Hack On 8 Adult Websites Exposes Oodles of Intimate User Data (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it's not clear how many of the addresses legitimately belonged to actual users.

Robert Angelini, the owner of wifelovers.com and the seven other breached sites, told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to them. He said he didn't know how or why the almost 98-megabyte file contained more than 12 times that many email addresses, and he hasn't had time to examine a copy of the database that he received on Friday night. Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites early on Saturday morning. A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites.
The affected sites "offer a variety of pictures that members say show their spouses," reports Ars. "It's not clear that all of the affected spouses gave their consent to have their intimate images made available online."
  • >> user passwords protected by a four-decade-old cryptographic scheme

    Did he just say "MD5"? I thought we're only at 36 years...
    • by EvilSS ( 557649 )
      No, you said MD5. If you RTFA you would see they were talking about an older, even more insecure algo.
      • >> If you RTFA

        On SlashDot? You must be new here. Summary or it didn't happen.
      • I asked my wife if she wanted me to buy our dog some Algo and she said, "No. Algo get it"

        The Internet was invented by Algo.

        Don't mod me d o w n ... Bruce ...

    • Did he just say "MD5"? I thought we're only at 36 years...

      md5 is not so good, but not that bad.

    • Did he just say "MD5"? I thought we're only at 36 years...

      I believe it's 56 bit DES.

    • by Anonymous Coward

      For those of you who didn't RTFA:

      Known as Descrypt, the hash function was created in 1979 and is based on the old Data Encryption Standard. Descrypt provided improvements designed at the time to make hashes less susceptible to cracking. For instance, it added cryptographic salt to prevent identical plaintext inputs from having the same hash. It also subjected plaintext inputs to multiple iterations to increase the time and computation required to crack the outputted hashes. But by 2018 standards, Descrypt is woefully inadequate. It provides just 12 bits of salt, uses only the first eight characters of a chosen password, and suffers other more-nuanced limitations.

      “The algorithm is quite literally ancient by modern standards, designed 40 years ago, and fully deprecated 20 years ago,” Jeremi M. Gosney, a password security expert and CEO of password-cracking firm Terahash, told Ars. “It is salted, but the salt space is very small, so there will be thousands of hashes that share the same salt, which means you’re not getting the full benefit from salting.”

      By limiting passwords to just eight characters, Descrypt makes it nearly impossible to use strong passwords. And while the 25 iterations require about 26 more time to crack than a password protected by the MD5 algorithm, the use of GPU-based hardware makes it easy and fast to recover the underlying plaintext, Gosney said. Manuals, such as this one, make clear Descrypt should no longer be used.

      The manual that shows how horrendous this scheme is, is this one: https://passlib.readthedocs.io/en/1.6.5/lib/passlib.hash.des_crypt.html

      • "By limiting passwords to just eight characters, Descrypt makes it nearly impossible to use strong passwords."

        No, it makes it completely impossible to use strong passwords.

        Password strength is due in part to the address space, and an 8 character password has far less address space than, say, a 30 character password.

        All other things being equal, an 8 character password is always going to be easier to crack than a 30 character password.
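        As an added example (not from the Ars article, the passlib manual or anyone in this thread), a small Python audit that recognises the 13-character descrypt shape in a `user:hash` dump, measures how many records share each 2-character salt (the "thousands of hashes that share the same salt" problem Gosney describes), and shows the 8-character truncation the reply above points out. The sample records are constructed; the hash bodies are arbitrary crypt-alphabet strings, not real hashes.

```python
import re
from collections import Counter

# Traditional DES-based crypt(3) ("descrypt") hashes are exactly 13 characters
# from the crypt alphabet: a 2-character salt (12 bits) followed by 11
# characters encoding the 64-bit DES output. Modular-crypt hashes carry a $id$ prefix.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
SALT_SPACE = len(CRYPT_ALPHABET) ** 2  # 64 * 64 = 4096 possible salts


def is_descrypt(h: str) -> bool:
    """True if the string has the shape of a legacy descrypt hash."""
    return bool(DESCRYPT_RE.match(h))


def effective_password(password: str) -> str:
    """descrypt builds its 56-bit DES key from the low 7 bits of the first 8
    characters only; anything after position 8 never influences the hash."""
    return password[:8]


def expected_per_salt(n_hashes: int) -> float:
    """Hashes per salt value if salts were drawn uniformly from the 12-bit space."""
    return n_hashes / SALT_SPACE


def audit(lines):
    """Parse 'user:hash' records, count legacy vs. modular hashes, measure salt reuse."""
    per_salt = Counter()
    modern = 0
    for line in lines:
        _user, _, h = line.strip().partition(":")
        if is_descrypt(h):
            per_salt[h[:2]] += 1          # first two characters are the salt
        elif h.startswith("$"):
            modern += 1
    return {
        "legacy": sum(per_salt.values()),
        "modern": modern,
        "distinct_salts": len(per_salt),
        "max_per_salt": max(per_salt.values(), default=0),
    }


# Constructed sample dump (not breach data); alice and bob share the salt "ab".
SAMPLE = [
    "alice:abJnggxhB/yWI",
    "bob:abX3o4lE5mq2k",
    "carol:Zq7Hn.uG8eKd6",
    "dave:$6$constructedsalt$constructedhashbody",
]
```

Run `audit(SAMPLE)` to see three legacy records on two salts; `expected_per_salt(1_200_000)` shows that a dump the size of this one would average roughly 293 hashes per salt even with perfectly random salting.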

  • by forkfail ( 228161 ) on Monday October 22, 2018 @08:21AM (#57516741)

    "A recovered 98MB file underscores the risks of trusting personal info to strangers."

    Well, perhaps.

    Or maybe it should read:

    "A recovered 98MB file underscores the risks of doing things that will destroy your reputation and marriage."

    • by robsku ( 1381635 ) <robsukedaisukeNO@SPAMgmail.com> on Monday October 22, 2018 @08:35AM (#57516795) Homepage

      Both are correct.

    • Re: (Score:3, Insightful)

      by pgmrdlm ( 1642279 )
      What a tight ass. Jesus, don't let that prude thinking of yours chase away everyone that might even have thoughts of sex with another person. Even if they are not married or with a significant other. God forbid that sex would cross a person's mind.
      • by PPH ( 736903 )

        everyone that might even have thoughts of a sex with another person

        I think about that several times an hour. On a slow day.

        The thing is: I don't act on thoughts without prior permission from my wife. And then I don't have an urge to go snapping pictures of the deed. Never mind sharing them with all but a few trusted third parties. And then never using a platform that I have little or no control over.

        In my experience with the polygamous lifestyle, people who don't protect their personal lives are worse than careless. They are actually seeking out tragedy.

        Sex is

      • Given the porosity of the Internet, it's more like fucking in public.

    • Or maybe it should read:

      "A recovered 98MB file underscores the risks of doing things that will destroy your reputation and marriage."

      There's a lot of truth in that.

      I find it easy not to fuck up my marriage with affairs simply by not having affairs. It's so easy not to have an affair, and yet apparently it's beyond the ability of so many people.

  • Since it was only 98 megabytes the pluralization is the correct way to reference the unit.

  • Use a standard measurement so everyone can understand FFS. OK, fine, how many Library of Congresses are there in an oodle?
  • by nospam007 ( 722110 ) * on Monday October 22, 2018 @09:18AM (#57517015)

    Only my bank login is traceable to me, for the rest I use aliases. Even my ISP thinks I'm my cat.

  • by Oswald McWeany ( 2428506 ) on Monday October 22, 2018 @09:18AM (#57517019)

    If you have an account for one of those sites... why on earth would you use your real e-mail address?

    Why do you need a user name?
    This is what burner e-mail addresses were created for anyway.

    • Yeah, Mr Fake (fake@fake.com) ought to be really worried his wife is going to find out...
      • by DeBaas ( 470886 )

        Yeah, Mr Fake (fake@fake.com) ought to be really worried his wife is going to find out...

        wait until he finds out his wife has been faking it for years too!

  • Because that would be outrageous.
  • by nukenerd ( 172703 ) on Monday October 22, 2018 @10:55AM (#57517591)

    What idiot would give their real name and their normal e-mail address on a web-site like that?

  • Started doing this years ago.

    Personal email and banking passwords are a phrase.

    Forum, Adobe, special software sign-on passwords are something simple and always different. I've had to change this password often over the past 10 years. My banking and personal email ones not so much.

  • Megabytes? (Score:5, Funny)

    by jythie ( 914043 ) on Monday October 22, 2018 @11:30AM (#57517861)
    Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.
    • Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

      Yep. 89 megabytes is maybe two cat pictures and a Microsoft Word document with the "Hello" in it.

      • by mjwx ( 966435 )

        Am I the only one amused that a piece is actually talking in gasped horror at 'megabytes' of data exposed? It just isn't a scale that you hear used much in outrage much anymore.

        Yep. 89 megabytes is maybe two cat pictures and a Microsoft Word document with the "Hello" in it.

        I get the joke... But an 89 MB CSV file holds quite a bit of data.

        If this guy is a half decent "hacker", even a half decent script kiddie, he won't be using Word (which I agree has become a bloated piece of crap, I mean an even more bloated, bigger piece of crap).

  • it's just Darwin's law
