45 million creds leak from popular .com forums

Soldato
Joined
1 May 2003
Posts
11,071
Some 45 million logins for 939 popular sites including motorcycle.com, autoguide.com, and mothering.com have been stolen.

The method of attack and the actor responsible are unknown, although many of the sites ran vastly outdated and hackable versions of vBulletin.

Usernames, email addresses, IP information, and passwords are breached.

"Most of the records (over 40 million) were just MD5 with salting and this is insufficient."

Popular passwords included the regular shockers, along with a scattering of seemingly randomised strong codes. The second most popular password was '18atcskd2w' used by 91,103 accounts, with '3rjs1la7qe' coming in fourth spot used by 74,806 accounts.

More information can be found here - https://www.leakedsource.com/blog/verticalscope

The mind boggles how owners of these sites can use such weak hashes and not patch system vulnerabilities :rolleyes: :(

I'm sure OcUK don't make these huge mistakes ;)
 
Soldato
Joined
25 Nov 2004
Posts
4,788
Location
Hertfordshire
Popular passwords included the regular shockers, along with a scattering of seemingly randomised strong codes. The second most popular password was '18atcskd2w' used by 91,103 accounts, with '3rjs1la7qe' coming in fourth spot used by 74,806 accounts.

That's a little odd - why would those random character strings be reused so frequently?

Password generator being used by a lot of people maybe and stored in some sort of password manager?

edit: beaten :(
 
Hitman
Soldato
Joined
25 Feb 2004
Posts
2,836
They probably manually patch the security updates to vB which they probably feel is easier to do than actually update it. :rolleyes:
 
Soldato
Joined
10 Jul 2010
Posts
6,277
This is why I use random passwords now and allow Firefox to save them. None of my passwords are the same; they are as long as possible and contain symbols if they are allowed.

Some sites don't allow very long passwords or don't allow symbols within the password. Somewhat inaptly, Virgin Media only allow 10 character passwords without characters. :(
 
Soldato
Joined
31 Jul 2006
Posts
10,276
Location
Belgium land of chocolate
This is why I use random passwords now and allow Firefox to save them. None of my passwords are the same; they are as long as possible and contain symbols if they are allowed.

Some sites don't allow very long passwords or don't allow symbols within the password. Somewhat inaptly, Virgin Media only allow 10 character passwords without characters. :(

What happens when you need access to a site from another PC, phone etc that isn't running FF?
 
Soldato
OP
Joined
1 May 2003
Posts
11,071
This situation seems to be happening more and more, can't people just leave other people's stuff alone haha!

Everyone makes it easy for them, not patching systems and using weak/outdated ciphers is just as bad as users re-using non-complex passwords on different sites; they're all asking for trouble.
 
Soldato
Joined
18 Mar 2006
Posts
4,148
Location
Liverpool
What happens when you need access to a site from another PC, phone etc that isn't running FF?

Can use password manager software. I keep all my passwords in a vault that's synced across Dropbox. The Dropbox itself has a ridiculous password and 2FA.
The password file itself is then secured using a 24 character password, which is less random, but still unique to me, and one I can remember pretty easily.
I have the app for the password manager on my iPhone, iPad, Macbook & PC, so I can access my passwords from anywhere if I need to, and it plugs in with most browsers and software.
 
Man of Honour
Joined
13 Oct 2006
Posts
90,821
probably spam accounts set up by bots

Sounds like the most likely reason - it's possible, with weak password systems, that more than one string will match a common hashed password, some of which will be random strings like those popular ones, depending on how the passwords were reverse decrypted.
 
Soldato
Joined
22 Feb 2014
Posts
2,658
Some sites generate a password for you when you request a password reset and they DON'T force you to change it when you log back in. That could explain why some passwords are all the same if the site isn't generating a random password (or as random as people thought it was).
 