YAWn! hacked
5 Jan 2008, 03:18
News
The popular GUID matching website YAWn! has unfortunately had its database compromised, and as a result everybody is strongly urged to change all of their passwords if they are the same as their YAWn! password, should they have an account there.
Earlier today you may have noticed a couple of strange things on Crossfire, such as the 'Fusengate 08' article disappearing and the 'Cheaters' forum thread being defaced, among various other things. This was caused by a few of our members having the same passwords here as they do on their YAWn! accounts, and inadvertently allowing the individual to login to their Crossfire profiles and disrupt the website.
We have identified who is responsible, and it is some random peon from the recent bust, unsurprisingly. Despite what you may hear elsewhere this person is not affiliated with any cheat website, nC had nothing to do with this. The YAWn! admins have been informed, who have taken necessary steps to ensure that this does not happen again. It should be noted however, that the guilty party still has a copy of the old database and can continue to cause certain people problems if they do not change their passwords.
A general rule of thumb is never to use the same password on different websites; as obvious as that may sound, it is surprising how many ignore it. You should also use an alphanumeric password with upper and lower case.
Unfortunately, this has already affected one of our members quite seriously, so we strongly urge you not to take this lightly. This will only affect those who have an account on YAWn! and use the same password elsewhere. Despite that, this is a good opportunity for those of you with weak passwords to change them to better ones.
The YAWn! website is still fully functional and should be safe to use, provided any members have changed their passwords.
You can change your passwords here.
YAWn! newspost: http://www.yawn.be/
Otherwise I just have a few that I use depending on what type of site it is I use it on.
STEP 2 XFIRE
STEP 3 WORLD DOMINATION
Nothing like a bit of Biz!
signs of apocalypse.......
Currently it's better to use an SHA-512 hash since that will take quite some time to "crack" with nowadays computers, but just a reminder, NO hashed password is 100% safe, ever.
Although I can think of algorithms to make the password 100% unrecoverable unless you get access to more than just the database (source code). Simply by hashing the username (immutable) together with the password or some other data, you can't retrieve the password anymore without substantially more effort (unless you know the algorithm). Another example: if you do the hash twice, you end up needing to brute force a 32 character string that can't be found in any dictionary, rather than the 5-10 chars for the average password.
Anyway, point taken: wasn't plain text.
Also, no password is safe would be the correct way to say it. No matter what, there is always a way.
Takes some minutes actually.
Won't give out the site, but it's the same that the hacker used.
eX5_Ad2#zPlE
and try to bruteforce that, you will do so for rest of your life with these modern computers.
nvm, doubt he was. proxy ftw
removed?
(before you saw the list)
and you can still see the guys that have been removed the apology thread
at least i never used that word
thats a yawn entry
NOT
rule: haxers can only attach at unserused webpages (-databases).
after such a easy hack on the yawn website, I'm not believing any more in red yawns, they are prolly all faked ;)
Red triangles come from PBBans, not YAWn!
1) A good password is only needed for bruteforce hacking; they got the passwords from a database so no bruteforce was required.
2) Most people have trust in website security so they shouldn't be using 100 different passes.
conclusion:
websites need to be better secured, so at least kiddo hackers can't get our password.
But I should have never registered on yawn because they have no disclaimer, and now I can't get them in front of a judge when I lose data.
If they would have a disclaimer where they say not to give your personal data to others we could be rich (or not, dunno if they actually have some money), because they gave away our data just by not being secured enough.
If only users had nonpopular passwords, a database with password hashes would be useless for hackers, since they wouldn't have found anything on websites like http://md5.shalla.de/cgi-bin/search.cgi . And if someone obtained your password from a website, where there was no disclaimer you were talking about, and used it to log in to your e.g. e-mail, that isn't really the fault of yawn, since you had the same password on both accounts.
You can use an encryption server, so they at least need to hack another server where the encryption algorithm is saved.
It's the fault of some users on YAWn! cuz they used uber simple passwords. An MD5 hash (which yawn uses) is simply weak on very simple passwords since there are websites where you can look up MD5 hashes and see if that hash is already cracked to some simple password or not.
so 1 thing that isn't secured the way it should be.
And they shouldn't have used MD5 as everybody knows it's easy to hack.
And if they knew their site security sucked they should have forced everybody to use a 10 digit password with at least 2 characters and 2 numbers or smth.
So don't blame the users, blame the crappy coder of the site.
btw is cf using the same way to save password? if yes I need to change to a 50 digit password before I get hacked.
MD5 is not necessarily all that weak. If you have a strong password that doesn't make much sense, then an MD5 brute force crack is quite useless because the result will have no reference to anything that makes sense in the first place. But yes, a stronger hash such as SHA-512 makes it quite a lot harder, but even such strong hashes mean shit on simple passwords.
So yes, in the sense of the coders of a site (or anything that stores passwords) the coder should enforce the use of strong passwords and use the strongest hash method available to him.
As for cf's password encryption. I don't know since I don't code for CF, but my guess would be you are not far off of your own guess.
He couldn't have done it in 1 night if they used a nice encryption. And he'll need to decrypt every single password then. Lets see if he has my password in 2012 ;)
Take the dictionary and MD5 (or any hash method for all I care) them and store them in a database. Voila, a lookup table for simple passwords.
Using the standard php md5 hashes is just plain stupidity, at least for websites with a large userbase.
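Added example, not code from the thread or from YAWn!: it builds the dictionary lookup table described in the comment above against plain, unsalted MD5, then shows the two mitigations discussed earlier in the thread (hashing the immutable username together with the password) and a random per-user salt with a deliberately slow KDF. The dictionary words and usernames are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample "dictionary" (not data from the thread).
DICTIONARY = ["password", "qwerty", "letmein", "123456", "crossfire"]


def md5_hex(text: str) -> str:
    # Plain, unsalted MD5: what the thread says YAWn! stored.
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    # Hash every word once; this is all an "md5 lookup" site does.
    return {md5_hex(w): w for w in words}


def lookup(stored_hash: str, table: dict):
    # One dict lookup per leaked hash, so no brute force is needed for
    # dictionary passwords; a strong password simply is not in the table.
    return table.get(stored_hash)


def salted_hash(username: str, password: str) -> str:
    # Mitigation from the thread: hash the (immutable) username with the password.
    # Same password, different user -> different digest, so a table precomputed
    # for plain hashes is useless and would have to be rebuilt per user.
    # Caveat: usernames are public, so this only slows an attacker down;
    # a random salt plus a slow KDF (below) is the better choice.
    return hashlib.sha512(f"{username}:{password}".encode()).hexdigest()


def store_password(password: str, iterations: int = 100_000) -> str:
    # Random per-user salt + PBKDF2-HMAC-SHA512; stored as "iterations$salt$hash".
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    # Recompute with the stored salt and iteration count; constant-time compare.
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha512", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```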
oh and you so owned that guy omg! spazm!
Besides, hashes are only a way to make it harder. There is no 100% security due to hashes.
md5 anyone?
When someone accuses you of deleting your comment some sort of admin has done the job. Keep going!
At least I've another pass for my 2 email accounts :D
btw what profit is to have yawn account? :D
Kewl today i logged in cuz i heard about this shit.
You dont have to enter it to use http://yawn.be, and the yawn-client remembers it for you... so there is really no need for the password to be easy to remember...
(in case of a format, get a new auto generated password and just C/P it into the client again...)
Therefore Crossfire offers a reward of USD 1000,-- to anybody who will provide addition information that leads to the one(s) responsible for the incident.
Any information is kept strictly confidential.
wasn't
nixcoders
meh :/
plz... can't you do better? yawn made et a worse game, no point in fakenicking, and everyone was a cheater because they had a red triangle? that's just shit :/
If it was someone from the recent bust, then of course it has something to do with nC... wtf are u talking?
But with todays technology it's easy to crack a md5hash.
Alex, Assassin Hax, Austin, b!lly, binkie, bugg3r, Dante, Dogsss, durdur, Flawless, Foxy, Frozen, haqshot^, HolyWarZ, Jmpin_jimmy, L4B1N4C, lexi40, Luke21, matttu, motherhacker, muppetalert, mystic, naz, Nimbus2506, Noway!, Pansemuckl, Phil, Poison77, polokezwart, purix, ridl3r, Sgt.Rusty666, substanz, superb, unaimed, ZeroCool, []SpooN.
:o
Propaganda? IMHO that's the reality. After so great and vicious busts (or name them as you wish), when like few of them got actually banned, I also thought that there will be tons of new nC customers who will suddenly become popular in CF just because of high skills... This fusengate stuff should be happening quietly.. working closely with yawn, CB, PB and others who could make any decisions in this case)
I mean - popularizing things of which you ain't sure you can't get rid of is pretty much dumb in any way.
And that's what i call propaganda, they only show a very small part of the bust, which suits their purpose and use it in their way. they don't even mention all the other ones who got busted (take nevari, ufoleet or some others as an example).
i don't consider "being hacked" twice (!) a perfect commercial. This shows that they just can't guarantee the anonymity of their paying customers. It's not really the place where i would feel safe when i wanted to buy a bot. And everyone knew about nC before this bust too.
Since you mention jaymod-users etc... well these guys usually don't even know crossfire, most of these guys on the list are competitive players, no matter if they're in high+ clans or random med+ guys.
Of course there is a big chance that they won't even be banned @cb, still they are branded as cheaters and if ppl are not completely retarded they will not play with them anymore, which means there's a big chance these guys will have to get a new nick (but then i ask myself again, who trusts a medhigh-skiller without ANY history and a 3-day-old yawn (e.g. ph6xy/myst6x before... ppl who played with them and knowing who they are or not questioning their history actually deserve to be punished too tbh).
about doing-it-quietly.. unfortunately, the collected information is not proof enough for clanbase, so crossfire is the only league which will ban caught players
oh noez :<
The goddamn hacker IS NOT from nC, how hard is it to understand?
I know who he is, and it ain't anyone from nC-crew, but simply just a nC-customer, that didn't want himself shown in FusenGate.
And the hacker didn't hack CF, just yawn and got the pw to an admin.
Please stfu with your childish attitude: "OMG crossfire dont hide that it was nc lol".
The hacker did several law-breaks, and I've used hours together with Gods from Crossfire and with Snuble to find out who it is, and I can promise that it isn't anyone from netCoders.
And it's quite idiotic by netCoders to say that this news is a lie. Because it isn't, goddamn.
nC-customer = random nub that bought cheat
Oh, wait...
customer - registered user who bought hax
normal user - registered user who did not buy hax
:D
The person that did this didn't do it because of the fusengate, not even because of nC at all.
Actually he hacked yawn.be before the FusenGate.
Go figure.
I think that we (those who wasted our time here for more over 3 years) deserve to know who did that, am I right?
The person who accessed the YAWn! database is not representing nC, he is merely a customer there.
Besides, if it's just a customer there - why don't you reveal him? Still afraid of being hacked again?
What diffrence would it make to you getting his nickname?
Would you hack him back? :\
Let them handle it themselves, I'm sure in time you'll know anyway.
The difference would be that I'd at least know who did that, not keeping suspicious any of you here. Also that would make me feel that CF does care about its regular visitors and would inform what's happening and so on.. ;<
Anyway, no one forced you to use Crossfire, you can't demand information, can you?
Crossfire did not delete FusenGate because the bust was too small etc, then they would delete the ip-match.htm as well maybe?
This case is quite serious, still idiots like you care to believe it's a setup by Crossfire to excuse the FusenGate-delete.
That's just something nC is saying to gain trust again, so that they can make more money.
They make it look like only 2 persons got busted, and that it's safe to buy at netCoders.
I wouldn't have bought a cheat on nC after two FusenGates.
Seriously, are you really that stupid?
me too