Hacker site’s incriminating database published online by rival group

myBB. Cracked.to describes itself as a forum that provides “cracking tutorials, tools, combolists, marketplace and many more stuff!” Raidforums, meanwhile, offers forums on many of the same topics.

Ars reviewed a 2.11 gigabyte file published by Raidforums and found it contained nearly 397,000 private messages, many of which aired the kinds of details most hackers strenuously avoid disclosing.

The details included the usernames, email addresses, and IP addresses of people looking to buy, sell, or support software or services for cracking accounts for popular video games.

“Freshly cracked accounts with skins captured,” reads the subject of one message. “How to change email on cracked accounts,” the subject of another says. Other users advertise services for exploiting CVE-2019-20250, a critical vulnerability in the WinRAR file-compression program, which was being actively exploited earlier this year to install a host of nasty malware on vulnerable computers.

It’s likely that many of the people accessing Cracked.to did so from IP addresses anonymized by Tor or some other means. They probably used email addresses and usernames that were also anonymized, or at least pseudonymous. Still, all it takes for law enforcement or rival hackers to pounce is a single slip-up that exposes the wrong IP address. The database posted on Friday should put all of those people on notice.

The dump also serves as a cautionary tale to website administrators everywhere that databases can and will be compromised. It’s still not clear how the database was obtained. Raidforums’ owner, developer, and host, “Omnipotent,” told Ars it was through an “exploit,” but Omnipotent provided no details beyond that. If true, that would likely mean myBB or another piece of software used by the site was hacked. Ars couldn’t rule out the possibility that an administrator password was obtained or that some other means was used.

A top administrator at Cracked.to, meanwhile, claimed in July that “an old person of my trust has forum backups that contains the database and folder files.” A few months earlier, the Cracked.to admin said, the site had converted from the very weak default myBB password-hashing scheme to something much stronger. In light of the breach, the site required users to change their passwords.

It turns out that was a major coup that prevented the breach from being much worse. The new scheme used the industrial-strength bcrypt hashing function with a work factor of 12. That makes it impossible to guess the vast majority of hashes without spending prohibitively large amounts of time and money. Weak passwords could still be cracked, but beyond that, the hashes aren’t of much use. Had Cracked.to continued to use the old scheme, cracking the majority of hashes within a matter of days or weeks would have been trivial.
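To make the work-factor argument concrete, here is an added example in PHP (the language myBB is written in); it is not code from the article or from the myBB project. It assumes that the old default scheme was md5(md5($salt) . md5($password)) with an 8-character salt, which the article does not spell out, and it needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the article or from myBB. Assumes the legacy
// default scheme was md5(md5($salt) . md5($password)) with an 8-character salt
// and compares its throughput with bcrypt at work factor 12.

// Legacy myBB-style hash: two fast MD5 rounds, cheap to evaluate at scale.
function legacy_mybb_hash(string $password, string $salt): string {
    return md5(md5($salt) . md5($password));
}

// bcrypt with cost 12: each hash performs 2^12 = 4096 key-setup rounds.
function bcrypt_hash(string $password, int $cost = 12): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Measure how many hashes per second $fn produces on this machine.
function hashes_per_second(callable $fn, int $iterations): float {
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $fn("candidate$i");
    }
    return $iterations / ((hrtime(true) - $start) / 1e9);
}

// Verify a login against either scheme. On success, return a fresh bcrypt hash
// to store when the stored record is legacy or below the target cost.
function verify_and_upgrade(string $password, string $stored, string $salt): array {
    if (strlen($stored) === 32) {                       // legacy MD5 record
        $ok = hash_equals($stored, legacy_mybb_hash($password, $salt));
        return ['ok' => $ok, 'new_hash' => $ok ? bcrypt_hash($password) : null];
    }
    $ok = password_verify($password, $stored);
    $needs = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return ['ok' => $ok, 'new_hash' => $needs ? bcrypt_hash($password) : null];
}

$salt = 'Ab3dEf9h';                                      // constructed salt
$legacyRate = hashes_per_second(fn($p) => legacy_mybb_hash($p, $salt), 200000);
$bcryptRate = hashes_per_second(fn($p) => bcrypt_hash($p), 20);
$guesses = 1000000;                                      // one modest wordlist
printf("legacy MD5: %10.0f hashes/s -> %d guesses in %.3f s\n",
       $legacyRate, $guesses, $guesses / $legacyRate);
printf("bcrypt(12): %10.1f hashes/s -> %d guesses in %.0f s\n",
       $bcryptRate, $guesses, $guesses / $bcryptRate);
// The ratio, not the absolute numbers, is the point: GPU crackers raise the
// MD5 rate by many orders of magnitude but gain far less against bcrypt.

// Login with a legacy record: verifies, then yields a bcrypt hash to store.
$result = verify_and_upgrade('correct horse', legacy_mybb_hash('correct horse', $salt), $salt);
var_dump($result['ok'], $result['new_hash'] !== null);
```

Running this on a single CPU core already shows a gap of several orders of magnitude between the two schemes; the rehash-on-login path is how a forum can move existing accounts to bcrypt without knowing anyone's password.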

In an interview, the Cracked.to administrator said he regretted the leak, particularly the exposure of private messages.

“With no doubt, private messages being leaked in plaintext is the worst thing about the whole database breach,” the administrator, who uses the handle floraiN, said in an encrypted chat with Ars. “However as a forum owner you can’t really control what people are dealing with in DMs unless you look them up directly in the database.”

He said the IP address of specific private messages was encoded, but that the dump included the IPs of each user’s first and most recent visit. floraiN said those details could still be used to track some users down. The admin, meanwhile, is vowing not to take the breach lying down.

“There will be consequences for the forum that is responsible for distributing the backup and for the person that leaked it,” floraiN said in an update posted on Friday.

Dan Goodin Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.