Password reset: 45 million creds leak from popular .com forums

Some 45 million logins for 939 popular sites including motorcycle.com, autoguide.com, and mothering.com have been stolen. The method of attack and the actor responsible are unknown, although many of the sites ran vastly outdated and hackable versions of vBulletin. Usernames, email addresses, IP information, and passwords are …

  1. RIBrsiq
    WTF?

    "The second most popular password was '18atcskd2w' used by 91,103 accounts, with '3rjs1la7qe' coming in fourth spot used by 74,806 accounts".

    Eh...? How did that happen, then? I know that the answer to this question is what I personally am most interested in.

    Edit: Interesting theories in the video linked.

    1. Anonymous Coward
      Terminator

      I think it is supposed to be evidence of malware having compromised those accounts, but I could be wrong.

      If not that, then it is clear evidence that the Borg are infiltrating the internet.

      1. edge_e

        Looks to me like the password hasn't actually been recovered

        1. Richard 12 Silver badge

          Looks like hash collisions to me

          So enough to get into anywhere using the same salt and MD5, but not anywhere else.

      2. B0rg
        Terminator

        If they insist on using MD5 then Resistance is Futile. You will be assimilated (by LeakedSource)
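The "same salt and MD5" and "hash collisions" theories above are a good place for an added worked example. This is my code, not the article's, any commenter's, or vBulletin's own implementation: it uses the md5(md5(password) + salt) form that older vBulletin releases stored (assumed here), shows that a per-user salt makes one password hash differently for every account, so a dump in which 91,103 accounts share the plaintext '18atcskd2w' reflects cracked identical passwords rather than colliding hashes, and shows a transparent upgrade to PBKDF2-HMAC-SHA256 on the user's next login. The salts, the iteration count and the "$"-separated record format are assumed values for the example.

```python
import hashlib
import hmac
import os


# Legacy scheme assumed for this example: md5(md5(password) + salt), the form
# older vBulletin releases stored, with a per-user salt kept next to the digest.
def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def same_unsalted_digest(a: str, b: str) -> bool:
    """True only if two different plaintexts give the same unsalted MD5 (a real collision)."""
    return unsalted_md5(a) == unsalted_md5(b)


def salted_digests_are_distinct(password: str, salts: list) -> bool:
    """With per-user salts one password yields a different digest for every user,
    so accounts that share a plaintext do not share a stored hash."""
    return len({legacy_hash(password, s) for s in salts}) == len(salts)


# Hardened storage: PBKDF2-HMAC-SHA256, random 16-byte salt, high iteration count.
# The "$"-separated record layout is assumed for this example, not any product's format.
def pbkdf2_store(password: str, iterations: int = 100_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_on_login(password: str, legacy_digest: str, salt: str):
    """Verify against the legacy digest once; on success return a PBKDF2 record
    to replace it, so the fast MD5 form disappears as users log in. None on failure."""
    if not hmac.compare_digest(legacy_hash(password, salt), legacy_digest):
        return None
    return pbkdf2_store(password)


if __name__ == "__main__":
    # Constructed salts; the password is the second most common one in the article.
    salts = ["aX3", "Q9z", "m7L"]
    for s in salts:
        print(s, legacy_hash("18atcskd2w", s))
    print("distinct per user:", salted_digests_are_distinct("18atcskd2w", salts))
    print("collides with 'password':", same_unsalted_digest("18atcskd2w", "password"))
    record = migrate_on_login("18atcskd2w", legacy_hash("18atcskd2w", "aX3"), "aX3")
    print("upgraded:", record is not None and pbkdf2_verify("18atcskd2w", record))
```

The migration step is the part a forum operator stuck on a legacy schema actually needs: the old digest is checked once, the PBKDF2 record is written back, and the MD5 column can be dropped once the stragglers are force-reset.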

    2. dan1980

      Both of those are 10-digit passwords with only numbers and lower-case letters. Which is interesting, seeing as it's 'random' but not the usual mixture of upper and lower, etc . . .

      I wonder if it is possible that these are a result of an insufficiently random password reset tool?

      Or a site (or several using the same auth back-end) having examples of strong passwords that people just copied.

      1. Anonymous Coward
        Anonymous Coward

        Randomness

        I wonder if it is possible that these are a result of an insufficiently random password reset tool?

        Which is more random:

        sojdlg123aljg

        or

        sojDlg123aljg

      2. Phil O'Sophical Silver badge

        I wonder if it is possible that these are a result of an insufficiently random password reset tool?

        That, or maybe it hashes to the same unsalted MD5 as "password", but being alphabetically earlier shows up first in the list?

        1. Boothy

          They look to be the same format as the 40bit password generator in KeePass 2.

          Examples:

          c39c43258c

          fdb89808bb

          2510e92dce

          etc.

          Perhaps there is a password generating tool out there that just isn't very good, or someone has pre-generated a few passwords, and have hardcoded them into something? (Malware etc).

          1. Rimpel

            keepass

            Not exactly - the built in password generator you refer to is called 'Hex Key - 40-Bit' as per your examples. However the passwords in the article include non-hex letters. So similar, but not the same.

    3. Bob Dole (tm)

      I'd bet money that the majority of those are from accounts created by one of the following:

      - bots designed to infiltrate and post ads; or,

      - admins inflating registered user account numbers

  2. AlexS
    Holmes

    "It is allowing users to search if they are affected, but victims have to pay money to learn what sites of the hundreds contain their breached records."

    Legit ransomware this time?

  3. Mystic Megabyte Silver badge
    WTF?

    what?

    "popular sites including motorcycle.com, autoguide.com, and mothering.com"

    None of which I have ever heard of! Presumably they are USian.

    1. CustardGannet

      Re: what?

      If they were Mercan, surely the last one would be motherf***ing.com ?

  4. PrivateCitizen

    complex

    Are they system generated passwords issued to new users and then never changed (or the user accounts were simply fake and never used)?

    Are they MD5 collisions?

    1. Anonymous Coward
      Anonymous Coward

      Re: complex

      Being a moderator on a large popular forum, I'd suggest spambots are the most likely answer.

  5. Alumoi
    WTF?

    Dang

    I didn't even know I had an account with some of the sites, but my throw-away emails are showing in the search.

  6. PrivateCitizen

    Automated Registrations - Bots

    OK, I am now leaning towards this being more a case of the forums managed here just being drowned in bot registrations.

    A quick search for yagjecc826 (as an example) points to lots of password dumps with user names like:

    brigiduuihleinu

    valerydrighettid

    christelfcostinef

    Further checks associate these passwords / usernames with gmail accounts such as:

    brig.idu.uihlen44@gmail.com

    e.lz.a.h.w.an.g.32@gmail.com

    li.nn.i.ed.0s6@gmail.com

    d.el.ain.a.a.ho.60@gmail.com

    l.y.n.n.sr9.8@gmail.com

    cl.ai.r.eti.m.3.sa.i@gmail.com

    This strongly points towards the forums being swamped with bazillions of bot-users.

    1. Stuart 22

      Re: Automated Registrations - Bots

      "This strongly points towards the forums being swamped with bazillions of bot-users."

      This is really good news. Stopping these spammers by IP/Email/Username is getting really hard when we could just ban these passwords if it is the one credential they are not morphing!

      Well until they cotton on.
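The dotted Gmail addresses listed above and the suggestion of banning the bot passwords both lend themselves to one registration-screening example. The code below is added here and is not from any commenter or forum product; it collapses Gmail dot and plus aliases to a canonical identity (Gmail ignores dots in the local part), flags local parts with an unusual number of dots, and rejects passwords on a deny-list built from the values the article reports. The pairing of the quoted addresses with usernames and passwords, the last three records, and the three-dot threshold are constructed for this example.

```python
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Deny-list of passwords the article attributes to mass bot registrations.
# A real deployment would load this from the breach data rather than hard-code it.
BOT_PASSWORDS = {"18atcskd2w", "3rjs1la7qe", "yagjecc826"}

# Constructed registration records. The Gmail addresses are the ones quoted in
# the post above; their pairing with usernames and passwords, and the last three
# records, are made up for this example.
REGISTRATIONS = [
    {"user": "brigiduuihleinu", "email": "brig.idu.uihlen44@gmail.com", "password": "18atcskd2w"},
    {"user": "valerydrighettid", "email": "e.lz.a.h.w.an.g.32@gmail.com", "password": "3rjs1la7qe"},
    {"user": "christelfcostinef", "email": "li.nn.i.ed.0s6@gmail.com", "password": "yagjecc826"},
    {"user": "jane_rider", "email": "jane.rider@example.org", "password": "correct-horse-42"},
    {"user": "bob", "email": "bob.smith@gmail.com", "password": "Tr0ub4dor&3"},
    {"user": "bob2", "email": "b.o.b.smith+forum@gmail.com", "password": "another-one"},
]


def split_email(addr: str):
    """Return (local part without any '+tag' sub-address, domain), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local.split("+", 1)[0], domain


def canonical_email(addr: str) -> str:
    """Collapse Gmail dot/plus aliases so every variant maps to one identity."""
    local, domain = split_email(addr)
    if domain in GMAIL_DOMAINS:
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"


def screen(reg: dict, seen: dict, max_dots: int = 3) -> list:
    """Return the list of reasons a registration looks automated (empty if clean).
    'seen' maps canonical e-mails to usernames already registered in this batch."""
    reasons = []
    if reg["password"] in BOT_PASSWORDS:
        reasons.append("known-bot-password")
    local, domain = split_email(reg["email"])
    if domain in GMAIL_DOMAINS and local.count(".") >= max_dots:
        reasons.append("gmail-dot-alias")
    canon = canonical_email(reg["email"])
    if canon in seen:
        reasons.append("duplicate-canonical-email")
    seen[canon].append(reg["user"])
    return reasons


def screen_all(regs: list) -> dict:
    seen = defaultdict(list)
    return {r["user"]: screen(r, seen) for r in regs}


if __name__ == "__main__":
    for user, reasons in screen_all(REGISTRATIONS).items():
        print(f"{user:20s} {'OK' if not reasons else ', '.join(reasons)}")
```

The password deny-list check is the one Stuart 22 proposes, and the canonical-email check is what stops a single Gmail account registering under unlimited dotted variants; the dot-count heuristic is only a signal and should feed a review queue, not an automatic ban, because ordinary users do occasionally have dotted addresses.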

  7. Anonymous Coward
    Anonymous Coward

    Hi, it's 18atcskd2w here...

    Who's taking my name in vain?

    1. bharq
      FAIL

      Re: Hi, it's 18atcskd2w here...

      You dummy!

      You know you should never use your name as a password...

      1. AndrueC Silver badge
        Joke

        Re: Hi, it's 18atcskd2w here...

        ..especially when it doesn't contain any symbols.

        1. John Brown (no body) Silver badge
          Coat

          Re: Hi, it's 18atcskd2w here...

          Ah, yes, that would Prince 18atcskd2w here then?

  8. Anonymous Coward
    Anonymous Coward

    Reported this to AG publicly on one of the forums they run with UK coverage yesterday and their whole attitude seems completely meh and they are blaming it on a 3rd-party plugin. I'm not that bothered I'm in the dump because I don't reuse passwords, so meh myself.

    They've half-heartedly started to run through a password reset procedure today and they've managed to reset mine and not tell me the new credentials. That's one way to shut up exposure!

    What gets me the most is this breach happened in Feb 2016, and yet only now, after public prompting, are they even telling people to reset their passwords. And they are not even advising people to reset them elsewhere. Lackluster response so far...

    1. Anonymous Coward
      Anonymous Coward

      Seems you ran out of commas for your post

      Here are a few extra that I had lying around:

      ,,,,,,,,,,,,,

  9. Nunyabiznes Silver badge

    One of the forums I'm active on was breached. The company (VerticalScope if you are interested) controls multiple forums (they went on a buying splurge starting a few years ago) and they have not contacted any of their forum users with the breach news (and they've known for quite a while now) and they are not resolving the base issue of poorly secured registration DBs. Fail.

  10. Alistair Silver badge
    Windows

    hmmmm

    Advertising company perhaps:

    Owns many fora.

    has large data breach

    Data breach reveals numerous (password collision/hash collision etc) indications of massive bot invasion.

    a) company seems not concerned about data breach

    b) company seems not concerned about bot invasion.

    No. Not me cynical. never.

  11. Aodhhan

    Probably...

    Due to the number, this has to do with an application poorly written to provide a 10 digit password which is semi-complex, for either initial registration or password reset.

    I'd go with the latter, if the programmer was lazy. Instead of putting in a random generator to come up with something complex to add it to the database, send out an email, etc. He used a wordlist of around 20-30 preset passwords, which probably rotated.

    This is why you have an independent person check out code before release!
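Both dan1980's "insufficiently random password reset tool" theory and the "wordlist of 20-30 preset passwords" theory above describe generator failures that show up in exactly the statistics the article quotes. The example below is added here and is not code from the article, from any commenter, or from any forum product: it simulates the two flaws (a reset handler that reseeds a PRNG with a constant on every request, and a fixed rotating pool, sized at 30 as an assumed value), a correct CSPRNG-backed generator over the same ten-character lower-case-plus-digits alphabet seen in the dump, and a small audit that a reviewer could run over a batch of issued passwords to tell the cases apart.

```python
import random
import secrets
import string
from collections import Counter

# Character set and length matching the passwords quoted in the article
# (ten characters, lower-case letters and digits only).
ALPHABET = string.ascii_lowercase + string.digits
LENGTH = 10
POOL_SIZE = 30  # size of the "20-30 preset passwords" pool; assumed for this example


def weak_generate(seed: int = 12345) -> str:
    """Simulates a reset handler that reseeds a PRNG with a fixed value on each
    request: every call returns the same 'random' password. Constructed flaw."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


# A pre-generated pool handed out by request number: the other flaw suggested above.
PRESET_POOL = [weak_generate(seed) for seed in range(POOL_SIZE)]


def rotating_generate(request_number: int) -> str:
    return PRESET_POOL[request_number % POOL_SIZE]


def strong_generate() -> str:
    """CSPRNG-backed generator: each of the 36**10 strings is equally likely,
    so duplicates across a user base of any realistic size are not expected."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def audit(passwords, top: int = 3):
    """Return (distinct_count, most_common) for a batch of issued passwords.
    A healthy generator gives distinct_count == len(passwords); a fixed seed
    or tiny pool shows up as a handful of values with very large counts."""
    counts = Counter(passwords)
    return len(counts), counts.most_common(top)


if __name__ == "__main__":
    batches = [
        ("fixed-seed", [weak_generate() for _ in range(1000)]),
        ("rotating-pool", [rotating_generate(i) for i in range(1000)]),
        ("secrets", [strong_generate() for _ in range(1000)]),
    ]
    for name, batch in batches:
        distinct, common = audit(batch)
        print(f"{name}: {distinct} distinct of {len(batch)}; top: {common}")
```

The audit is the check the "independent person" in the post above would run: issue a thousand resets in a test environment and count distinct values. It also applies to a cracked dump, where a few ten-character values each appearing tens of thousands of times is the signature of a broken generator or a bot pool rather than of human choice.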

  12. mike white 1

    Statement On one of the affected forums

    I'm a member of CBRXX.com which is a VerticalScope Forum and the following was posted there by "Admin" last night

    +++++++

    Hey Team,

    Over the next 2 weeks we will be implementing some changes to our forum password strength and password expiration policies. To make sure you continue having the best experience possible on the community, we regularly monitor the site and the Internet to keep everyone's account information safe. We've recently become aware of a potential risk to some accounts coming from outside of this community. Just to be safe, we are implementing the following changes to improve security even further:

    1) We are asking everyone to change their passwords (and will force a one-time reset). Along with every user on the forum, new passwords will need to be more complex, and can't be simple words (sorry, you can't have "fluffy" as your password anymore!). Please use a password unique to this community. Reusing passwords can expose your account indirectly when other websites (Twitter, LinkedIn, Badoo, etc) are compromised; and

    2) Your passwords will expire on a 180 day basis. When you login on the 181st day, you will have to change it. You guys and girls all have the highest level of access in our communities and this will help protect your accounts.

    All other users on the community will have 365 day expirations. We'll also be sending out an email to users to let them know about the changes, in upcoming weeks.

    We are testing and rolling out the changes slowly to ensure that they do not cause unforeseen issues with current plug-ins and products on the site; we will let you all know the day before it goes live.

    I also ask that you help us with ensuring all users are being heard and we are answering everyone’s questions. We will be posting an announcement up to the community shortly and want to keep all chatter about this issue and any potential security issues in one place. If you see a user talking about this topic in a section outside of the announcement, please either move the post, or remove it and direct the user to the original thread. We greatly appreciate your help in this. If you have any questions please post them below.

    Thanks all,

    Helena Barclay

    Community Management

    http://www.cbrxx.com/site-help-suggestions-comments/29182-attention-security-issue.html


Biting the hand that feeds IT © 1998–2019