the subject. The first we heard about this breach was this thread. Nothing in our logs indicates that it happened, given it was months and months ago. We needed to investigate it, assess what it meant and look at our options. I've got a post just waiting for some others to look at before I can put it out. So please, just a small bit more patience.

Re: FFR Hacked.
 

Thank you for keeping us up to date at least. Trust me, I wasn't trying to sound like a whiner or anything.

Re: FFR Hacked.
 

Hello everybody.

As some of you may have seen from the forums, the website haveibeenpwned.com is reporting that there was a breach of FFR in February of this year, resulting in the compromising of Usernames, Email Addresses and IP information, as well as Salted MD5 password hashes. Further, the Vigilante.pw twitter feed claims that as of July of this year, a large majority of those accounts had their passwords successfully cracked into plaintext.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away. We actually have no evidence on our side of this breach, but there's no reason to doubt muiltiple sources reporting it, so we need to treat it like it is fact.

What it means for FFR passwords is a little more complicated. Some levelling with you is going to happen now.

Due to various issues (Mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we'll be able to upgrade the security architecture in any especially meaningful way. As well, while in 2008, salted MD5 hashes were fairly secure, that has become less so as time passes. We are investigating ways to store passwords more securely that are still compatible with our existing systems, but in the near-term in today's information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.

Out of the salted hashes compromised in the breach, nearly 400,000 of them remained uncracked. Those were users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked, sufficiently strong passwords are at least some deterrant to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass to generate you very strong passwords unique to each source. If you don't want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblence to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i etc).

While we are definitely sympathetic to anybody who had passwords compromised that are used in any other places, please do understand that the first we heard about this breach was when it was posted in the forums, and investigation on our end needed to happen to try and confirm the reports, assess what happened, and try to figure out where we actually stood with regards to our options, and that we haven't been trying to avoid, ignore or otherwise not address these issues by mostly remaining quiet up until now.

We apologise for the effort in changing passwords this is going to cause, and any alarm caused by our taking a few days to assess before saying something.

Devonin and the FFR Team

Re: FFR Hacked.
 

it's been a long time since i poked around an ACP as well, but i feel like the forum backend has some option like "prompt password change on next login" for things like this. either that, or it can be enforced through usergroups. the more things you can stick in front of people's faces to get them to take action, the better. what worries me, though, is someone on staff probably looked for that already, and if there's seriously no ACP function to handle this then VB is some staggeringly horrible software

like, it's one thing to say "change your passwords everyone" - which has come up several times now, but only in this thread in the forums - but another to actually require it, at least as a short-term stopgap while devs are at work doing something

Re: FFR Hacked.
 

Multiple people with a far better understanding of how FFR's backend works have strenuously advocated for -not- attempting a forcible password reset for the users. I tend to want to trust their judgment.

In what I'm sure is a shockingly large number of cases, the email address tied to people's accounts is years out of date and non-functional, which would mean your password gets reset, you have no way to get back at it, and you'll have to make a new account just to ask us to reset it manually for you.

Re: FFR Hacked.
 

hmm, okay, i get that. it just seems really counterintuitive to me, is all. certainly counter to my intuition.

Re: FFR Hacked.
 

I can say for sure I haven't been pwnd I looked on leak source and have I been Pwnd and it seems like this email hasn't been hit at all it's clean but my other account Lord S Snake has been but it uses a password that I haven't used in like 7 years lol so it's all good on my end

If I recall this account has been made some time in January 2016

2015-10-09 It's said my other account got compromised and that is before February Obviously so if I can guess what happened the hack didn't happen in February but on 2015-10-09 then the info got released in Feb 2016 that's my guess I'm very confused about this to be honest

Re: FFR Hacked.
 

What are the names of those other FFR accounts?

Re: FFR Hacked.
 

I said "Lord S Snake" has been compromised it's my old account that I do not use any more for personal reasons this one I am using now hasn't been

Re: FFR Hacked.
 

what people think FFR does:




what FFR actually does:

Re: FFR Hacked.
 

I don't think anybody uses a different e-mail for every site they go to, so what measures do I take when my general e-mail account has been breached on 2 occasions? (my username hasn't for some reason)

Re: FFR Hacked.
 

Well it's 2016 things like this do not surprise me tbh that's why it's best to use a different password for everything important

Re: FFR Hacked.
 

Others knowing your email address doesn't do them much good if they don't also know the password. Having a strong -different- password for your email account than you do for the places where you provide that email account is the best way to keep that secure.

Plus so many places just happily display your email plaintext as part of user profiles etc that having emails grabbed in a breach barely means anything beyond showing them where to try attacking next with your password if they get your password.

That's why using unique passwords for each place is so important (and why password managers exist so you can wrangle having 20 or 30 different passwords)

Re: FFR Hacked.
 

Hate to necro an old post, but this is now relevant. I recently received this. This conveniently validates that this leak occurred and someone got their hands on the data and is wiling to act on it and lastly that the data was either stored in plaintext or that it was not properly salted/hashed as they obviously decrypted it. Notice they "sent from" Saik (my name up to the number, likely poor parsing) and attached my password for FFR at the time.

http://saik0.com/imgs/FFR_hack.JPG (Non-US people might not be able to see this image, sorry)

This *WAS* my password to this site some years ago and is no longer. It was a throwaway password for services that weren't that important to me(mostly just played for fun and didn't care about statistics of plays... I have probably 2 or three other accounts that were older with lost statistics). They are trying to extort people based on lies... So just another day on the internet. If you were part of this data breech and you get one of these, validate your passwords have been changed (any that were similar to the one leaked) and then don't worry. Shit like this is false, they don't have a "pixel" nor do they have a video of you. People who do this sort of stuff generally aren't skilled enough to manage to do things like that.

The Email address itself is spoofed, and you're unable to reply to it which is a shame, cause I love trolling people who try this stuff. The email header suggests that the route it came from originates in Russia, but with proxies and stuff these days that means virtually nothing. The full route is

(apparent origin) Russia > Belgium > Kansas, USA > Japan (Yahoo SMTP servers)

Re: FFR Hacked.
 

no worries, this is like one of the best reasons to necro

i endorse password change advice anytime

Re: FFR Hacked.
 

man these arrows are so erotic. i just cant take it anymore!!!!

Re: FFR Hacked.
 

why not upload the image to like imgur, I'm missin out here in Canada

Re: FFR Hacked.
 

Because while it's an old password, it's still personally identifiable and there might be an account somewhere I own that is still using that password or some guessable permutation that I haven't found/changed since like 12 years ago... If I host it on my own web-server I can control it (like I am already) and even remove it.

I like owning my own data...

But since this is a more international site than most of the places I visit, here you go. https://imgur.com/a/jtmXUVL

For the covered information in the imgur url is "Saik" "Gunfire" and "E"
I covered the E so that people don't accidentally give that address some funds.

Re: FFR Hacked.
 

Whoa :0

Re: FFR Hacked.
 

I'd know that was fake immediately if it were sent to me cuz I do not have good taste

Re: FFR Hacked.
 

this is like the episode of black mirror where that [redacted] pees his pants

Re: FFR Hacked.
 

Do things like that even work? Who doesn't masturbate, let's be honest
I wish something like that would happen to me to keep my life a bit more interesting.
How cool would that be? few years down the road ...

Me - "Yeah, some dude hacked my webcam and took a video of me masturbating and told me if I didn't pay $5000 he was gonna leak it to everybody I know"
Friend - "Wow, so did you pay it?"
Me - "HELL NA, EVERYBODY SAW MY PP BRUH HAHAHA"

Re: FFR Hacked.
 

What if you dont have a webcam hooked up, then what?