Emuparadise suffers data breach, 1.1 million accounts affected

Discussion in 'GBAtemp & Scene News' started by Chary, Jun 9, 2019.

  1. AkitoTheHedgy

    AkitoTheHedgy Advanced Member

    Newcomer
    3
    Dec 7, 2018
    United States
    Well, I started using Bitwarden... and almost lost my accounts.
     
  2. sks316

    sks316 Professional Shitposter (also I help sometimes)

    Member
    11
    Nov 28, 2013
    United States
    Windows XP background
    Almost lost your accounts? How? I've had literally no issues with it.
     
  3. AkitoTheHedgy

    AkitoTheHedgy Advanced Member

    Newcomer
    3
    Dec 7, 2018
    United States
    Forgot the master password in 10 minutes. Thank GOD Roblox and GBAtemp had password recoveries.
    Really don't care about VRV since I started to use it today.
     
  4. sks316

    sks316 Professional Shitposter (also I help sometimes)

    Member
    11
    Nov 28, 2013
    United States
    Windows XP background
    This isn't really something to blame on Bitwarden, but more of yourself for being forgetful. This is also why you make the master password something that's easy to remember, but not too insecure (or just write it down somewhere).
     
    Pipistrele likes this.
  5. AkitoTheHedgy

    AkitoTheHedgy Advanced Member

    Newcomer
    3
    Dec 7, 2018
    United States
    Yeah, that's what I just did.
     
  6. Unleanone999

    Unleanone999 GBAtemp Advanced Fan

    Member
    6
    May 15, 2018
    Togo
    Ouch! Talk about kicking someone when they're already down.
     
  7. Pipistrele

    Pipistrele GBAtemp Regular

    Member
    3
    Jan 21, 2019
    Russia
    Then how did you forget it? :D
     
  8. 1MiinMofo

    1MiinMofo Advanced Member

    Newcomer
    1
    Jan 29, 2019
    Canada
    Oh God no! Hackers in Kyrgyzstan now also have my passwords for Suprnova, LokiTorrent, isoHunt, and KickassTorrents!
     
  9. CheeseMan13

    CheeseMan13 Member

    Newcomer
    3
    Nov 15, 2018
    United States
    Damn, now they have access to my 10minutemail throwaway
     
    chaoskagami likes this.
  10. Trash_Bandatcoot

    Trash_Bandatcoot A Nintendo DSi-madman (and yet he doesn’t code)

    Member
    9
    Jul 14, 2018
    Netherlands
    Yes, I have been...
    Pwned.
     
  11. Ericthegreat

    Ericthegreat Not New Member

    Member
    10
    Nov 8, 2008
    United States
    Vana'diel
    FUCKIN PIRITES GIT GOT WHAT THEY DESERE!!!!!!!!!!! -tumbler/nintendolife probably
     
    Last edited by Ericthegreat, Jun 10, 2019
    Subtle Demise likes this.
  12. AkitoTheHedgy

    AkitoTheHedgy Advanced Member

    Newcomer
    3
    Dec 7, 2018
    United States
    F. Hope you can get all your data back. (wait...)
     
  13. gudenau

    gudenau Largely ignored

    Member
    10
    GBAtemp Patron
    Jul 7, 2010
    United States
    /dev/random
    Still bad practice for them to use that hash.
     
    chaoskagami likes this.
  14. chaoskagami

    chaoskagami G̷̘̫̍̈́̊̓̈l̴̙͔̞͠i̵̳͊ţ̸̙͇͒̓c̵̬̪̯̥̳͒͌̚h̵̹̭͛̒̊̽̚

    Member
    10
    Mar 26, 2016
    United States
    ↑↑↓↓←→←→BA
    Not debating that. Anyone using MD5 in this day and age as a cryptographic hash is a moron. It's about as useful as a CRC32 at this point.
     
  15. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23
    Nov 21, 2005
    United Kingdom
    Why is it bad here though?

    If you are using it for HMAC or something real then yeah, that is bad if you hope to have something like security against a determined actor.

    For a salted password then it makes little odds from what I can see.

    Am I missing something here?

    General idea behind it all.
    Storing passwords is bad.
    Hashing a password and storing that is better. That way only someone with the password should be able to generate the right hash when the password is entered -- the whole one way and unable to be determined thing.
    As it is possible to generate a hash for every combination of characters up to so many characters, all the words in the dictionary, all the most common passwords, all the common words with the obvious e and 3 substitution (and the rest), and put this in one giant table of a fair few gigabytes, you can actually do a reverse lookup to see if you have a matching thing relatively easily for what most people have as passwords.
    To that end, if you add a bit of random data to the password and hash both the pass and the random data (a so-called salt), these basic hashes no longer work.
    If you use the same salt for every user you can make a new rainbow table for the dictionary+... stuff again with this salt and do the lookup. To that end sites will often try to use unique salts for every user, a popular one being the millisecond that the user joined, as it is something they are not going to be able to control and is essentially random.
    If the hash involved is vaguely cryptographically rated (and for all the flaws and ability to tickle a supercomputer to generate collisions, MD5 still kind of is) then there is not a lot of odds in it. SHA256 or whatever the kids will be suggesting is not that much more computationally expensive and rainbow tables can still be made. The extra space for the larger hashes and generation time is not so much as to render them not viable for these attack vectors.

    It is still not complete, as you can do things like grab the table, find the salt for an admin account, generate a rainbow table for that salt and hash and do an admin takeover, but as far as dumping users and having their passwords readily generated it is not going to make a lot of odds here. About as bad as it gets would be if said MD5 was used to force a collision where a collision is less likely on a better method, but given the dictionary approach being the main approach used/feared/anticipated I am still not seeing it.
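Added example (not part of the thread or of any poster's code) illustrating the salt discussion above: a precomputed lookup table built once over a wordlist reverses every unsalted MD5 row in a dump; a site-wide salt only forces the table to be rebuilt once with that salt; a per-user salt forces one table per account, so the precomputation no longer amortises across the dump. The wordlist, the three accounts, the site-wide salt and the function names are constructed for the demo. MD5 is used only because it is the hash under discussion.

```python
import hashlib
import os

# Constructed wordlist: stands in for the dictionary words, common passwords and
# "e -> 3" variants that a precomputed table would be built from.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2"]

# Constructed accounts. The plaintexts exist only so the demo can build stored rows;
# carol's passphrase is deliberately absent from WORDLIST.
USERS = [("alice", "password"), ("bob", "hunter2"), ("carol", "correct horse battery")]


def md5_hex(data: bytes) -> str:
    """MD5 because it is the hash in the breach under discussion, not a recommendation."""
    return hashlib.md5(data).hexdigest()


def precompute_table(wordlist, salt: bytes = b"") -> dict:
    """Reverse-lookup table hash(salt + word) -> word for every candidate.
    A rainbow table compresses this with hash chains; a dict shows the same idea."""
    return {md5_hex(salt + w.encode()): w for w in wordlist}


def store_unsalted(users) -> dict:
    return {name: md5_hex(pw.encode()) for name, pw in users}


def store_shared_salt(users, salt: bytes) -> dict:
    return {name: md5_hex(salt + pw.encode()) for name, pw in users}


def store_per_user_salt(users, salt_len: int = 16) -> dict:
    """Each account gets its own os.urandom salt, stored next to the hash."""
    rows = {}
    for name, pw in users:
        salt = os.urandom(salt_len)
        rows[name] = (salt, md5_hex(salt + pw.encode()))
    return rows


def reverse_with_table(rows: dict, table: dict) -> dict:
    """One table, one lookup per row: table-building cost is paid once for the dump."""
    return {name: table.get(h) for name, h in rows.items()}


def reverse_per_user(rows: dict, wordlist) -> tuple:
    """Unique salts force a fresh table per account, so the hash work grows from
    len(wordlist) to len(wordlist) * len(users). Returns (found, hash_ops)."""
    found, hash_ops = {}, 0
    for name, (salt, h) in rows.items():
        table = precompute_table(wordlist, salt)
        hash_ops += len(wordlist)
        found[name] = table.get(h)
    return found, hash_ops


def demo() -> dict:
    generic = precompute_table(WORDLIST)                    # no salt: built once, reused forever
    unsalted = reverse_with_table(store_unsalted(USERS), generic)

    site_salt = b"site-wide-salt"                           # constructed; a dump would reveal it
    shared_rows = store_shared_salt(USERS, site_salt)
    shared_vs_generic = reverse_with_table(shared_rows, generic)
    shared_vs_rebuilt = reverse_with_table(shared_rows, precompute_table(WORDLIST, site_salt))

    per_user_found, per_user_ops = reverse_per_user(store_per_user_salt(USERS), WORDLIST)
    return {
        "unsalted": unsalted,
        "shared_salt_generic_table": shared_vs_generic,
        "shared_salt_rebuilt_table": shared_vs_rebuilt,
        "per_user_salt": per_user_found,
        "per_user_hash_ops": per_user_ops,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows alice and bob recovered in every scheme that uses a wordlist password, carol never, and the per-user case costing len(WORDLIST) hashes per account rather than once for the whole dump. What the per-user salt does not change is the cost of a single guess: that depends on how expensive the hash itself is to compute.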
     
  16. chaoskagami

    chaoskagami G̷̘̫̍̈́̊̓̈l̴̙͔̞͠i̵̳͊ţ̸̙͇͒̓c̵̬̪̯̥̳͒͌̚h̵̹̭͛̒̊̽̚

    Member
    10
    Mar 26, 2016
    United States
    ↑↑↓↓←→←→BA
    The problem is that passwords are expected to be run through a cryptographically secure hash, e.g. one with minimal to no collisions, and an algorithm in which recovering the plaintext is not feasible. MD5 fails both; generating collisions is easy, and the relative time it takes to recover the preimage is far, far lower than equivalent hashes like ripemd160 or sha1.

    But to make this simpler: there are several hashing pools that attempt to recover passwords from these types of public breach data sets, and a 14-character preimage of an MD5 can be found in seven minutes by 16 high-end GPUs. How much processing power do you think a hashing pool has? Hint: a lot more than 16 high-end GPUs.
     
    Last edited by chaoskagami, Jun 12, 2019
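Added example (not from the thread) for the point in the post above that a fast hash like MD5 is the wrong primitive for passwords: it measures guesses per second on one CPU core for salted MD5 against PBKDF2-HMAC-SHA256 from Python's hashlib, and converts the rates into worst-case time to exhaust an 8-character lowercase keyspace. The 200,000 iteration count is an assumed work factor, the candidate strings are constructed, and the measured rates are single-core numbers, so they show the slowdown ratio rather than the GPU figures quoted in the post. It also includes the stored-record and constant-time verify shape a site would use.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor; in practice tune so one verification costs ~100 ms on the login servers.
PBKDF2_ITERATIONS = 200_000


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Stored form of a credential: algorithm, work factor, random salt, derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations, "salt": salt, "dk": dk}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and iterations; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def md5_guess(salt: bytes, candidate: bytes) -> bytes:
    """One guess against a salted-MD5 row: a single short hash computation."""
    return hashlib.md5(salt + candidate).digest()


def pbkdf2_guess(salt: bytes, candidate: bytes) -> bytes:
    """One guess against a PBKDF2 row: PBKDF2_ITERATIONS chained HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", candidate, salt, PBKDF2_ITERATIONS)


def guesses_per_second(guess_fn, trials: int) -> float:
    """Measure how many candidates per second guess_fn can test on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        guess_fn(salt, b"candidate-%d" % i)       # constructed candidates; content is irrelevant
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every string of `length` symbols at `rate` guesses/s."""
    return alphabet_size ** length / rate


def compare(md5_trials: int = 20_000, pbkdf2_trials: int = 3) -> dict:
    md5_rate = guesses_per_second(md5_guess, md5_trials)
    pbkdf2_rate = guesses_per_second(pbkdf2_guess, pbkdf2_trials)
    return {
        "md5_guesses_per_s": md5_rate,
        "pbkdf2_guesses_per_s": pbkdf2_rate,
        "slowdown_factor": md5_rate / pbkdf2_rate,
        # 8 lowercase letters: 26**8 candidates, an easy keyspace for a fast hash
        "md5_8_lower_seconds": seconds_to_exhaust(26, 8, md5_rate),
        "pbkdf2_8_lower_seconds": seconds_to_exhaust(26, 8, pbkdf2_rate),
    }


if __name__ == "__main__":
    rec = make_record("correct horse battery")
    print("verify ok:", verify("correct horse battery", rec), "wrong:", verify("hunter2", rec))
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}")
```

The slowdown factor is the whole point: a salt stops precomputation from being shared across accounts, but only a deliberately expensive hash makes each individual guess cost enough that the 14-character-in-seven-minutes arithmetic stops working. Whatever work factor is chosen goes into the stored record so it can be raised later without a breaking migration.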
  17. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23
    Nov 21, 2005
    United Kingdom
    So that is the determining admin passwords thing covered but rainbow tables, which are the main thrust of this sort of thing, are about the same expense. I am not advocating for using it, just that in this scenario it does not seem as bad as using it for signing certs, HMAC or things that I would slap the person that used MD5 for.
     
  18. chaoskagami

    chaoskagami G̷̘̫̍̈́̊̓̈l̴̙͔̞͠i̵̳͊ţ̸̙͇͒̓c̵̬̪̯̥̳͒͌̚h̵̹̭͛̒̊̽̚

    Member
    10
    Mar 26, 2016
    United States
    ↑↑↓↓←→←→BA
    No. Those numbers are not rainbow tables, but brute force.
     
    Last edited by chaoskagami, Jun 12, 2019