kamaradski Posted July 12, 2013

Hi all,

Today a lot of us for sure received the same email as me: "Security update from BIS". In this email they explain that the database of their forum (and maybe more?) got hacked and stolen. Meaning that now some hacker out there has a full list of names, emails & encrypted passwords of all members from the BIS forum.

Many of you will now say: who cares, my password is strong & complicated, and BIS saved them encrypted, so no one can read or use this password. WRONG! With a weak encryption scheme it is even possible to use your password on another website that uses the same scheme, without ever having to decrypt your password. (The likelihood this will happen is small though.)

So in this news post I want to bring your attention to the following items:
- What you should do
- Why I am posting this here too
- What normally happens to such lists and how likely it is your password will be hacked

What you should do:
Obviously change all accounts that had the same password.

Why I am posting this here too:
Ahoy didn't get hacked, so surely I don't need to change anything here, right?? WRONG: with the BIS password some hacker might get access to, let's say, your SkyDrive, where you just happen to have stored a document with the password you used on AW. Or this hacker gets enough private details about you to guess that your password here is the name of your cat.... So do change your AW forum password, especially when it is the same as the BIS studio password!!! AND DO IT NOW! Even if it is totally different it will be good to do this every month or so.

The following is informational guesswork based on inside knowledge, and the result of watching many DEFCON videos. The below is not 100% how it will go, but the probability that it will go exactly like the scenario sketched below is however apparent.

The below is a proper example of how an average situation will explain how important it is to change all your passwords that are the same as the stolen one. Also, the below is not to make you scared; however, change those passwords, Scotty!!! (Worst case scenario being that the hackers get access to something like PayPal or eBay accounts, or even access your cloud where you maybe store your online banking details??)

What normally happens to such lists and how likely it is your password will be hacked:
Some background information on what normally happens with such lists, where they go and how they get distributed, and finally how likely it is that the encryption will be broken, and other people will get your password, and eventually control over your details and accounts.

Who does such hacks?
- Nowadays most hackers that are after such databases are (semi)professional, commercially driven hackers (the worst kind).

What will they do now:
This BIS list is now marked as 'zero day' and more often than not will be offered to be sold to: organized crime like the mafia (yes, I am serious here), assorted scamming groups, dodgy advertising companies (that will sell it on to the competition of BIS, or anyone else with interest). It is also normal for such a list to be sold multiple times, and also, after changing hands once, to be sold onward to 3rd, 4th and 5th parties. The price of the list goes down every day it gets older and changes hands more often.

Then what:
So in the first one or two weeks or so, this list is owned by many people already, all with commercial interest. They will have professional equipment and knowledge to hack the passwords (even when salted etc.) and in the first 12 hours roughly 30% of the list will be unencrypted!!!! And remember, these people paid money for this information and thus WILL use it to try to earn their investment back.

Going public:
Normally after a week or 2 the first copy of the list will be distributed on the hacker forums (they keep copies of such lists everywhere). And this is where all the amateurs and hobbyists will have a go at hacking the list. They might or might not use this information, however they are not less dangerous. Since they are the hobbyists they have all the time in the world to play around, and to be creative about what they will do with this information. These are the people that will take the time to find out if your email address was also used for registering on forums, or Facebook, and that will try if the password still works...

Probability your password will be eventually hacked: I would say it is around 95% sure.

So really, go change your passwords.....!!!!!
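As an added example (not from the original post), the point made above about a weak storage scheme: with an unsalted hash, a record stolen from one site is byte-for-byte identical to the record for the same password on any other site using that scheme, so reuse can be spotted without ever recovering the password. A per-user random salt plus a slow KDF is what a site should store instead. The password and salts below are constructed values.

```python
import hashlib
import hmac
import os

# Constructed sample: one user registering the same password on two unrelated sites.
SAMPLE_PASSWORD = "Fluffy2013!"  # constructed, deliberately cat-name-like


def unsalted_hash(password: str) -> str:
    """Weak scheme: bare MD5 of the password. Identical on every site that uses it."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Stronger scheme: per-user random salt + PBKDF2-HMAC-SHA256, stored as salt$digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, _ = record.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def records_match_across_sites(password: str, scheme: str) -> bool:
    """Simulate two independent sites storing the same password; do their records collide?

    For 'unsalted' they always do, which is exactly what makes a leaked list usable
    against another site without cracking. For 'salted' each site draws its own salt,
    so the stored records differ even though the password is the same.
    """
    if scheme == "unsalted":
        site_a, site_b = unsalted_hash(password), unsalted_hash(password)
    elif scheme == "salted":
        site_a = salted_hash(password, os.urandom(16))
        site_b = salted_hash(password, os.urandom(16))
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return hmac.compare_digest(site_a, site_b)


if __name__ == "__main__":
    print("unsalted records collide:", records_match_across_sites(SAMPLE_PASSWORD, "unsalted"))
    print("salted records collide:  ", records_match_across_sites(SAMPLE_PASSWORD, "salted"))
```

Salting stops the cross-site matching shown here, but it does not stop a dictionary attack on a guessable password, which is why the only real fix on the user side is still to change every account that shared the leaked password.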