Data Security Breach 2 - Please Update Your Passwords

AllenCaspe9510 · 2019-07-22 09:33:06

My Email is fake, do i still need to change my password?

Nebula · 2019-07-22 09:34:50

AllenCaspe9510 wrote:

My Email is fake, do i still need to change my password?

Then you need to contact EE Staff to change your email to an actual one

capasha · 2019-07-22 09:52:28

Not only accounts got leaked. There is a new reporting document too. 114846 of lines from the report document.
I hate when these get leaked because you can't be anonymous when reporting other people.

peace · 2019-07-22 10:26:22

ok so i com eback to a down game gg check if my acc was affecte dnope bu ri p phina

Snowester · 2019-07-22 11:19:05

minam wrote:

How are the passwords stored on EE?
Is it just on a plain text file?
Just curious.

FYI, passwords are stored by PlayerIO and they're hashed so nobody can read them. However few people were speculating that it was something to do with the main site.

Gosha

Andymakeer · 2019-07-22 11:29:38

aw **** here we go again...

Blackmask · 2019-07-22 11:38:29

cool

Filip2005 · 2019-07-22 12:23:19

Good point not to play EE:U, thank you Xenonetix.

Ironic edit: Xenonetix owes us money.

AllenCaspe9510 · 2019-07-22 12:26:40

If my gems are gone again, I'm gonna riot

Charlie59876EE

Filip2005 · 2019-07-22 12:39:54

AllenCaspe9510 wrote:

If my gems are gone again, I'm gonna riot

You don't need gems at this moment of time, futile.

peace · 2019-07-22 13:24:47

updatin pass once again but how? if i can tlogout of ee lol

Anatoly · 2019-07-22 16:20:48

minam wrote:

How are the passwords stored on EE?
Is it just on a plain text file?
Just curious.

If we look at the forums case', Diff thought me that passwords are not stored, they are hashed. You can only ...

Edit: Oh ****, my internet broke up and contents of this post were lost, basically here is what I explained shorten:
- Passwords are and should be hashed: You can get the hash from the password, but not the password from the hash.
- Passwords are stored in another table (read about sql e.g. to understand what I mean with table) isolated from all other data.

capasha · 2019-07-22 16:42:45

Anatoly wrote:

If we look at the forums case', Diff thought me that passwords are not stored, they are hashed. You can only ...

Edit: Oh ****, my internet broke up and contents of this post were lost, basically here is what I explained shorten:
- Passwords are and should be hashed: You can get the hash from the password, but not the password from the hash.
- Passwords are stored in another table (read about sql e.g. to understand what I mean with table) isolated from all other data.

Looks like you know everything about hashing a password. You can still get the password from a hash if you use dictionary list with rules or such.
Or just bruteforcing it with rules. How else do you think the password database at HIBP have been leaked with normal passwords? Yes cracking.

Even if the password is strong, it still could be cracked. In the old days did I and other use CPU power to crack hashes. Then a bit later did it come GPU cracking.
If you have many GPU's it will increase the speed of cracking hashes really fast. The best thing is salted hashes, but most time does even the salt leak and we are back to crack the passwords really fast.

peace · 2019-07-22 18:48:17

passwords should not be able to be leake din anyway not wiht a dictonary not wiht anythign at all simple this is not for EE only tho

TapPineapple · 2019-07-22 19:44:18

that moment when your account got hacked...

Charlie59876EE

Anatoly · 2019-07-22 19:47:08

Staff, any comments?

Maybe instead if claiming to have fixed the holes, its time for you to reveal all cards.
Maybe im wrong and it would be wrong to make ee open source, but honestly, EEs security just cannot be made worser.

Add atilla, remod gosha, take over the security of the forums.
What i see - false hopes. Poor Patrons who actually lost their money for nothing.

You are in a situation where you cannot claim it’s not your fault. its not playerio, currently, its YOUR fault.
Wheres EEU progress? Soem videos where someone says what he did? Better than nothing, but actually nothing.

Now you, xenonetix, “dont tell me what i should have done, tell me what i can do”
I told you earlier to do something, cant remember when, but im sure you responded: Where? I told you, you ignored, now im in fact telling you what you should uabe done if you dont listen the what you should do part. remod phinarose (or who was the girl who was demodded?

Im hopeless about this game. the death timer has started, its not changeable.

had fun with you, ee is dead)

Charlie59876EE

Anatoly · 2019-07-22 19:51:56

capasha wrote:

Anatoly wrote:
If we look at the forums case', Diff thought me that passwords are not stored, they are hashed. You can only ...

