Naked Security Naked Security

Hacking forum spills rival’s 321,000 member database

When users of hacking forums turn on each other, expect things to get messy quickly.

When users of hacking forums turn on each other, expect things to get messy quickly.

The latest site to find itself on the receiving end of this phenomenon is Cracked.to which last Friday reportedly found its database of 321,000 members and 749,161 unique email addresses leaked on rival site, RaidForums.

We can say that with confidence because by Monday the compromised accounts had become another statistic on the Have I Been Pwned (HIBP) breach database – the industry’s go-to for news of such incidents.

That dated the breach to 21 July, with the stolen data also including things anyone frequenting a forum of this type would rather not be out in the open such as “IP addresses, passwords, private messages, usernames.”

As Ars Technica points out, this isn’t likely to be as serious a data breach as it would be for a more mainstream website.

IP addresses will likely be anonymised using Tor with account email addresses that probably won’t identify the users behind them – this is a cagey hacking forum after all.

As for password security, according to the site’s breach warning, it appears that months before the breach an admin at Cracked.to realised the danger of using weak hashing:

We have changed the hashing algorithm of passwords from myBB default (MD5) to something more advanced a few months ago, which makes it almost impossible to decrypt your passwords.

Doxing schadenfreude

More of a problem, however, is the leaking of private messages, which might identify at least some users.

The culprit? Apparently, an inside job carried out by an “old person of my trust”, said a current forum admin. Naturally:

There will be consequences for the forum that is responsible for distributing the backup and for the person that leaked it.

On the former point of revenge, they might need to join a queue. In May, data from 112,988 users of rival forum OGusers also appeared on RaidForums.

Security writer Brian Krebs argued that this “comeuppance” would probably prove to be an excellent resource for law enforcement to trawl through for evidence of crimes and perhaps the names behind them.