Hacker Steals 1.6 Million Accounts From Top Mobile Game's Forum (zdnet.com)
Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game "Clash of Kings," making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.
Why protect the hacker's anonymity? (Score:1)
He's a criminal and deserves to be outed. If you steal people's personal information, you deserve the retribution that comes from doing so.
Hypocrisy at its best (Score:1)
So now an IP address can be used to determine a person's location yet people on here whine about how an IP address can't be traced to someone accused of child pornography or stealing music/movies.
Would be nice if you people would make up your minds.
Re: Hypocrisy at its best (Score:1)
A location is not the same as identifying a single person legally as the perpetrator of a crime / action (if we temporarily ignore people who live on their own, who would therefore be the individual most likely to be accessing the Internet within that location).
Re: (Score:2)
Those are interesting things for you to group together.
Why not, "child pornography or going 7 mph over the speed limit"? Or, "child pornography or carrying an ice cream cone in your back pocket"?
You might want to figure out the whole moral equivalency thing. You're doing it wrong.
Re: (Score:2)
Those are interesting things for you to group together.
The GP didn't group them, the world did. The two most common cases of IP addresses being falsely equated with an individual identity are overzealous law enforcement going after suspected paedophiles and overzealous lawyers going after alleged copyright infringement.
It's interesting that both groups use the same lie to get what they want.
Re: (Score:2)
iplocation.net gives me four locations for my IP. None of them are correct and the nearest one is 3 miles away from me.
Re: (Score:2)
"People on here" didn't write the article.
IP addresses released have many uses.
Some blocks are almost certainly traceable because they're allocated based on ISP pools for geographic areas. Often, the traceroute of the IP's upstream internet gateway will at least give a city for the individual(s), though even that's a best guess. They are entirely locatable for the ISP/upstream provider assuming you can legally compel them to provide it.
What I assume you mean is that we say that an individual's IP isn't st
Re: (Score:2)
Person's location: Starbuck's on 7th Street.
Person's name: John Smith.
See how "Starbuck's on 7th Street" and "John Smith" are the exact same text?
Oh, wait.....
Re: (Score:2)
Person's location: Starbuck's on 7th Street.
Person's name: John Smith.
But Starbucks has started banning IPs associated with hacking and child pornography.
I suspect due to your knowledge of the subject, you are a pervert.
Errr....what? Did you even read what I posted?
How does Starbucks ban 192.168.3.192, when it's on their internal network? I mean all 35 people in the coffee shop are going to share a single public IP address. If it's been "associated with hacking and child pornography," as you put it, then Starbucks is going to start banning themselves. That makes no sense.
Re: (Score:2)
Would be nice if you people would make up your minds.
Who are you addressing? Everyone on Slashdot? D'you think it makes sense to do that?
You realise location in this sense is probably geographical? Probably not right down to the exact address?
All this collecting and hacking (Score:2)
seems to have become a sporting event - yes, I can do it I am the king.
What's a person gonna do with a million of data records - maybe sell it or is it just a proof of "concept"?
Seems weird, guess there are nicer things to do than sticking your mind for hours and days into something like this.
Re: (Score:3)
What's a person gonna do with a million of data records - maybe sell it or is it just a proof of "concept"?
Very often people reuse the same passwords and user names over a swath of accounts. Not always, but often enough that knowing a gaming account that should be "throw away" or at least not the same as your Amazon or Banking account... can get a fraudster in the door and clean you out.
Re: (Score:2)
This seems to be a hard problem to solve. On the one hand we want our favourite user names, on the other as much anonymity as possible. We want to avoid compromising one site to allow compromising other sites, but we also want to stop trolls and spammers creating new accounts too easily. We want people to remember their login details so they can use the site, but also use unique and hard to crack passwords.
hashing and salting (Score:2)
Hashing and salting makes your breakfast taste better ... but you shouldn't use the same salt for every password.
You have to use a UNIQUE SALT for every password and then have a WORK FACTOR of some large number (use the bcrypt library). That makes it much harder to crack all the passwords in the database because the attacker can't make a thing called a rainbow table easily .. which is basically a list of possible passwords hashed with the salt. Oh yeah when they enter the password check that the user do
SHA-1 probably... (Score:2)
You have to use a UNIQUE SALT for every password and then have a WORK FACTOR of some large number (use the bcrypt library).
Yup, a slow and hard to brute force hash would have been good (other example: PBKDF2, Scrypt and the latest competition winner Argon2)
Sadly people are still using SHA-1 as a password hash (a hash function designed purposely to be fast and simple, which has the advantage of being able to be useful even on small hardware like smart cards - but is easy to brute force on dedicated hardware (GPU, FPGA) as proven by bitcoin's proof-of-work system, and is therefore a bad solution for *password* hashing)
Public key ba
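
The per-password salt and work factor discussed in the two comments above, as an added example that is not part of any poster's comment: it uses PBKDF2 from Python's standard library (one of the alternatives named above) instead of bcrypt, which needs a third-party package. The record format, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor (assumed value; tune to your own hardware)

def weak_hash(password: str, site_salt: bytes) -> str:
    """The pattern warned about above: fast SHA-1 with one shared salt."""
    return hashlib.sha1(site_salt + password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random salt for every password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Salt and work factor are stored beside the hash so they can change later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record
        return False

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was stored with a lower work factor than the current one."""
    return int(record.split("$")[1]) < iterations

if __name__ == "__main__":
    site_salt = b"constructed-site-salt"  # constructed sample value
    # Two users with the same password: a shared salt makes the reuse visible.
    print(weak_hash("hunter2", site_salt) == weak_hash("hunter2", site_salt))
    # Unique salts give unrelated records, so each one must be attacked alone.
    alice, bob = hash_password("hunter2"), hash_password("hunter2")
    print(alice != bob, verify_password("hunter2", alice))
```

On login, a record for which `needs_rehash` returns true can be replaced with a fresh `hash_password` result once `verify_password` has succeeded, which raises the work factor without a password reset.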