Edit: Oh ****, my internet broke up and contents of this post were lost, basically here is what I explained shorten:
- Passwords are and should be hashed: You can get the hash from the password, but not the password from the hash.
- Passwords are stored in another table (read about sql e.g. to understand what I mean with table) isolated from all other data.
Looks like you know everything about hashing a password. You can still get the password from a hash if you use dictionary list with rules or such.
Or just bruteforcing it with rules. How else do you think the password database at HIBP have been leaked with normal passwords? Yes cracking.
Even if the password is strong, it still could be cracked. In the old days did I and other use CPU power to crack hashes. Then a bit later did it come GPU cracking.
If you have many GPU's it will increase the speed of cracking hashes really fast. The best thing is salted hashes, but most time does even the salt leak and we are back to crack the passwords really fast.

Good point. I also agree that there is no perfect security, but we need to mention that EE’s one is special.

I mean, you can crack one account with that, not hundreds.
Also interesting to see, ee leaks passwords only in a period of time, how that?

Tomahawk · 2019-07-22 19:58:54

Merged the post above this one with the main thread.

Different55 · 2019-07-22 21:37:53

Anatoly wrote:

take over the security of the forums.

Sorry, what?

mrjawapa · 2019-07-22 21:52:09

Different55 wrote:

Anatoly wrote:
take over the security of the forums.
Sorry, what?

Lmao yeah let's give xeno authority over the forums. I'd like to have my forum info leaked too.

Norwee, Slabdrill

den3107 · 2019-07-22 22:44:42

mrjawapa wrote:

Different55 wrote:
Anatoly wrote:
take over the security of the forums.
Sorry, what?
Lmao yeah let's give xeno authority over the forums. I'd like to have my forum info leaked too.

Think he means copying the security the forums uses. Having said that, security generally doesn't work in a copy-pasta manner since well... You have frameworks that either did it for you, or you have to work around to get it fixed.

Anatoly wrote:

capasha wrote:
The best thing is salted hashes, but most time does even the salt leak and we are back to crack the passwords really fast.
I mean, you can crack one account with that, not hundreds.

He talks about that whenever hashed passwords are lost, that the salts are generally leaked too, essentially giving them the same crack duration as an unsalted one.
Having said that, it's not that hard to crack unsalted SHA256 hashes (one of the most common used method, although methods like bcrypt are rising).
With that, an attacker can generally crack a hash in under 10 seconds. Well, within a day he'll probably have all EE accounts cracked (unless I'm gravely underestimating the amount of accounts EE has).
+ I'm fairly certain EE doesn't salt their stuff... There're honestly way to many companies that don't salt their hashes, even bigger companies (think Yahoo didn't up until 2016).

Anatoly wrote:

Also interesting to see, ee leaks passwords only in a period of time, how that?

This is likely a part where either packets are intercepted, or something like log files have been retrieved.
Likely they have no access to the actual database, but somehow somewhere they're able to get the information of everybody that logs in during their attack. I believe that's much like how the previous attack functioned too (although likely using a different exploit).

Processor · 2019-07-23 02:08:57

Hacker got access to a staff' playerio account.
PlayerIO hashes the passwords, however, they are stored in plaintext in your browser (as long as you tick "stay logged in").
With access to the account, hackers could export the Reports table.
Its not so easy with account passwords...

Three possibilities:
1. Hackers replaced the site contents (paths: changed DNS records / changed site contents / changed SWF file (<- most likely scenario))
2. Hackers found an XSS exploit in the flash (very unlikely)
3. The staff log your password in a database themselves (maybe to migrate users to EEU), the hacker just had to export this database

LukeM claimed that the only person having access to the game swf is Xenonetix. However, the leak specifically thanks LukeM for making the hack possible.
Both 1. and 3. leave traces, so we can rule out Scenario #2 by checking the source code. Can someone do that please?

Possible fixes:
- Never store passwords in plaintext
- Never get hacked as staff by using secure passwords

I got a peek at the used passwords by Xenonetix and bytearray and both were terrible passwords that could have been easily guessed.
While these passwords were likely not the same ones used on PlayerIO, they show you the general approach staff takes with security.

Luke told me it is too much work to replace the system with a session token based one, as the flash game is getting replaced anyway.

Slabdrill, Joeyjoey65, Charlie59876EE, Notcarksss

KingN24 · 2019-07-23 04:39:04

woohoo im compromised. im screwed.

XxAtillaxX · 2019-07-23 05:14:58

Processor wrote:

Three possibilities:
1. Hackers replaced the site contents (paths: changed DNS records / changed site contents / changed SWF file (<- most likely scenario))
2. Hackers found an XSS exploit in the flash (very unlikely)
3. The staff log your password in a database themselves (maybe to migrate users to EEU), the hacker just had to export this database
LukeM claimed that the only person having access to the game swf is Xenonetix. However, the leak specifically thanks LukeM for making the hack possible.

