A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.
Robert Angelini, the owner of wifelovers. Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites early Saturday morning.
A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites. And as you can see, we are starting to encourage our users to change all the passwords everywhere. Besides wifelovers. The sites offer a variety of pictures that members say show their spouses.
It's not clear that all of the affected spouses gave their consent to have their intimate images made available online. That earlier breach made public the intimate details of 36 million account holders. Within weeks, affected users were receiving emails from unknown people threatening to notify spouses of the infidelities unless the users paid hefty ransoms.
Reports of at least two member suicides soon surfaced. In many respects, the most recent breach is more limited than the hack of Ashley Madison. And even if all 1. Still, a quick examination of the exposed database demonstrated to me the potential damage it could inflict.
Users who posted to the site were allowed to publicly link their accounts to one email address while associating a different, private email address to their accounts. Ars worked with Hunt to confirm the breach and track down and notify the owner of the sites so he could take them down. Normally, Have I Been Pwned makes exposed email addresses available through a publicly available search engine. As was the case with the Ashley Madison disclosure, affected email addresses will be kept private.
Also concerning is the exposed password data, which is protected by a hashing algorithm so weak and obsolete that it took password cracking expert Jens Steube just seven minutes to recognize the hashing scheme and decipher a given hash.
Known as Descrypt, the hash function was created in and is based on the old Data Encryption Standard. Descrypt provided improvements designed at the time to make hashes less susceptible to cracking. For instance, it added cryptographic salt to prevent identical plaintext inputs from having the same hash.
It also subjected plaintext inputs to multiple iterations to increase the time and computation required to crack the resulting hashes. But by standards, Descrypt is woefully inadequate. It provides just 12 bits of salt, uses only the first eight characters of a chosen password, and suffers other more-nuanced limitations.
By limiting passwords to just eight characters, Descrypt makes it nearly impossible to use strong passwords. And while the 25 iterations require about 26 more time to crack than a password protected by the MD5 algorithm, the use of GPU-based hardware makes it easy and fast to recover the underlying plaintext, Gosney said. Manuals, such as this one, make clear that Descrypt should no longer be used. The exposed hashes threaten users who may have used the same passwords to protect other accounts. Have I Been Pwned has disclosed the breach here.
People who want to know if their personal information was leaked should first register with the breach-notification service now. The hack underscores the risks and potential legal liability that come from allowing personal data to accumulate over decades without regularly updating the software used to secure it.
Angelini, the owner of the hacked sites, said in an email that, over the past two years, he has been involved in a dispute with a family member. Angelini, meanwhile, held out the sites as little more than hobbyist projects.
I am telling you this so you know we are not in this to make a ton of money. The message board has been operating for 20 years; we try hard to operate in a legal and safe environment. At this moment, I am overwhelmed that this happened. Thank you.