DMT-Nexus
Shroomery & Growery - Passwords & Info RELEASED
 
CosmicLion
#1 Posted : 12/24/2012 6:26:24 PM

DMT-Nexus member

Senior Member

Posts: 689
Joined: 22-Feb-2009
Last visit: 19-Nov-2024
Location: Oaxaca
Hey everyone... here is a re-post of an update from Ythan at the Shroomery & Growery.

If you have any accounts at either of those two places, you should change your passwords ASAP and change the password of any account that shared that same password.

The Shroomery/Growery database was hacked and information was sent about users' logins, passwords, PMs, personal email addresses and more...

http://www.shroomery.org...php/Number/17416556/an/7

Quote:
Hello members of the Shroomery and Growery! Please read this important security announcement.

Recently, someone named 0xidium approached me, and reported that it was possible to retrieve a copy of our database. Although our site itself is believed to be secure, I have an account on a different site which is vulnerable. This allowed people to retrieve the list of users and passwords in plaintext. To my embarrassment, I disregarded basic security practices, and re-used my password on certain sensitive parts of the Shroomery and Growery. This problem has existed at least since August, and possibly much longer.

We are extremely lucky to have been alerted to this problem when we were. Unfortunately, due to our limited retention of log files for privacy purposes, there is no way to determine who might have discovered and exploited this issue in the past. It is with great contrition and embarrassment that we wish to inform you the following information could possibly have been leaked to untrusted third parties:

E-mail addresses associated with your account
Unencrypted private messages
Posts in restricted or private forums and journals
IP addresses associated with your posts
Image uploads, including those which were not made public
The SHA-256 hash of your password

The last item is especially important. Although an SHA-256 hash is believed to be one-way (meaning you cannot deduce the actual password from the hash), this is not always the case in practice. If someone has a large dictionary and a fast computer, they can try millions of passwords every second, and eventually find a hash that matches. If your password is a common word, or combination of words and numbers, or a geometric pattern on the keyboard, or leetspeak, it can potentially be retrieved with a dictionary-based attack by someone who has our database. If you use the same password on other sites, especially e-mail, banking, or social networking, please make sure to change it on those sites immediately!

We wish to be clear that, except for the individual who alerted us to this problem, there is no indication anyone has actually made use of this exploit. We are simply offering full disclosure and recommending an abundance of caution.

Going forward, we are implementing new security policies to prevent the re-use of passwords, and require multiple types of authentication for sensitive admin scripts. We have switched to bcrypt hashing with per-user salts for passwords, which will help prevent dictionary-based attacks in the future. The site is more secure now than it ever has been, and we will continue to work to protect our members to the best of our ability. We hope you will forgive us for this recent failure.

For security purposes, you were required to change your password. You cannot re-use the same password you had before. I know that's annoying, but it's important. If you really really want, you can change it back again later, but I don't recommend it. Please make up something new, and only use it for this site. If you have any questions, please post in this thread.
-Eternally Romping the Astral Savannahlands-
 
 
Valura
#2 Posted : 12/24/2012 6:34:41 PM

DMT-Nexus member


Posts: 104
Joined: 10-Oct-2012
Last visit: 24-Aug-2024
The only password security was SHA256? What a joke, that's so incredibly weak. I didn't post there personally, but it isn't too much to ask to at least put some effort in security in the future.
 
staresatwalls
#3 Posted : 12/31/2012 11:15:29 PM

DMT-Nexus member


Posts: 363
Joined: 31-Mar-2011
Last visit: 13-Jun-2017
damn
"Trust in your own wetware; your psyche and your body will be reunited." -Gracie and Zarkov

in plants we trust
 
SeekerOfTruths
#4 Posted : 12/31/2012 11:23:47 PM

DMT-Nexus member


Posts: 130
Joined: 07-May-2012
Last visit: 29-Jul-2020
Valura wrote:
The only password security was SHA256? What a joke, that's so incredibly weak. I didn't post there personally, but it isn't too much to ask to at least put some effort in security in the future.


SHA-256 hashes really aren't weak, unless you've discovered something that the NSA would love to know. If your password is > 10 chars the idea of a rainbow table and/or cracking with GPUs is slim, and that's just for one password in the list.

And you'd be horrified if you knew the number of very big companies, and sites that simply don't even encrypt anything. Pure plain text...
 
a1pha
#5 Posted : 12/31/2012 11:29:40 PM


Moderator | Skills: Master hacker!

Posts: 3830
Joined: 12-Feb-2009
Last visit: 08-Feb-2024
Valura wrote:
The only password security was SHA256? What a joke, that's so incredibly weak.

It is?

This site uses AES-128 with SHA1 encryption (as do many banks) and it seems to be doing OK. Granted, I'm sure The Traveler salts password hashes (a few times) but maybe you can explain some of the security flaws in SHA2? As said above, the NSA would hire you on the spot.
"Facts do not cease to exist because they are ignored." -A.Huxley
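The announcement quoted in post #1 says the site stored a bare SHA-256 hash of each password and has since moved to bcrypt with per-user salts, and posts #4 and #5 debate whether unsalted SHA-256 is weak. The script below is an added example, not code from the Shroomery, the Growery, or any poster in this thread. It contrasts the pre-incident scheme with a per-user-salt, slow-KDF scheme, using PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt; the function names, the iteration count, and the sample accounts are this example's own assumptions. It also includes a small audit a site operator could run over an unsalted table: users whose digests collide share a password, which is exactly why a single precomputed lookup can expose many accounts at once.

```python
"""Added example (not the Shroomery's or this thread's code): bare SHA-256
password storage versus a per-user salt plus a deliberately slow KDF.
PBKDF2-HMAC-SHA256 stands in for bcrypt; names, iteration count and the
sample accounts are assumptions of this example."""
import hashlib
import hmac
import os

# Assumed cost; tune so one derivation takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """Pre-incident scheme: one fast, unsalted SHA-256 per password.
    Identical passwords yield identical records, and a single cheap hash
    of each guess can be compared against every user in the table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    # Constant-time comparison, so verification itself leaks no timing signal.
    return hmac.compare_digest(weak_store(password), stored)


def hardened_store(password: str, salt: bytes = b"") -> dict:
    """Per-user random salt plus a slow KDF (stand-in for bcrypt).
    The salt makes precomputed tables useless and stops identical passwords
    from producing identical records; the iteration count makes each guess
    cost PBKDF2_ITERATIONS hashes instead of one."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def hardened_verify(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_groups(weak_table: dict) -> dict:
    """Operator-side audit of an unsalted table: map each digest to the
    users sharing it. Any group larger than one means those users share a
    password, so one recovered password unlocks all of them."""
    groups = {}
    for user, digest in weak_table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration; not real users.
    users = {"alice": "password", "bob": "password", "carol": "correct horse"}
    weak = {u: weak_store(p) for u, p in users.items()}
    print("unsalted collisions:", shared_password_groups(weak))
    hardened = {u: hardened_store(p) for u, p in users.items()}
    print("salted alice == bob:", hardened["alice"]["hash"] == hardened["bob"]["hash"])
    print("verify bob:", hardened_verify("password", hardened["bob"]))
```

Running the script shows alice and bob collapsing into one group under the unsalted scheme while their salted records differ, and the hardened verifier still accepting the correct password. The salt and iteration count are stored alongside the hash on purpose: neither needs to be secret, they only need to be per-user and expensive, which is the same property the announcement credits bcrypt with.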
 
 