Heartbleed fun at AATG

Edit: removed the links.

If you have an account here older than 2 years it has been compromised.

If you have the same password you use for AATG attached to either your username or email address on any other site, change them now.

Better change your passwords, chaps!

~dirtbox

Ugh, thanks for letting us know.

I wouldn't bother changing them just yet though, just change the passwords on any other sites that are the same.

This site's database apparently stores them all in plain text and can be brute forced at any time for a fresh new list of current passwords until Hairy puts some sort of encryption in place.

Well, I picked a good day to remember AATG exists...

Glad I don't use that password elsewhere!

Whatever you say, ceilingtom!

Thanks for the heads-up!!

Had to change a few passwords, but nothing too worrying!

odd, can't see my email on there. Which is a defunct lineone.net addy :)

btw, in the interim should we all change our passwords to Russian boys love cock?

Hah, you wish you guys were still interesting enough to spy on.

In reality, I do tend to wander into here once a month or so, when bored. First time in quite a while there's been anything going on, and it's a security leak. Wheeeeeeeee.

Ignore the pastebin, it's just a gmail scrape and doesn't contain anything sensitive.

If your account is older than 2 years, it's on the russian site.

Yo.

First things first, the site passwords are not saved in plain text in the database. They're hashed and salted but it appears the encryption was broken.

I'm not entirely sure what I can do about this to be honest. What I can tell you is that the site's database and hosting have all changed since this happened with new usernames and password applied to the hosting and database.

Obviously you should all change your passwords. If anyone else has any other suggestions on how I can better protect against this then I'm all ears.

Well you can start by sending out a group email, BCCing everyone's email attached to their aatg account, explaining the situation and suggesting they change any password that is attached to that username or email that is the same as AATG's.

Changing their AATG password is pointless now, it's everything else that is vulnerable.

And you need to change your encryption to SCRAM-SHA-1 or something that includes the username along with the password before the MD5crypt hash.

I'm pretty sure I emailed all users when I first got wind of this a couple of years ago, actually. It's one of the things that prompted me to change hosts in the first place. Although I've just had a look in my sent mail folder and can't see any evidence of it.

If I can't find evidence to confirm I did do this once already then I'll do it again.

I didn't hear anything about that.

You knew about this for 2 years?

ed: just checked my email, you didn't let me know and I've searched the site and there's no thread about it. Also no mention on EG.

I don't know what to make of this.

I will look into that as it's not something I've come across before.

I'm also going to have to try and decipher Shivoa's code as he's the one that wrote the login/registration script in the first place.

Sounding like a stuck record here, but I just need to clarify - are you saying you knew about this for 2 years but didn't tell anyone else that was effected?

It's odd that neither of my accounts emails seem to be in the pastebin output. Perhaps it's intercepting login cookies on the server, and then viewing the profile using that cookie to get the email (and undoing the obvious email obfuscation therein), and since I've barely been on the internet these past few weeks mine's not been scooped (until today, oops).

But no offense, it seems a little unlikely that some of those old-timers were regularly visiting here, or am I wrong?

On the other hand, perhaps the passwords were cracked by brute force. I've not checked the russian forum thread, so I don't know what they claim they've got. But my password here should be realatively easily brute forced, provided they found my username somewhere (if they were logging in via the web front end, user id gets you nowhere, it's user name you need). If they were brute-forcing via the http server, it should be relatively easy to spot in your logs though.

Those seem the most obvious vectors to me that fit the fact they don't seem to have found my email address: sniffing session cookies by something installed either on the server or close to it (but that wouldn't give them passwords), or brute-forcing the web interface (but that would be in the logs). Or, thinking about it, if they got close enough to sniff cookies, they could be close enough to watch for form submits containing people's passwords in the clear, though again, I doubt all those people are actually logging on (rather than relying on non-expiring cookies) to get onto aatg all that regularly.

Ignore the pastebin. In fact I'm going to remove both links from the OP now.

Why? It show(ed) (some of) what they know.

Can you quote the salient claims from the russian forum? I'd like to know what they reckon they can do - that would help inform Hairy on what to tighten up specifically.

Edit: To be clear, removing the links is the right thing to do.

The pastebin was just a list of gmail addresses scraped from the list that was on the other site, the similarity ended there.

oh dear

Hello everybody peeps. Have checked my two accounts here and both use email accounts that are no longer in use/have been deleted. The passwords also are no longer in use so all good. I hope. Hope you're all well!

I'm saying I caught wind of this ages ago and immediately changed internet hosts, database servers, usernames and passwords and I'm pretty certain I sent an email to all email address in the AATG database advising people to change their passwords.

It's old news, it's just that for whatever reason, some of you guys got wind of it today. But obviously if people have concerns and fears then it would be remiss of me not to address them.

So how come not one person knew anything about it until I stumbled across that thread, which I should add is one of many across many hacker boards.

What usernames and passwords did you change?

I spoke to Shivoa to double check (seeing as he's the guy who wrote the back end for the login) and he hadn't heard anything either.

Who did you tell?

All we could find was one random mention that you were changing hosts.

I changed usernames and password for site FTP, databases and control panel login.

I didn't mention it on here because I didn't know, and still don't know, the full extent of the problem, and wanted to avoid creating any un-necessary concern. If it's just a list of email addresses, which is all I've ever seen, then it's not as bad as it could be.

Obviously none of it is ideal, and obviously I want to do everything in my power to address the issue. But I can do nothing about what's out there.

I can manually change everyone's passwords and force everyone to change it...

I didn't speak to Shivoa about it because I didn't think it was right to trouble him about code he wrote 8 years ago and probably has little recollection of.

We can have an inquisition later, but for now can you just clarify if my password to this site is posted on a Russian forum? And if so, can you tell me what password it is Hairy? I've changed it in the last two years so have no way of knowing, and I can't work out how to see what my password is on the site.

Well.

There is a list of some 2-300 of your users on various low life sites of everyone's account details, the passwords may be hashed and salted, but the encryption can, and has been brute forced by anyone with the patience or knowhow and if only a couple of those people use the same password for their all purpose email then they are boned.

Every single email address on your list of users needs to be told immediately, and I hope you have all your disclaimers and T&Cs in place and legally correct, because if anyone has lost anything, then you're likely liable for damages.