# devkitPro Forums temporarily shut down due to database vandalization and leak



## VinsCool (Feb 4, 2019)

Jesus, that's disgusting.
Why out of anything would they attack devkitpro?
That makes no sense at all.


----------



## xXDungeon_CrawlerXx (Feb 4, 2019)

RIP


----------



## Alexander1970 (Feb 4, 2019)

xXDungeon_CrawlerXx said:


> RIP



As sad as it is 


Why, why, why do people still not make regular backups if they have important data?!?!?!?


----------



## FAST6191 (Feb 4, 2019)

alexander1970 said:


> As sad as it is
> 
> 
> Why, why, why do people still not make regular backups if they have important data?!?!?!?


Given they apparently failed to back up the source code to their project as well...


----------



## RattletraPM (Feb 4, 2019)

VinsCool said:


> Jesus, that's disgusting.
> Why out of anything would they attack devkitpro?
> That makes no sense at all.


No one knows. No motive was given and the passwords weren't in plain text so "information gathering" can be ruled out.
As you said, it doesn't make sense. It only hurts the homebrew scene as a whole.


----------



## Owenge (Feb 4, 2019)

xXDungeon_CrawlerXx said:


> RIP


Press F for respects


----------



## fledge68 (Feb 4, 2019)

The good news is it's just their forums. The source code and everything else is on GitHub.


----------



## Alexander1970 (Feb 4, 2019)

RattletraPM said:


> It only hurts the homebrew scene as a whole.



That's the point. Who else would have an interest than big companies like maybe Nintendo... and we know since the Resident Evil 2 remake that money can change the most ambitious hobby programmer...

Ok, I've been watching too much X-Files.


----------



## ghjfdtg (Feb 4, 2019)

@Owenge 
Your avatar is the perfect reaction for this

Anyway, that sucks. But having no recent backups is far from good practice.


----------



## VinsCool (Feb 4, 2019)

FAST6191 said:


> Given they apparently failed to back up the source code to their project as well...


I really hope this isn't related to that situation to the point an angry kid decided to wreck the shit out of it.


----------



## FMCore (Feb 4, 2019)

RattletraPM said:


> No one knows. No motive was given and the passwords weren't in plain text so "information gathering" can be ruled out.
> As you said, it doesn't make sense. It only hurts the homebrew scene as a whole.



Passwords were hashed and salted, but if they know the salt used, they can use rainbow tables to try and get passwords. If they got the database, they'll more than likely have the salt.



VinsCool said:


> Jesus, that's disgusting.
> Why out of anything would they attack devkitpro?
> That makes no sense at all.



Given they were running PHPBB3, this may not have been a personal attack against the site; PHPBB3 is known to be vulnerable and sites using it have been hit in the past. If the site wasn't running an up-to-date version, it's likely they were vulnerable to one of the many CVEs listed at https://www.cvedetails.com/vulnerability-list/vendor_id-1529/Phpbb.html

Of course, the owner tweeted out one of the logs and the IP in the log came from an ISP in Portugal, so it could've been a personal attack, but it's hard to say.


----------



## RattletraPM (Feb 4, 2019)

FMCore said:


> Passwords were hashed and salted, but if they know the salt used, they can use rainbow tables to try and get passwords. If they got the database, they'll more than likely have the salt.


Yeah, I already said that in the OP. What I meant is that it wouldn't be as easy as having the passwords in plaintext so if that were the case then they might've wanted to attack some other website (sure, phpbb3 is vulnerable and all but there are still services storing plaintext passwords out there, either because they don't know the implications or out of laziness - in either case, if that's how much they care about user security you can rest assured they'll also have a crappily designed and easily exploitable website). It's also a forum used mostly by developers, meaning as soon as they hear the news they'll know better than to just sit idly and let their accounts get stolen. Again, maybe this whole situation could've been avoided by using up-to-date software and frequent backups, but from the users' point of view it's a different story.

So whoever decided to do this most likely did it to hurt dkp forums itself and unless I take out my tinfoil hat and start writing a conspiracy which says one of the major software houses did it, I don't know why anyone would do that. Or maybe it was a skiddie just trying to act cool and all. Either way, I hope whoever did it gets caught, fast.


----------



## Trash_Bandatcoot (Feb 4, 2019)

Yep, there goes my password on an account I made yesterday.


----------



## linuxares (Feb 4, 2019)

It doesn't necessarily have to be an attack against homebrew; someone might have done it just for the lulz. Heck, I don't even know if they used Metasploit or something like that.


----------



## newo (Feb 4, 2019)

Well, that sucks, although it was not a busy forum. Gotta upgrade those old BB boards or write something custom.


----------



## FAST6191 (Feb 4, 2019)

newo said:


> Gotta upgrade those old BB boards or write something custom.


Write something custom? Because that always works so well.


----------



## FMCore (Feb 4, 2019)

FAST6191 said:


> Write something custom? Because that always works so well.



Woah lad, there's no need for hostility and sarcasm.

Sometimes writing custom solutions is better if you have the time and money.

But in this case, they didn't really have that option.

But again, there's no need to be hostile/sarcastic.


----------



## ghjfdtg (Feb 4, 2019)

He is right though. It's similar to crypto where you need to absolutely know what you are doing. Otherwise don't touch it.


----------



## FAST6191 (Feb 4, 2019)

FMCore said:


> Woah lad, there's no need for hostility and sarcasm.
> 
> Sometimes writing custom solutions is better if you have the time and money.
> 
> ...



Sarcasm is the language of my people. I don't know that I would have viewed that as hostile either. Might just about rank as a curt response to a very odd statement but that is as far as I would take that.

Still, writing custom works for ultra simple stuff (here I am, this is what I sell sort of thing) which could spare you the overhead of something greater is not a bad plan, when you have to eat your own dog food, when you have some restriction like must be sourced within [country] or when you truly need something custom that existing APIs will not handle. If you have to do something vaguely complex and probably out of your wheelhouse (the crossover of compiler writers and php programmers, much less web security capable ones, being rather small) then custom stuff is where we see the feature free or, probably actually and, bonehead mistakes made.


----------



## Foxi4 (Feb 4, 2019)

Interesting coincidence, that's all I have to say. Will change my password for sure.


----------



## DayVeeBoi (Feb 4, 2019)

Foxi4 said:


> Interesting coincidence, that's all I have to say. Will change my password for sure.


I guess I'm outta the loop as of late. Is there any discussion anywhere regarding the incident that is fueling this speculation?


----------



## FAST6191 (Feb 4, 2019)

DayVeeBoi said:


> I guess I'm outta the loop as of late. Is there any discussion anywhere regarding the incident that is fueling this speculation?


Not sure if Foxi4 is referring to a different incident but https://gbatemp.net/threads/collection-of-old-devkitpro-versions.526377/
The new devkitpro site/source repos removed all the old versions they had stored.
Fair enough. Their site so if they want to do that then so be it.
Various community members then mirrored versions they had collected.
DKP then DMCA'd a whole bunch of them (causing a fair bit of trouble for some people as they were on shared hosts) and went around demanding things be taken down.
Various justifications are given for this (several in that link); apparently, though, they had lost the source to components of the older versions, and thus distributing the installer, in their eyes, amounted to distributing open source code where the licence demands that the code for it all be made available. This is considered dubious by quite a few as many of said same agreements have provisions for lost source, but so far that is where we are at. When pressed on "what about legacy code made with older incompatible versions?" the answers were more or less "Tough shit, update the code or hack the program, we will help you if you come on our forums/where we are at". "All that effort for a minor variable tweak?" got replies in the affirmative too.
It is also unknown why they feel so compelled to play policeman in this case -- if indeed it is third party components without source, and that they care, it is presumably those third parties that would be aggrieved, not them.

I don't think anybody around here would have decided to take things out as a result -- far more likely the update levels did not match the levels the automated bots go around with, or maybe actually a zero day or something bled through from some other frontend.


----------



## osaka35 (Feb 4, 2019)

Infrequent backups and not staying current seem like poor management. I'm a stickler for such things, though I'd imagine it's considered somewhat insulting to users to not keep a tight ship.

Curious why this was done as well. I wonder if they were after someone or something specific, just wanted to take a dive and look around, or revenge for some slight.


----------



## DayVeeBoi (Feb 4, 2019)

@FAST6191 Thanks for the thorough explanation. I am surprised I had not heard anything at all about this. Thanks also, for the link to the discussion, what a rabbit hole.


----------



## Ev1l0rd (Feb 4, 2019)

I just can't help but wonder... "Why".

dKP's site doesn't have anything special on it, the passwords are salted, so REing them is nigh impossible.

Still, that's basically a large portion of the Switch scene gone since the last backup was in 2017. :/


----------



## DayVeeBoi (Feb 4, 2019)

Ev1l0rd said:


> I just can't help but wonder... "Why".
> 
> dKP's site doesn't have anything special on it, the passwords are salted, so REing them is nigh impossible.
> 
> Still, that's basically a large portion of the Switch scene gone since the last backup was in 2017. :/


It should mostly be the forums and possibly older tools as the newer versions are hosted on GitHub.


----------



## Ev1l0rd (Feb 4, 2019)

DayVeeBoi said:


> It should mostly be the forums and possibly older tools as the newer versions are hosted on GitHub.


I'm aware. My Pacman repos didn't break or anything. It's just awful to see all discussion from the past two years being gone.


----------



## Foxi4 (Feb 4, 2019)

DayVeeBoi said:


> @FAST6191 Thanks for the thorough explanation. I am surprised I had not heard anything at all about this. Thanks also, for the link to the discussion, what a rabbit hole.


This debacle has been going on for many years. No developer wants their software's legacy versions to be circulated for obvious reasons, and I empathise with that, but in the case of devkitPro many developers don't have an alternative. I just found the timing to be curious - I'm not saying that it's necessarily self-inflicted, but revenge wouldn't be out of the question. Who knows, we'll probably never find out - chances are it was just some random exploiting a vulnerable forum.


----------



## ichichfly (Feb 4, 2019)

Ev1l0rd said:


> I just can't help but wonder... "Why".
> 
> dKP's site doesn't have anything special on it, the passwords are salted, so REing them is nigh impossible.
> 
> Still, that's basically a large portion of the Switch scene gone since the last backup was in 2017. :/



They can still brute force the passwords (using wordlists or Markov chains etc.); the speed for phpass is around 150 MHashes/s per unit.

So if you reused the password from devkitpro anywhere else you should change it.


----------



## Dr.Hacknik (Feb 4, 2019)

"But why?" 

Why would you attack Devkitpro? _Did Wintermute make someone upset or what?_


----------



## Ev1l0rd (Feb 4, 2019)

Dr.Hacknik said:


> "But why?"
> 
> Why would you attack Devkitpro? _Did Wintermute make someone upset or what?_


While WM isn't the easiest to get along with, there's little to indicate anything that would warrant something like this.


----------



## tech3475 (Feb 4, 2019)

Dr.Hacknik said:


> "But why?"
> 
> Why would you attack Devkitpro? _Did Wintermute make someone upset or what?_



A vulnerable website + user data. 

That's more than enough for some e.g. **** and giggles, sell the data, phishing scams, etc.


----------



## LowEndC (Feb 4, 2019)

alexander1970 said:


> That's the point. Who else would have an interest than big companies like maybe Nintendo... and we know since the Resident Evil 2 remake that money can change the most ambitious hobby programmer...
> 
> Ok, I've been watching too much X-Files.



No, I had the same thought,
but then again, maybe I watch too much Alex Jones lmao
My thoughts were either a hired goon from a big company, i.e. Nintendon't, another company with the same interests/business, or a white knight video game collector who hates everyone because his game room cost him 50k and here we are shopping for free.


----------



## Deleted_413010 (Feb 4, 2019)

Something like this happened with another forum. The forum also ran phpbb. *THAT* forum I had actually signed up on and millions were registered and it was active...it even had addresses and all that.

The forum belonged to the game Town of Salem. Search it up if you haven't heard about it.

Anyways...the point of this reply is that I'm saying it might be a problem with phpbb itself. Maybe hackers are targeting phpbb to tell the site owners that it's insecure and to move to another forum platform.


----------



## Foxi4 (Feb 4, 2019)

TheTechWiz25 said:


> Something like this happened with another forum. The forum also ran phpbb. *THAT* forum I had actually signed up on and millions were registered and it was active...it even had addresses and all that.
> 
> The forum belonged to the game Town of Salem. Search it up if you haven't heard about it.
> 
> Anyways...the point of this reply is that I'm saying it might be a problem with phpbb itself. Maybe hackers are targeting phpbb to tell the site owners that it's insecure and to move to another forum platform.


PHPBB, as much as the creators try to maintain it, is grossly out of date, it's an old style BB system. It has been for a long time, so I wouldn't be surprised if this was an internal vulnerability. I find it hard to believe that the devkitPro team didn't do their due diligence, that's highly unlikely, they're some of the most skilled people on the scene.


----------



## midstor (Feb 4, 2019)

This is why you take backups, regularly have your site audited etc... really?


----------



## the_randomizer (Feb 5, 2019)

Yes, it sucks that this happened, but why in the blue blazes of hell did they think to not backup their data, you know, frequently?


----------



## zoogie (Feb 5, 2019)

<-- *_Nervously looks at what phpbb forums he's registered to_* wololo, cough



the_randomizer said:


> Yes, it sucks that this happened, but why in the blue blazes of hell did they think to not backup their data, you know, frequently?


> Especially when you suffer from depression, anxiety, ADD & PTSD and you're trying to do a load of stuff in the face of constant criticism & snark.
> 
> — Dave Murphy (@davejmurphy) February 4, 2019


----------



## DiscostewSM (Feb 5, 2019)

While I can't change my password to something I can remember, I was able to reset it to a random string.


----------



## the_randomizer (Feb 5, 2019)

Never mind, forget what I said.  Even so, backups are common sense, no? It couldn't have been that hard to hire extra staff or have people do it for free?


----------



## Mythical (Feb 5, 2019)

the_randomizer said:


> Never mind, forget what I said.  Even so, backups are common sense, no? It couldn't have been that hard to hire extra staff or have people do it for free?


Nice edit


----------



## the_randomizer (Feb 5, 2019)

MythicalData said:


> Nice edit



Whatever my point still stands. Don't assume it won't be hacked and make backups.


----------



## Mythical (Feb 5, 2019)

the_randomizer said:


> Whatever my point still stands. Don't assume it won't be hacked and make backups.


It was never about your point being valid. You asked a question and someone answered. Then you changed your own reply with an edit. I just thought it was funny because you said "never mind, forget what I said" and then went on to declare your point valid anyway in the same post.


----------



## the_randomizer (Feb 5, 2019)

MythicalData said:


> It was never about your point being valid. You asked a question and someone answered. Then you changed your own reply with an edit. I just thought it was funny because you said never mind forget what I said then went to declare your point valid anyways in the same post



Whatever you say.


----------



## Kioku_Dreams (Feb 5, 2019)

zoogie said:


> <-- *_Nervously looks at what phpbb forums he's registered to_* wololo, cough
> 
> 
> https://twitter.com/davejmurphy/status/1092309304978432000


Life sucks. As someone who suffers from depression and ADD, some things are hard to do. However, if you choose to maintain and operate a site like this, you have to know your limits. If you're incapable, hand it off to someone who can. Again, life sucks.


----------



## Ericthegreat (Feb 5, 2019)

VinsCool said:


> Jesus, that's disgusting.
> Why out of anything would they attack devkitpro?
> That makes no sense at all.


Probably an angry dev.


----------



## Captain_N (Feb 5, 2019)

A backup from 2017? Geez. Why not use something like Acronis always-on backup? The shit makes non-stop backups...


----------



## Ericthegreat (Feb 5, 2019)

Captain_N said:


> A backup from 2017? Geez. Why not use something like Acronis always-on backup? The shit makes non-stop backups...


Eh, sometimes you just get lazy after running a site or an app for a long time. I've made a few small games that no longer work due to needing to update a few small things, but you know, I'll do it tomorrow.


----------



## Captain_N (Feb 5, 2019)

Ericthegreat said:


> Eh, sometimes you just get lazy after running a site or an app for a long time. I've made a few small games that no longer work due to needing to update a few small things, but you know, I'll do it tomorrow.



That's why I mentioned Acronis always-on backup. It's automatic. Does everything for you...


----------



## Ericthegreat (Feb 5, 2019)

Captain_N said:


> That's why I mentioned Acronis always-on backup. It's automatic. Does everything for you...


For what price? Where is it backed up? How do you know the owner has the hard drives to support many backups?


----------



## Captain_N (Feb 5, 2019)

Ericthegreat said:


> For what price? Where is it backed up? How do you know the owner has the hard drives to support many backups?



I don't know what their setup is or how much space their hoster allows. I can only make assumptions based on commonly hosted sites and forums. The data can be dumped over a VPN or FTP to their home PC. Their database can't be that large compressed, let's say 1 gig. Hard drives are hella cheap; 6 TB is about $130. As for the price, well, they can just torrent it or buy a copy. I suppose the backups can be copied to Google Drive as well to get around home internet bandwidth restrictions. I can't see their database being 15 gigs..
Even 100 gigs is nothing nowadays.


----------



## punipuno (Feb 5, 2019)

What a shame I was thinking of making a game


----------



## ELY_M (Feb 5, 2019)

shame on people who want to destroy things.....  I was on their forums few days ago looking for SDL2 info.


----------



## Joom (Feb 5, 2019)

Captain_N said:


> That's why I mentioned Acronis always-on backup. It's automatic. Does everything for you...


Or, just set up a cron and rsync. Takes two minutes.


----------



## moneychild (Feb 5, 2019)

I believe Nintendo did it!
They can’t stop us from hacking their console so they took “other measures”
Lol


----------



## DayVeeBoi (Feb 5, 2019)

Ev1l0rd said:


> I'm aware. My Pacman repos didn't break or anything. It's just awful to see all discussion from the past two years being gone.


I apologize, I did not mean to imply that it was _just_ forum discussion etc., on reading my reply again I can see why it may have seemed that way.
I was just in a hurry earlier and banged off a quick reply before I left. I am aware that many problems have been solved with a quick search of the right resource.


----------



## Ev1l0rd (Feb 5, 2019)

Memoir said:


> Life sucks. As someone who suffers from depression and ADD, some things are hard to do. However, if you choose to maintain and operate a site like this, you have to know your limits. If you're incapable, hand it off to someone who can. Again, life sucks.


You severely underestimate the amount of work WM and the entire devKitPro team does to provide homebrew tools. Let me put it very simply: without devKitPro, homebrew on the Nintendo 3DS wouldn't exist. Without devKitPro, homebrew on the Switch would be reliant on libtransistor, a library made by RS that never ended up anywhere.

They know what they do and they provide _a lot_. It's understandable that backups aren't the immediate highest priority, given how they're maintaining several toolchains for Homebrew (Switch, 3DS, Wii, GBA, GameCube and the Gamepark G32), which takes up a lot of time, which isn't helped by the fact that a number of the "quick and easy" libraries (most famous is sf2d, but there's tons of them out there) end up with a lot of developers that blame devKitPro for the external library issues.

That results in a very heavy burden on devKitPro. So while it's awful that dKP doesn't have a recent backup, it's not something I'm entirely surprised by, given how backing up their forums isn't directly high priority compared to the other tools they provide.



Captain_N said:


> A backup from 2017? Geez. Why not use something like Acronis always-on backup? The shit makes non-stop backups...


They're unlikely to use that; Acronis is proprietary software.

I'd personally advise something like restic or borg (restic is better if you just need something locally backed up to prevent you from shooting yourself in the foot, borg is better if you need multiple external locations). They provide automated incremental backups that are encrypted and can be sent to an external location. Automating is just a matter of setting up a crontab on the server. It's also easily possible to put them on a "time machine" esque schedule where only recent backups are kept and older ones are consolidated.

Both are highly recommended tools.


----------
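The "time machine" style schedule Ev1l0rd describes (keep every recent snapshot, thin out older ones) is what `restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune` and borg's `prune` implement. The block below is an added example written for this thread, not code from either tool or from the post: it applies that policy to a list of nightly snapshot timestamps (constructed here) so the keep/drop decision can be reviewed before anything is deleted.

```python
from datetime import datetime, timedelta

# Retention policy with the same shape as restic's --keep-daily/--keep-weekly/
# --keep-monthly (borg prune takes equivalent arguments). Rule per bucket type
# (calendar day, ISO week, calendar month): keep the newest snapshot in each of
# the N most recent buckets that actually contain a snapshot.
DEFAULT_POLICY = {"keep_daily": 7, "keep_weekly": 4, "keep_monthly": 6}


def select_snapshots_to_keep(snapshots, keep_daily=7, keep_weekly=4, keep_monthly=6):
    """Return the sorted list of snapshot datetimes the policy retains."""
    ordered = sorted(set(snapshots), reverse=True)  # newest first
    rules = (
        (lambda d: d.date(), keep_daily),
        (lambda d: d.isocalendar()[:2], keep_weekly),  # (ISO year, ISO week)
        (lambda d: (d.year, d.month), keep_monthly),
    )
    keep = set()
    for bucket_of, limit in rules:
        covered = []
        for snap in ordered:
            bucket = bucket_of(snap)
            if bucket in covered:
                continue  # a newer snapshot already represents this bucket
            if len(covered) >= limit:
                break  # this rule has claimed enough buckets
            covered.append(bucket)
            keep.add(snap)
    return sorted(keep)


def prune_plan(snapshots, **policy):
    """Split snapshots into (keep, drop) lists so the plan can be reviewed first."""
    keep = set(select_snapshots_to_keep(snapshots, **policy))
    drop = sorted(s for s in set(snapshots) if s not in keep)
    return sorted(keep), drop


def at(year, month, day):
    """Constructed sample timestamp: the nightly dump runs at 03:00."""
    return datetime(year, month, day, 3, 0)


def nightly_snapshots(last, nights):
    """Constructed sample: one snapshot per night, newest one is `last`."""
    return [last - timedelta(days=i) for i in range(nights)]


if __name__ == "__main__":
    # Constructed: 90 nightly database dumps ending on the day of the incident.
    keep, drop = prune_plan(nightly_snapshots(at(2019, 2, 4), 90), **DEFAULT_POLICY)
    print(f"keep {len(keep)} snapshots, drop {len(drop)}")
    for s in keep:
        print("  keep", s.isoformat())
```

With 90 nightly dumps the plan keeps 11 snapshots: the last 7 nights, the newest night of the two preceding ISO weeks, and the newest night of each earlier month.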



## Kioku_Dreams (Feb 5, 2019)



moneychild said:


> I believe Nintendo did it!
> They can’t stop us from hacking their console so they took “other measures”
> Lol


Oof. The Ninty ninjas strike again


----------



## Foxi4 (Feb 5, 2019)

zoogie said:


> <-- *_Nervously looks at what phpbb forums he's registered to_* wololo, cough
> 
> 
> https://twitter.com/davejmurphy/status/1092309304978432000


Ultimately it's an excuse. Backups can be automated and don't require much attention from a site admin, but they are an important duty. We're talking about a database full of login details, passwords and e-mails - maintaining it entails a certain degree of responsibility. He hasn't backed up the site since 2017, that's two years and no backup whatsoever. If he was in a bad headspace, he should've hired someone who wasn't, even if only for the purpose of protecting his community from unexpected data loss. There was no need to look for excuses, it's a clear slip-up. He should take this as a learning experience and improve in the future, making mistakes is what makes us human.


----------



## Ev1l0rd (Feb 8, 2019)

https://devkitpro.org/viewtopic.php?f=13&t=8846

They're back.

Remember, keep your passwords long and strong!

> We have managed to recover the forum database and re-enable the forums. More information at https://t.co/LRbKISsYDk
> 
> Apologies for not getting email out sooner.
> 
> — devkitPro (@devkitPro) February 8, 2019


----------



## RattletraPM (Feb 8, 2019)

Ev1l0rd said:


> https://devkitpro.org/viewtopic.php?f=13&t=8846
> 
> They're back.
> 
> ...


I had updated the OP not too long ago but I didn't think about posting something here ^^"

Anyways, now that the DKP forums are back up, keep in mind you will need to reset your password before you can log in if you have an account there.

WinterMute also said the attacker was able to get his account's password from the database leak even if it was salted & hashed because it was a weak one, which he also used on other accounts that later got compromised. So again, if you didn't change your passwords at first, you should definitely do it now.


----------



## RattletraPM (Feb 9, 2019)

Here's another update, however this time it's bad news.

The stolen database has been posted publicly on Pastebin and Anonfiles. This makes a bad situation even worse as, while the passwords are hashed & salted, they are still susceptible to attack (as already said) and now _anyone_ can try to get a hold of them.

Again, if you haven't changed your passwords, do so now.


----------



## Ev1l0rd (Feb 9, 2019)

> The stolen database has turned up in dumps on https://t.co/AUxJoDAHev and anonfiles. Please change your passwords and spread the word. https://t.co/LBjDNYgMKr
> 
> — devkitPro (@devkitPro) February 9, 2019


@RattletraPM source for that btw


----------



## jme2712 (Apr 7, 2019)

looks like something is going on again. smh


----------



## FMCore (Apr 7, 2019)

> Regrouping due to cyberbullying & general lack of support.
> 
> Messages of support and offers of assistance to [email protected]


----------



## WhoAmI? (May 28, 2019)

FMCore said:


> Passwords were hashed and salted, but if they know the salt used, they can use rainbow tables to try and get passwords. If they got the database, they'll more than likely have the salt.



PHPBB3 stores passwords in such a manner that they are immune to a rainbow table attack. They can only be brute-forced. Here are a few examples of a PHPBB3 hashed password:


```
$H$9zC1mTWR6oXe.wtvnDtIUVix3xHtyu/
$H$9AsL1nf35AOHW0vMlwYtOyKTzbb4NK.
$H$9fZsKRl/DJsg3xu380hJzUulhG5Nkv1
$H$9MUoBGW7ptUqLD8U1wpofrLdXokqmK1
$H$9mZqBUTmT9X5cU.05PiKwS27GXPijZ.
$H$9SxxbQqEBI5B9zq7sfXknXrN5cTHlZ.
$H$9w5.kGES7DcwDMEZX13u7p7lHGimfx/
$H$9gsSWElJHEa0Z7AZB1/TtI7qa0gKfn/
$H$9N877HOHCbmFgWLnmlsCV/IjCMfyKU/
$H$9WEV/xatRmMsljKmXUjrtt1gSuNRcu1
```

Already knowing the salt isn't going to mean they can use a rainbow table attack. The hashing algorithm is designed to prevent such a thing, and so does salting. Rainbow table attacks are purely used to get the plain-text of already known hash values AFAIK.

Simply passing those hashes to a program such as hashcat and using a wordlist is all an attacker needs to do. Maybe add a few rules or use a mask attack to brute-force some of the harder passwords, etc. A modern high-end gaming rig can easily brute-force those hashes without the need of rainbow tables.


----------
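FMCore's rainbow-table worry and WhoAmI?'s description of the `$H$` hashes can both be checked against the format itself. The block below is an added example, not code from the thread, from phpBB or from phpass: a Python reimplementation of the phpass "portable hash" that phpBB3 stores, parsing the cost and salt out of one of the hashes quoted above and showing why a per-hash salt defeats precomputed tables while 2048 rounds of MD5 still keep each guess cheap. The password and salt values used for the round trip are constructed for illustration.

```python
import hashlib
import secrets

# phpass alphabet (crypt-style base64, not RFC 4648). ITOA64.index('9') == 11,
# so a "$H$9" prefix means 2**11 = 2048 MD5 rounds, the phpBB 3.0 default.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64: pack `count` bytes into 6-bit ITOA64 characters."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def parse_phpass(setting: str):
    """Split a '$H$' (phpBB3) or '$P$' (phpass) hash into (id, cost_log2, salt).

    Layout: 3-char id, 1-char cost (ITOA64 index = log2 of MD5 rounds),
    8-char salt, then 22 chars encoding the 16-byte digest (34 chars total).
    The salt is random per user, so one precomputed table cannot cover
    two accounts: that is why rainbow tables do not apply here."""
    if len(setting) < 12 or setting[:3] not in ("$H$", "$P$"):
        raise ValueError("not a phpass portable hash")
    cost_log2 = ITOA64.index(setting[3])
    if not 7 <= cost_log2 <= 30:
        raise ValueError("cost out of range")
    return setting[:3], cost_log2, setting[4:12]


def phpass_hash(password: str, setting: str) -> str:
    """MD5(salt + pw), then 2**cost_log2 rounds of MD5(digest + pw).
    `setting` may be a full stored hash or just its first 12 characters.
    At 2048 rounds this is a few microseconds per guess, which is the
    reason the thread tells users to change reused passwords."""
    _, cost_log2, salt = parse_phpass(setting)
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    try:
        candidate = phpass_hash(password, stored)
    except ValueError:
        return False
    return secrets.compare_digest(candidate.encode(), stored.encode())


def phpass_gensalt(cost_log2: int = 11) -> str:
    """New '$H$' setting with a random 8-char salt (6 random bytes encoded)."""
    return "$H$" + ITOA64[cost_log2] + _encode64(secrets.token_bytes(6), 6)


if __name__ == "__main__":
    # One of the hashes quoted in the thread: cost '9' -> 2048 rounds, salt 'zC1mTWR6'.
    print(parse_phpass("$H$9zC1mTWR6oXe.wtvnDtIUVix3xHtyu/"))
    # Constructed password and salt, round-tripped through hash and verify.
    h = phpass_hash("constructed-example-pw", "$H$9AbCdEfGh")
    print(h, phpass_verify("constructed-example-pw", h))
```

phpBB 3.1 and later default to bcrypt (`$2y$`) for new passwords, which is the fix for the cheap-guess problem; an old `$H$` hash only gets upgraded when that user next logs in.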

