Poetic justice? Account hijacking forum is itself hacked, exposing details of thousands of users

Exposed details include email addresses, hashed passwords, private messages and IP addresses
There's letters sealed; and my two schoolfellows,
Whom I will trust as I will adders fanged,
They bear the mandate; they must sweep my way
And marshal me to knavery. Let it work,
For 'tis the sport to have the engineer
Hoist with his own petard; and 't shall go hard
But I will delve one yard below their mines
And blow them at the moon. O, 'tis most sweet
When in one line two crafts directly meet.

These words, spoken by Prince Hamlet in Act 3, Scene 4 of his eponymous play, are the origin of the phrase "hoist with his own petard." Hamlet is fantasizing about the poetic justice of meting out revenge upon his father's killer. Of course, poetic justice doesn't quite work like that – especially not for Hamlet who, having just bumped off Polonius, meets his own end in Act 5.

In a twist of the karmic pepper grinder that, while not a matter of life and death, positively dwarfs that of the melancholy Dane in terms of scale, the web forum OGUsers has been hacked, exposing the details and messages of some 113,000 users. The attack is thought to have occurred on May 12.

If, for some, there's a degree of schadenfreude to these events, it's because the forum is frequented by people who try to break into other people's online accounts, in particular using SIM swap attacks, which exploit weaknesses in two-factor authentication messages sent by SMS. Such attacks can allow access to email, social media accounts and online finances. According to Krebs on Security, access details to compromised accounts were sometimes resold on the forum for hundreds or even thousands of dollars.

"LMFAO"

The attack coincided with an apparent outage which the forum administrator explained had deleted months of private messages. It wasn't until May 16 that the full scale of what happened became clear, when the administrator of another forum, RaidForums, made this announcement:

"On the 12th of May 2019 the forum ogusers.com was breached 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I'm the first to tell you the truth. According to his statement he didn't have any recent backups so I guess I will provide one on this thread lmfao."

The details exposed include email addresses, hashed passwords, private messages and IP addresses. They have been uploaded in full on RaidForums and elsewhere online.

After the attack, OGUsers, um, users took to the forum to report phishing emails targeting their forum accounts. According to Krebs on Security, others took to the forum's Discord channel to complain of a change in behavior that now prevents users from deleting their accounts.

Former Washington Post reporter Brian Krebs, who writes Krebs on Security, speculates that the published data is likely to be of great interest to law enforcement organizations, and may lead to arrests. Hoist indeed.

Source: Krebs on Security

6 comments
fb36
Internet clearly has a huge security problem, currently, caused by hackers & ransomware & malware! It is also clear (@ least to me) that, the problem is keep getting worse & worse! What can be done to solve Internet security problem? Here are some ideas: 1) Switch all computer software to higher security programming languages! (Instead of using programming languages (like C/C++) in which all tiny bugs act as secret backdoors for hackers & ransomware & malware!) 2) Switch all OS software (like Windows & MacOS & Linux) to work similar to smartphone OS (like Android & iOS)! (Android & iOS work like interpreters that can easily catch any illegal code execution attempts!) 3) Increase severity of punishments for hackers & ransomware/malware writers! 4) Do not allow anonymous access to Internet! IMHO, preventing anonymous access to Internet is the most important! IMHO, hackers & ransomware/malware writers do not have much to fear from law enforcement, currently, because tracing back hacker/ransomware/malware attacks to their source is pretty much impossible! & that is because of allowing/enabling anonymous access to Internet! What needs to be done: As the first step: Globally ban VPN services (& Tor etc) which enable anonymous usage of Internet! As the final step: Globally, make it mandatory, to access/login Internet, using (biometric) ID & password etc. & make sure (by global law), all Internet activities/actions/operations can be always traced back to its source computers & people!
ChairmanLMAO
lets ban typing! fb36 for pres 2020! lo
aksdad
Poetic "justice" would be seeing the hacked hackers carted off to jail. Here's hoping. And thank you fb36 for your suggestions. We'll, um, ponder that. If you ban VPNs then how do people in oppressive countries with firewalls and surveillance of personal internet usage (ahem, China) access content forbidden by their overlords?
Douglas E Knapp
Wow is this ever an interesting post! Propaganda pure, well written but dumb at the same time. Some pro posted this to "guide" others. "Internet clearly has a huge security problem, currently, caused by hackers & ransomware & malware! It is also clear (@ least to me) that, the problem is keep getting worse & worse!" It is not getting worse. These problems are mostly due to MS writing bad code along with others doing things just as stupid. Hackers are just the people taking advantage of the stupidity. They are not the cause. Also most hackers are government employees, IE remote spies. 1) Switch all computer software to higher security programming languages! (Instead of using programming languages (like C/C++) in which all tiny bugs act as secret backdoors for hackers & ransomware & malware!) This might really help but it is like suggesting that we the world switch from English to Finnish. 2) Switch all OS software (like Windows & MacOS & Linux) to work similar to smartphone OS (like Android & iOS)! (Android & iOS work like interpreters that can easily catch any illegal code execution attempts!) Now here we have the insight to this person's lack of knowledge (ignorance) about OS systems. Linux is VERY secure and even used by the NSA and CIA. Android is just wallpaper over Linux (it IS Linux). 3) Increase severity of punishments for hackers & ransomware/malware writers! Yes, this will work. How do you propose to punish a hacker working out of China and attacking a US computer? The ONLY people this will work on are the voters and the kids that are too dumb to know better yet. "4) Do not allow anonymous access to Internet! IMHO, preventing anonymous access to Internet is the most important! IMHO, hackers & ransomware/malware writers do not have much to fear from law enforcement, currently, because tracing back hacker/ransomware/malware attacks to their source is pretty much impossible! & that is because of allowing/enabling anonymous access to Internet!"
#4$ and here is the STINGER!!! Take away personal privacy. (after having scared you at the beginning of the post) This is a real boon for making money but it does not help make the internet safe. What it will do is make it easier for Cloud based companies to make more money and force you to use their products. "What needs to be done: As the first step: Globally ban VPN services (& Tor etc) which enable anonymous usage of Internet!" This VPN is what gives you privacy on the internet and it also lets you watch/view other countries websites. For example I use VPN because I live in Germany but come from the US. You CAN'T view Netflix in English in Germany and you can't go to the US Netflix site from Germany, thus VPN fakes that I am in the US thus I can pay with my US bank and watch my US Netflix. This upsets the advertisers and also the contracts of the film companies that don't want US films to be played in Germany. If you don't want Google and FB to track you then you MUST use a VPN! Naturally they want to stop VPNs. "As the final step: Globally, make it mandatory, to access/login Internet, using (biometric) ID & password etc. & make sure (by global law), all Internet activities/actions/operations can be always traced back to its source computers & people!" The final press. Push for one world government, total stopping of privacy or privacy rights. Don't let them do this to you! Fight for your rights to privacy. Learn to be secure online by learning how to use Linux and VPN. PS none of these hackers would have a problem losing their info to this hack, if they had been using VPN and practicing safe internet surfing with privacy.
Daishi
They stored hashed passwords in MD5 which is an extraordinarily weak and outdated method of hashing. People are talking about extreme measures to prevent this sort of thing when the measures they had in place couldn't even be considered mediocre. Hopefully nobody on that forum was dumb enough to use a password that mattered. Just using best practice available today for storing user credentials hashes can be stored very securely. Some of these are defined in the NIST 800-63 (Digital Identity Guidelines). There are a couple talks given by the document authors at places like Black Hat covering the changes/recommendations if the document is too dry. Almost nobody is actually following good practice but when they do hashes are very secure against being reversed. Maybe if people would stop pushing for mythical solutions and just force people to use existing best practice there would be more traction at adopting them. Even PCI is behind and needs to update.
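
Added example (not part of the article, the comment above, or OGUsers' code): one way a site holding salted-MD5 password records can move to a memory-hard key derivation function by rehashing each password at the user's next successful login. The record formats, the function names and the choice of scrypt with these parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed record formats (constructed for this example, not OGUsers' schema):
#   legacy : "md5$<salt hex>$<md5(salt || password) hex>"
#   current: "scrypt$<salt hex>$<derived key hex>"
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # about 16 MiB of memory per guess


def hash_legacy_md5(password, salt):
    # One fast MD5 call per guess: the salt only defeats precomputed tables.
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$%s$%s" % (salt.hex(), digest)


def hash_scrypt(password, salt=None):
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return "scrypt$%s$%s" % (salt.hex(), key.hex())


def verify_and_upgrade(password, stored):
    """Return (ok, record_to_store); a legacy record is rehashed on success."""
    scheme, salt_hex, _digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "scrypt":
        candidate = hash_scrypt(password, salt)
        return hmac.compare_digest(candidate, stored), stored
    if scheme == "md5":
        candidate = hash_legacy_md5(password, salt)
        if hmac.compare_digest(candidate, stored):
            # Correct password: replace the weak record, using a fresh salt.
            return True, hash_scrypt(password)
        return False, stored
    return False, stored  # unknown scheme: reject rather than guess


if __name__ == "__main__":
    record = hash_legacy_md5("correct horse", os.urandom(8))  # constructed sample
    ok, record = verify_and_upgrade("correct horse", record)
    print(ok, record.split("$")[0])
```

Accounts that never log in again keep their MD5 record, so a migration like this is usually paired with a forced reset or expiry of the remaining legacy records.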
Trylon
@fb36 Sorry, but you quickly lost all credibility with your second suggestion. Google "android malware 2019" if you still think Android is at all secure.