Mother Of All Breaches

[Obsidian]

According to this article, there was a recent data breach that has potentially exposed billions of records across a significant number of websites across the internet. As you may be able to infer from this post, Doomworld is among the websites listed.

 

 

In the wake of this breach, changing your DW password is highly recommended to protect your account from potential hijacking. Be sure to check the linked article to see if any other websites you frequent may been affected.

[Shepardus]

The article says that most of the data is compiled from past breaches, so the Doomworld data is likely that from the 2022 breach. Can't say for sure though. If you're using a password manager (which you should) changing your password and using different passwords for different sites shouldn't be much trouble anyway, so may as well.

[DNSKILL5]

Can’t wait for all the airline travel spam posts to return!

[rita remton]

i once read a post from an admin/mod that hackers could not possibly get user passwords because in doomworld the passwords are in "hash", therefore the passwords are safe? i don't know what "hash" means though in such context (for clarification, the only "hash" i know are "hash browns", "#" sign and "hash tags").

Edited January 27 by rita remton

[SilverMiner]

45 minutes ago, rita remton said:

i don't know what "hash" means though in such context

There is a function, to which a password is feeded and the func's output is hash.

The hash is stored.

The user's input is hashed and the result is compared to what's in the database.

If they equal - success, not - fail

[DavidN]

1 hour ago, rita remton said:

i once read a post from an admin/mod that hackers could not possibly get user passwords because in doomworld the passwords are in "hash", therefore the passwords are safe? i don't know what "hash" means though in such context (for clarification, the only "hash" i know are "hash browns", "#" sign and "hash tags").

 

Tom Scott explains it really well! A hash is the result of a function that's performed on your password before it's stored - unlike encryption, the transformation is one-way so you can't retrieve the original password by looking at the hash. So an attacker might not know your password, but there are some other vulnerabilities described in the video.

 

 

[Hebonky]

Well that sucks! welp, time for a new password!

 

I also think doing a phone verification or a code from something like google authenticator can help minimize damage.

[TheMagicMushroomMan]

I bet you it was that fucker 4chan again.

[SleepyVelvet]

Tachyeres pteneres

 

It still doesn't hurt to change your password though if you're up to the effort.

[esselfortium]

FYI, this is apparently the same Doomworld breach from 2022, not a new one.

[fraggle]

On 1/27/2024 at 11:10 AM, rita remton said:

i once read a post from an admin/mod that hackers could not possibly get user passwords because in doomworld the passwords are in "hash", therefore the passwords are safe? i don't know what "hash" means though in such context (for clarification, the only "hash" i know are "hash browns", "#" sign and "hash tags").

The brief summary is that any competently-run websites do not store passwords, only a big random number that is generated using your password (called a hash). It's why you always have "password reset" rather than something like a "show me the password I forgot" option - the website is literally incapable of telling you what your password is. If the hashes are leaked, an attacker can try running millions of guesses against them to see if they can discover any passwords. But it's slow and requires a lot of computing power. If you use a weak password it's easier to crack.

[Rudolph]

I tried searching for my current Doomworld password on Have I Been Pwned, but nothing came out of it. Does that mean I am in the clear?

[Kinsie]

23 hours ago, Rudolph said:

I tried searching for my current Doomworld password on Have I Been Pwned, but nothing came out of it. Does that mean I am in the clear?

As previously mentioned, the data that was leaked (over a year ago!) was encrypted hashes that'd probably require state-sponsored amounts of computing power to crack. You should be fine, but if changing your password makes you feel better, then go ahead.

[Biodegradable]

These giant password/data leak/breaches are becoming insanely common at this point. I change all my passwords for my most frequently used accounts/visited sites annually now because I don't trust the integrity of the security of any major website these days.

Edited January 31 by Biodegradable

[DoomPlayer00]

Joke's on the hackers, I changed my password from 123Password to 321Password. That'll show 'em!

[DiceByte]

19 hours ago, DoomPlayer00 said:

Joke's on the hackers, I changed my password from 123Password to 321Password. That'll show 'em!

Jokes on you, now we know your new password! And we have already done horrible things using your account! :3

[ClumsyCryptid]

On websites where I don't care about the account get assigned my most pwned password.

[Dark Pulse]

Looks like I changed my password right after the breach, so if it's still the same data, even if someone got my password out of it, it'd be functionally worthless to them.

[DoomGater]

I was going to change my password to "P3n1s" but system says, my password is to short.

Edited February 13 by DoomGater

[JoeyKelastiof]

So if you recently registered on the forum, you don't need to change the password?

[Murdoch]

2 hours ago, JoeyKelastiof said:

So if you recently registered on the forum, you don't need to change the password?

 

Correct, but given that the stolen data was password hashes, not passwords, it's very improbable it's of use to anybody.

[JoeyKelastiof]

Alright, thank you!