User Security Compromised, including e-mails and passwords!

[Rumple Foreskin]

But not on this forum, on another one I visit. So don't worry too much.

I don't know what to do though, another forum that I visit was taken down by its hosting company and all that is left is the owners root directories. Deep in these directories is a list that I found that has over 1000 names and passwords for every person who ever registered on that site!

I wasn't sure if the info was valid or not so i went to hotmail and punched in a couple of the email accounts and passwords and sure enough they are all legit! I logged in on all attempts and had complete access to all accounts AND personal information!

Surely something should be done, or someone notified that all that sensitive information is sitting right there for anyone to take. I would be SOOOO pissed if one of those accounts was mine.

I'm not a bad person, but someone who was could easily log into someones email, then look through emails for account registration info... like ebay or something.. then log in there and get credit card info or anything.

What should I do?

 

[Danny]

Oh my, tricky situation.

I'd consider reporting it on a non-emergency police number, I'm sure they'll have a crack team of people who can remove it.

 

[Omnis]

PM me the info.

No, seriously, that's bad. What kind of forum uses/stores email and email passwords though?

 

[Rumple Foreskin]

It was a forum where you could rent private game servers, and I guess they got caught running an illegal WoW server and the site got dropped by the host. All that is left is the admins PHP page, which is left logged in. Anyone can go onto it right now and put up anything they want, or change anything they want.

I thought about calling the police but I don't want to get caught up in any legal situations.

 

[Rumple Foreskin]

Here's what I'm looking at.


http://server6.theimagehosting.com/image.php?img=Untitled.650.jpg&album=0&fullsize=1

 

[Omnis]

Okay, but how can people get into their email accounts unless their forum pass is the same as their email pass?

 

[Rumple Foreskin]

People are using the same password for both accounts. Like I said, I tried 10 different people and ALL had the same password for their forum account AND their email account.

I'm guilty of using the same password for over 30 different sites and accounts too. Im sure a lot of people just use one password instead of trying to remember many different ones for many different sites.

I know I'm not the only one.

 

[Duke]

I'm sure the hosting company has contact information. You should call them or shoot them an email and tell them this is currently open. They may have a problem with the site owner, but they could be open to problems themselves for leaving this info unsecured. They'll probably take it down if you let them know.

 

[Pako]

"oops" might be a slight understatement.

Can you tell if the passwords are encrypted? Find your username, is the password scrambled up? Even in a MySQL DBase, passwords can be encrypted. I would contact the hosting company ASAP.

 

[Omnis]

People are using the same password for both accounts. Like I said, I tried 10 different people and ALL had the same password for their forum account AND their email account.

I'm guilty of using the same password for over 30 different sites and accounts too. Im sure a lot of people just use one password instead of trying to remember many different ones for many different sites.

I know I'm not the only one.

Well this is precisely why you shouldn't do that. At least add a unique prefix to your "standard" password.

 

[Rumple Foreskin]

I never registered. I only visited the forum to read a FAQ that one of the members created.

Now that the forum is down people have jumped over to another one and are having a hay-day with this info.

The hosting company finally took down the info, but it is WAY too late. Full lists have been printed on other forums now. People are having fun exploiting all of this.

Anyone who was registered at Ulti-serv.com better start changing there account passwords now before it's too late.

 

[Sniffs]

*chuckle*
i just went through this a couple months ago.

it's the PHP board format. it's exploitable. we had to switch to the format used by THIS board.

here's my thread https://www.gtplanet.net/forum/showthread.php?t=103092

 

[ferrari_chris]

Unencrypted passwords. Such a basic mistake.

Why oh why!?

 

[laszlo]

How stupid could one be for not encrypting passwords? some people need to learn the art of encryption before they consider opening another site (whomever that site owner maybe).

 

[Blake]

Uh, wow… how can you not encrypt passwords? That is just unbelievable…

 

[Sniffs]

Uh, wow… how can you not encrypt passwords? That is just unbelievable…

again, it's the PHP format. it's easily hackable.

 

[Blake]

again, it's the PHP format. it's easily hackable.

I meant from a developer’s point of view. The passwords weren’t encrypted at all before being written to the database, and that is stunningly bad practice.

 

[ferrari_chris]

again, it's the PHP format. it's easily hackable.

But even is the DB is 'easily hackable', they can't hack the MD5.

 

[Sniffs]

any superhack can hack anything.

there's a movie on it's 25th anniversary about an early hack that sent the world near armageddon, and a "thinking" computer complicated things even more.

no, if there's a program out there, there WILL be someone who figures out how to hack it