I know a bit more about Player.IO security after having audited it for Yahoo, and there's a little more worth noting.

Player.IO does infact hash passwords, and it does convert to lowercase prior to hashing, which rules out any ridiculous compromise of Player.IO (especially there were 800 out of the 1,000,000+ accounts shared, majority of which were active within the last few days) and Henrik is a very security focused person, unlike the majority of the staff in Everybody Edits.
Player.IO does not always store timestamps for changed files in GameFS as far as I'm aware; see the FTP upload option. I believe this remains true, although it could have changed since. I haven't looked into it.
Player.IO does store CSRF tokens in the URL of admin dashboard, so if someone were to be using TeamViewer or any remote screen sharing software with someone else who had been compromised and revealed that URL to them, it is possible that they could have had been tricked into visiting a page with XSS and that token to execute an attack. Yahoo refused to add cross domain headers to prevent doing this when I reported it, since apparently it's a fringe case but it's likely still possible in very targeted scenarios.

Nonetheless, my personal security-minded opinion is that it's overwhelmingly likely the case that one of the staff members have been compromised in some way shape or form and these attacks are being intentionally obscure and random as to disguise the fact that they've discovered a way to backdoor one or several of the developers. I would strongly advise the staff members to audit their personal security, which is the most reliable and weakest link, rather than diddling their thumbs and simply waiting for the drama to die down.

St1ckS4m(EE), Joeyjoey65, SirJosh3917

Anatoly · 2019-07-23 05:27:22

Different55 wrote:

Anatoly wrote:
take over the security of the forums.
Sorry, what?

i mean the way forums handle passwords is safer thenthe games way

Official Everybody Edits Forums

#26 2019-07-22 09:33:06

Re: Data Security Breach 2 - Please Update Your Passwords

#27 2019-07-22 09:34:50

Re: Data Security Breach 2 - Please Update Your Passwords

#28 2019-07-22 09:52:28

Re: Data Security Breach 2 - Please Update Your Passwords

#29 2019-07-22 10:26:22

Re: Data Security Breach 2 - Please Update Your Passwords

#30 2019-07-22 11:19:05

Re: Data Security Breach 2 - Please Update Your Passwords

#31 2019-07-22 11:29:38

Re: Data Security Breach 2 - Please Update Your Passwords

#32 2019-07-22 11:38:29

Re: Data Security Breach 2 - Please Update Your Passwords

#33 2019-07-22 12:23:19, last edited by Filip2005 (2019-07-22 12:49:01)

Re: Data Security Breach 2 - Please Update Your Passwords

#34 2019-07-22 12:26:40

Re: Data Security Breach 2 - Please Update Your Passwords

#35 2019-07-22 12:39:54

Re: Data Security Breach 2 - Please Update Your Passwords

#36 2019-07-22 13:24:47

Re: Data Security Breach 2 - Please Update Your Passwords

#37 2019-07-22 16:20:48, last edited by Anatoly (2019-07-22 16:23:00)

Re: Data Security Breach 2 - Please Update Your Passwords

#38 2019-07-22 16:42:45

Re: Data Security Breach 2 - Please Update Your Passwords

#39 2019-07-22 18:48:17

Re: Data Security Breach 2 - Please Update Your Passwords

#40 2019-07-22 19:44:18

Re: Data Security Breach 2 - Please Update Your Passwords

#41 2019-07-22 19:47:08

Re: Data Security Breach 2 - Please Update Your Passwords

#42 2019-07-22 19:51:56

Re: Data Security Breach 2 - Please Update Your Passwords

#43 2019-07-22 19:58:54, last edited by Tomahawk (2019-07-22 22:44:20)

Re: Data Security Breach 2 - Please Update Your Passwords

#44 2019-07-22 21:37:53

Re: Data Security Breach 2 - Please Update Your Passwords

#45 2019-07-22 21:52:09

Re: Data Security Breach 2 - Please Update Your Passwords

#46 2019-07-22 22:44:42

Re: Data Security Breach 2 - Please Update Your Passwords

#47 2019-07-23 02:08:57, last edited by Processor (2019-07-23 02:41:49)

Re: Data Security Breach 2 - Please Update Your Passwords

#48 2019-07-23 04:39:04

Re: Data Security Breach 2 - Please Update Your Passwords

#49 2019-07-23 05:14:58, last edited by XxAtillaxX (2019-07-23 05:15:55)

Re: Data Security Breach 2 - Please Update Your Passwords

#50 2019-07-23 05:27:22

Re: Data Security Breach 2 - Please Update Your Passwords

Board footer