Security

Hacker Steals 1.6 Million Accounts From Top Mobile Game's Forum (zdnet.com) 30

Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game "Clash of Kings," making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    He's a criminal and deserves to be outed. If you steal people's personal information, you deserve the retribution that comes from doing so.

  • IP addresses (which can often determine the user's location),

    So now an IP address can be used to determine a person's location yet people on here whine about how an IP address can't be traced to someone accused of child pornography or stealing music/movies.

    Would be nice if you people would make up your minds.
    • by Anonymous Coward

      A location is not the same as identifying a single person legally as the perpetrator of a crime / action (if we temporarily ignore people who live on their own, who would therefore be the individual most likely to be accessing the Internet within that location).

    • child pornography or stealing music/movies

      Those are interesting things for you to group together.

      Why not, "child pornography or going 7 mph over the speed limit"? Or, "child pornography or carrying an ice cream cone in your back pocket"?

      You might want to figure out the whole moral equivalency thing. You're doing it wrong.

      • I would say the IP address along with the other information provided (Since usernames, emails, and passwords can contain very important information like DOB, Nickname, and name) helps you narrow down to a specific person. Just an IP cannot really tell you a user, but an IP with other information can.
        • I know a lot of people that allow the browser to remember their passwords so that when I walk up to the system and go to a webpage I become them?
          • Of course not, but I'm saying if your login account is Jon.Doe1975@gmail.com with an IP in Generic Small Town, Kentucky, there's a good chance the account owner is most likely the 40 something year old guy named John Doe that lives in that town. That doesn't mean the person using it was that person, but generally that is the case. Not something that holds up in court, but is useful for social engineering.
      • by AmiMoJo ( 196126 )

        Those are interesting things for you to group together.

        The GP didn't group them, the world did. The two most common cases of IP addresses being falsely equated with an individual identity are overzealous law enforcement going after suspected paedophiles and overzealous lawyers going after alleged copyright infringement.

        It's interesting that both groups use the same lie to get what they want.

    • iplocation.net gives me four locations for my IP. None of them are correct and the nearest one is 3 miles away from me.

    • by ADRA ( 37398 )

      "People on here" didn't write the article.

      IP addresses released have many uses.
      Some blocks are almost certainly traceable because they're allocated based on ISP pools for geographic areas. Often, the traceroute of the IP's upstream internet gateway will at least give a city for the individual(s), though even that's a best guess. They are entirely locatable for the ISP/upstream provider assuming you can legally compel them to provide it.

      What I assume you mean is that we say that an individual's IP isn't st

    • Person's location: Starbuck's on 7th Street.
      Person's name: John Smith.

      See how "Starbuck's on 7th Street" and "John Smith" are the exact same text?

      Oh, wait.....

    • by Maritz ( 1829006 )

      Would be nice if you people would make up your minds.

      Who are you addressing? Everyone on Slashdot? D'you think it makes sense to do that?

      You realise location in this sense is probably geographical? Probably not right down to the exact address?

  • They should have locked the server in a bathroom closet. That way if they get hacked there are no consequences.
    • Yeah, but the taxpayers would have to pay billions of dollars to fund the resulting 3-year witch hunt.
  • seems to have become a sporting event - yes, I can do it I am the king.

    What's a person gonna do with a million of data records - maybe sell it or is it just a proof of "concept"?

    Seems weird, guess there are nicer things to do than sticking your mind for hours and days into something like this.

    • What's a person gonna do with a million of data records - maybe sell it or is it just a proof of "concept"?

      Very often people reuse the same passwords and user names over a swath of accounts. Not always, but often enough that knowing a gaming account that should be "throw away" or at least not the same as your Amazon or Banking account... can get a fraudster in the door and clean you out.

      • by AmiMoJo ( 196126 )

        This seems to be a hard problem to solve. On the one hand we want our favourite user names, on the other as much anonymity as possible. We want to avoid compromising one site to allow compromising other sites, but we also want to stop trolls and spammers creating new accounts too easily. We want people to remember their login details so they can use the site, but also use unique and hard to crack passwords.

  • Hashing and salting makes your breakfast taste better ... but you shouldn't use the same salt for every password.

    You have to use a UNIQUE SALT for every password and then have a WORK FACTOR of some large number (use the bcrypt library). That makes it much harder to crack all the passwords in the database because the attacker can't make a thing called a rainbow table easily .. which is basically a list of possible passwords hashed with the salt. Oh yeah when they enter the password check that the user do

    • You have to use a UNIQUE SALT for every password and then have a WORK FACTOR of some large number (use the bcrypt library).

      Yup, a slow and hard to brute force hash would have been good (other example: PBKDF2, Scrypt and the latest competition winner Argon2)

      Sadly people are still using SHA-1 as a password hash (a hash function designed purposely to be fast and simple, which has the advantage of being able to be useful even on small hardware like smart cards - but is easy to brute force on dedicated hardware (GPU, FPGA) as proven by bitcoin's proof-of-work system, and is therefore a bad solution for *password* hashing)

      Public key ba
