Sunday Killin'

**Sierra Oscar** · 01-24-09, 09:31 PM

I un-approved the thread for now, as I think we are safe.

It seems the hacker was employing some sort of a script to brute force accounts with easy email passwords. The thing is, he is only targeting pre-2004 forum accounts. That makes sense, as old Steam accounts often used the email as the login username. The hacker could then match the forum account email address to Steam accounts with the forum account password - if both match up bingo.

Since these forums are relatively new, that should not be an issue as the Steam login username is not the email address anymore.

I just took the thread out of public viewing for the moment, we dont want to give the impression that accounts here may be vulnerable. Alan may choose to post up some announcement tomorrow.

For now, I think our best bet is to just monitor things and keep an eye out for any suspicious activity.

Just some further information, the script that was used targeted the vB Member's List - and when it was disabled they instantly ended the attack.

It makes sense, as the list displays join dates.

**S.T.A.L.K.E.R.** · 01-24-09, 10:15 PM

I have easily over $300 in games in my STEAM account. I'd cry if it was ever jacked

**imported_Target Practice** · 01-25-09, 01:29 AM

Hmmmm, let me get this straight (and bear in mind it's 7.30am and I've not slept yet), so they were brute forcing passwords on the forum, and then, having gained access to the forum account, they use the email address that account is registered to as the login name, and the forum password as the steam password?

If that's the case, then the problem here is that the Steam username is often proudly on display here anyway, so it doesn't need the email address, and anyone stupid enough to have the same password for the forum as their steam account would be royally fucked.

**AzH** · 01-25-09, 04:27 AM

no. Because passwords are not stored anywhere on the forums in a readable format. They are stored in the mysql database using a complex encryption system. I can't see what your password is by viewing the database. As long as you keep it pretty random you're safe.

**Sierra Oscar** · 01-25-09, 08:03 AM

Originally Posted by AzH

no. Because passwords are not stored anywhere on the forums in a readable format. They are stored in the mysql database using a complex encryption system. I can't see what your password is by viewing the database. As long as you keep it pretty random you're safe.

Yep correct - they only got peoples account who used silly passwords such as "password" or "1234".

Whoever was doing the dirty was just trying with a set of simple common password sets.

**AzH** · 01-25-09, 08:11 AM

The latest version of vB (the one we're using) has a nifty password strength feature. I run it once a month. It searches the database and generates an email to anyone who uses something like 'password' or their user name as their password. The email tells them they have a new password and it is a random sequence of numbers.

**Sierra Oscar** · 01-25-09, 08:24 AM

Originally Posted by AzH

The latest version of vB (the one we're using) has a nifty password strength feature. I run it once a month. It searches the database and generates an email to anyone who uses something like 'password' or their user name as their password. The email tells them they have a new password and it is a random sequence of numbers.

Oh that sounds excellent, is that only on vB 3.8? Where abouts is it located?

Thats something that would come in very handy on SUF.