Doomworld has been compromised.



2 minutes ago, esselfortium said:

More sensationalist bullshit is the last thing anyone needs right now. Good job even cropping all the relevant information out of the announcement to support your fearmongering.

 

My apologies. Here's the full link: https://www.doomworld.com/announcement/4-doomworld-probably-got-hacked/

Edited by DoomBattleZone

18 minutes ago, Graf Zahl said:

Which is completely irrelevant. A computer does not think like a Human, for it an 'A' and a '#' are just different numbers: 35 and 65. They have the same complexity.

Maybe they meant a dictionary attack. I think (because I'm not a security expert) it can be trolled by adding non-English vocabulary or doing weird spelling and punning such as "watdehek!?howispossibirudumworldforoomkanbihecked?" "watt deh hacx!? hou iz possibiru dumworld foroom kan bi hacxed?".

27 minutes ago, Graf Zahl said:

Password guessers cannot afford to make assumptions about passwords - random garbage is so prevalent among passwords in use that this has to be factored in.

If you want to brute-force guess a password against a server that has no protection against such attacks, your random garbage won't help you much - a perfectly reasonable sentence of the same length has the same likelihood of getting guessed. That goes even more so if the hash is weak and the guesser can run locally.

XKCD 936 isn't rare either, and password guessers can also factor that in.

 

27 minutes ago, Graf Zahl said:



But when you use reasonable sentences you can make your password twice as long which increases security by several orders of magnitude.

Unless you use bcrypt, like Doomworld allegedly does, which truncates input passwords after 72 bytes, after which your password length won't help you. And it probably won't help if you admit that the way your password is generated for a site limits it to certain characters (letters, spaces) on that site.

 

But yes, if you know absolutely nothing about the passwords, then they can be effectively the same security-wise (from the attacker's point of view).

 

27 minutes ago, Graf Zahl said:

Which is completely irrelevant. A computer does not think like a Human, for it an 'A' and a '#' are just different numbers: 35 and 65. They have the same complexity.

I'm glad you think so highly of yourself, but if I had to produce four random common words for a password, I'd probably trust words.txt pumped into a Python script much more than whatever words just come to mind.

Edited by DrinkyBird

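As an added illustration (not code from the thread, nor from Doomworld's forum software), the script below puts numbers on the two password styles argued over above and models the 72-byte bcrypt limit DrinkyBird mentions. The word list is a constructed stand-in for the "words.txt" in the post, and the 7776-word list size used for comparison is an assumption about a typical Diceware-style list.

```python
"""Added example: entropy of word-based vs. character-based passwords, and a
model of bcrypt's 72-byte input limit. Not code from the thread."""
import math
import secrets

# Constructed stand-in for words.txt; a real list would be read from disk.
WORDS = ["correct", "horse", "battery", "staple", "imp", "cacodemon",
         "archvile", "revenant"]

BCRYPT_MAX_BYTES = 72  # bcrypt ignores input bytes beyond this point


def make_passphrase(words, count, sep=" "):
    """Pick `count` words uniformly at random with a CSPRNG, i.e. the
    'words.txt pumped into a Python script' approach from the post."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices_per_symbol, symbols):
    """Bits of entropy when each of `symbols` positions is drawn uniformly
    from `choices_per_symbol` options. This is the attacker-knows-the-scheme
    figure: a memorable sentence only reaches it if its words were chosen
    at random, not if they form likely English."""
    return symbols * math.log2(choices_per_symbol)


def expected_guesses(bits):
    """Average number of guesses for an offline attacker: half the keyspace."""
    return 2 ** bits / 2


def bcrypt_effective_input(password):
    """Model the truncation the post describes: only the first 72 bytes of
    the UTF-8 encoding influence the hash, so anything after adds nothing."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def indistinguishable_to_bcrypt(a, b):
    """True when two passwords would hash identically under that model."""
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


if __name__ == "__main__":
    # Four words from a 7776-word list vs. eight random printable ASCII chars.
    print(f"4 random words (7776-word list): {entropy_bits(7776, 4):.1f} bits")
    print(f"8 random printable ASCII chars:  {entropy_bits(95, 8):.1f} bits")
    long_a, long_b = "x" * 72 + "tail-one", "x" * 72 + "tail-two"
    print("bcrypt treats the two long passwords as equal:",
          indistinguishable_to_bcrypt(long_a, long_b))
    print("sample passphrase:", make_passphrase(WORDS, 4))
```

Run it to see that four randomly chosen words from a large list land in the same ballpark as eight random characters, and that two passwords differing only after byte 72 are the same password as far as bcrypt is concerned.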
19 minutes ago, Dragonfly said:

...what?

The forum the breach was posted in has a cute default avatar for new users :P


Certainly changing your password is a good idea but the bottom line is even if they break the hash, so long as your password was unique to DW, it's of no use to anyone. What are they going to do, log in and start insulting everyone? It does not give them a lot of power.

 

1 hour ago, ClumsyCryptid said:

Two factor authentication can easily be compromised via a MM attack.

 

MM? Do you mean man in the middle or something else? They might be simple on paper, but they actually require targeting a specific victim, so executing one successfully requires a combination of foreknowledge of a lot of things and contact with the end user. Possible, particularly if the user is a bit technically naive, but still not exactly easy to pull off in reality in my opinion. So I sincerely doubt such a thing applies in this specific instance.

13 minutes ago, Andromeda said:

The forum the breach was posted in has a cute default avatar for new users :P

Maybe :p

10 minutes ago, prower said:

What's worse: this, 9/11, or Doom Eternal?

 

Argh, it's the Ghost of Doomers Past!

33 minutes ago, Edward850 said:

Is this like a bot or something? Why are you posting a link to Doomworld in Doomworld at a moderator? None of your actions are making any sense.

 

Good points. I redacted my post. The link has the full details so it can probably stay.


Ok, so I have involuntarily been signed out from my account twice over the last hour, and I received an email in my mailbox from Doomworld informing me that somebody from a location that isn't mine has attempted to log into my account three times before DW locked down the account. This isn't good, right?


Are we going to get a notification like the red banner when it gets fixed (or a pinned thread)? Because I want to change passwords, but I read that doing it now wasn't recommended because the problem isn't fixed yet.

43 minutes ago, prower said:

What's worse: this, 9/11, or Doom Eternal?

 

I don't know, but whoever did this must be mad at the site. And the site's security must've been super-hard to crack.

 

But whoever did 9/11 might've been mad at the site, too.

 

Wait a minute... this is giving me a clue.

24 minutes ago, Gregor said:

Ok, so I have involuntarily been signed out from my account twice over the last hour, and I received an email in my mailbox from Doomworld informing me that somebody from a location that isn't mine has attempted to log into my account three times before DW locked down the account. This isn't good, right?

Geolocation based authentication is not a system Doomworld has. Do you mean someone failed to guess your password 3 times? That's hardly a problem; that means they don't know your password. Furthermore, if your account was locked, how are you even posting?

19 minutes ago, Edward850 said:

Geolocation based authentication is not a system Doomworld has. Do you mean someone failed to guess your password 3 times? That's hardly a problem; that means they don't know your password. Furthermore, if your account was locked, how are you even posting?

It was locked for 10 mins; that's the standard time. I don't know what you mean by Doomworld not having geolocation - I don't wanna spread panic. All I know is that I got an email from Doomworld where they informed me that my account had been unsuccessfully accessed from a location in my country that is not anywhere near my address (I'm not using a VPN), and that DW subsequently timed out the account. They asked me if I recognize the location and so forth. When I went back to Doomworld to check, I found that I was signed out of my account, though I could sign back in because the time out had already expired. I had already been signed out of my account by someone or something about 30 mins before that, though I hadn't received an email then. I thought at first it might be some kind of repair work going on, but the second sign out makes me suspicious, especially in combination with the email.

Edited by Gregor


To help ease some of the panic people might be feeling, I have a little past experience in this very thing: some time in 2017, my old forum experienced a very similar hack where usernames and passwords were supposedly lifted. My old forum even used the exact same forum software, so we had a similar if not the same level of password encryption. We even managed to find the hacker's Twitter account, where we surmised from their tweets that, much like Kinsie implied in an earlier post, the hacker did it not out of malice but for the sheer hell of it, to simply prove their own hacking skills to themself. After the hack (which changed the homepage to an obnoxious music video for a little while) was restored, nobody reported any subsequent hacking by way of account breaches for the rest of the forum's lifespan. We all changed our passwords to be on the safe side and nothing happened further.

 

As for the leaked database being posted elsewhere, no doubt that has shocked a fair few of you and I don't blame the panic, that's normal. We've all heard the horror stories that happen with victims of identity theft. The important thing to consider is that the encryption tech this forum uses has protected your passwords from being immediately exposed. I'm not going to pretend I understand how the encryption data stuff works intimately, but fortunately our community is filled with technowizards like Edward, Graf and such who we can turn to for answers to help us understand. In the meantime, the best thing we can all do as users is to simply change our passwords. While some can argue that the encryption means your old password isn't immediately exposed, that doesn't necessarily mean it'll be impenetrable forever. If you used a unique password for Doomworld and have not made it your password for literally anywhere else, you'll be fine. Incidentally, by changing our passwords, wouldn't that render the leaked database inherently useless? [Anyone can correct me on that, it's just a theory on my part.] It's best to be on the safe side. I change all my unique passwords annually and, while I've been on sites that have been breached in the past with the exact same level of things leaked, I've never had anything important compromised. I'd already changed my DW password several hours ago before writing this post.

 

While this hacker went one step further than my old forum's hacker did by posting the leaked database on some dumb hacker site on the clearnet of all places, my old forum was much like Doomworld: a hobby discussion board completely devoid of useful information for thieves. Doomworld is simply a forum where we talk about and make Doom content. This isn't a giant crypto wallet website or something along those lines. There's really nothing of monetary value worth stealing here, and any enterprising cybercriminal is going to easily recognise it as a big nothing-burger and not bat an eyelid. Unless someone here was silly enough to write their banking details in the About tab of their profile page, I'm confident we're all going to be fine.

 

Change your passwords and keep them unique.

2 hours ago, Murdoch said:

MM? Do you mean man in the middle or something else?


At first I was thinking that MM Attack stands for Memento Mori Attack. heh


This is a real shame. I'm a very new member of this community and so far I had the best experience. Hope this incident does not ruin this.
1 minute ago, 7Mahonin said:

I almost shot clue glue all over my computer. 

Oh dear god, FUCK that episode and fuck the stupid repetitiveness of masturbation innuendo. good lord.
