Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Bitcoin Privacy The Internet Games Technology

Password Data For About 2.2 Million Users of Currency, Gaming Sites Dumped Online (arstechnica.com) 25

Password data and other personal information belonging to as many as 2.2 million users of two websites -- one a cryptocurrency wallet service and the other a gaming bot provider -- have been posted online, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service. Ars Technica reports: One haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contains data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases include registered email addresses and passwords that were cryptographically hashed with bcrypt, a function that's among the hardest to crack.

The person posting the 3.72GB Gatehub database said it also includes two-factor authentication keys, mnemonic phrases, and wallet hashes, although GateHub officials said an investigation suggested wallet hashes were not accessed. The EpicBot database, meanwhile, purportedly included usernames and IP addresses. Hunt said he selected a representative sample of accounts from both databases to verify the authenticity of the data. All of the email addresses he checked were registered to accounts of the two sites. [...] While there were 2.2 million unique addresses in the two dumps, it's possible that corresponding password hashes or other data isn't included with each one.

This discussion has been archived. No new comments can be posted.

Password Data For About 2.2 Million Users of Currency, Gaming Sites Dumped Online

Comments Filter:
  • Hey Rick! (Score:5, Funny)

    by Rick Schumann ( 4662797 ) on Wednesday November 20, 2019 @02:07AM (#59434186) Journal
    Hey Rick, you should use cryptocurrency, it's more anonymous and safer!
    Hey Rick, you should go cashless, it's safer and more convenient!
    Hey Rick, you should pay for everything online, it's safer and more convenient!


    yeah, sure, great idea, absolute genius.
    • Why the ACTUAL FUCK are the trolls and spammers targeting *me* today?
    • > yeah, sure, great idea, absolute genius.

      114 151 146 145 40 151 163 40 163 157 40 155 165 143 150 40 145 141 163 151 145 162 40 167 150 145 156 40 171 157 165 20031 162 145 40 156 165 155 142
  • Dammit (Score:4, Funny)

    by Tablizer ( 95088 ) on Wednesday November 20, 2019 @02:19AM (#59434196) Journal

    also includes two-factor authentication keys

    Now they know the maiden name of my first dog's car.

    • by gweihir ( 88907 )

      also includes two-factor authentication keys

      Now they know the maiden name of my first dog's car.

      They do? You are obviously totally screwed now!

    • also includes two-factor authentication keys

      Now they know the maiden name of my first dog's car.

      Ah, I see they are using the classical WTF pattern "wish-it-was-two-factor authentication".

      • Implementing real 2-factor is too expensive for many of these businesses as it requires real user support (human beings taking the calls) for when it fails (because real users lose one, or forget the other, etc...)

        Outsourcing this task doesnt help either, as even though this can significantly lower cost, it will then be susceptible to, what will inevitably become rampant, social engineering.

        Still further, do you think that RuneScape site has any "employees?" I doubt it. The company is just a bot author
        • Using automated phone message services is fairly cheap for businesses to use. However, it only really works for things you have to use like bank accounts and utilities. If people had to go through the phone code thing for an online game or something, it would get old and it would drive users away.

  • by ledow ( 319597 ) on Wednesday November 20, 2019 @04:08AM (#59434370) Homepage

    Can someone explain to me how entire cryptographic hashes can be stolen of the entire customer base?

    Do these places not make a walled-off authentication server that just supplies either tokens or a yes/no answer, which are the only servers that ever need to contain such details, and access to which should only ever be over such a limited protocol that you're not even capable of seeing the hashes, ever, in any way?

    I get the "someone got into a front-end computer" or even "someone sniffed our users connections" but "someone stole the entire hashed password database" just reeks of someone who's just throwing all the auth into a readable MySQL table of similar and then letting every application just read from that table itself.

    I get that small outfits might well fall foul of it, but anyone handling money, surely not?

    • Ok what happens when you need to backup or migrate the authentication server/data ? There is some exposure there and it is no longer some black box with a limited input output protocol.

      But the real answer is simple, they just don't care about security. From what I've seen at companies what they usually do is cut a lot of corners to build a product as fast as possible, then try to make it better as they go. They tell themselves, 'oh well add that advanced security someday', and it never happens. Out of sight

    • I'd like to know too. I mean unless they didn't use a salted hash. If they used an unsalted hash then they'd be able to crack some of the hashes with a rainbow table.
  • Firstly, you have to give them your email address. I don't think so...

    Secondly, I think it's pretty safe to assume you've been pwned by default - and if you're worrying about it, then maybe you should have thought about it before reusing the same password all over the internet.

  • Is there a list of the pastebins so I can check for anyone from my domain that has been stupid and caught?

Time is the most valuable thing a man can spend. -- Theophrastus

Working...