Hacker Site’s Incriminating Database Published Online By Rivals

August 13, 2019 TH Author headline,hacker,privacy,database,data loss,cyberwar

Hackers from Raidforums recently breached the site of rival hacking forum Cracked.to and spilled data for more than 321,000 of its members. The hackers did so while some of their victims were discussing cracking Fortnite accounts, selling software exploits, and engaging in other potentially illegal activities.

In all, the dump posted on Friday to Raidforums.com exposed 749,161 unique email addresses, breach-notification service HaveIBeenPwned reported. The published data also included users’ IP addresses, usernames, private messages, and passwords stored as bcrypt hashes. The database was generated by website forum application myBB. Cracked.to describes itself as a forum that provides “cracking tutorials, tools, combolists, marketplace and many more stuff!” Raidforums, meanwhile, offers forums on many of the same topics.

Ars reviewed a 2.11 gigabyte file published by Raidforums and found it contained nearly 397,000 private messages, many that aired the kinds of details most hackers strenuously avoid disclosing. The details included the usernames, email addresses, and IP addresses of people seeking to buy, sell, or support software or services for cracking accounts for popular video game Fortnite.

“Freshly cracked Fortnite accounts with skins captured,” reads the subject of one message. “How to change email on cracked Fortnite accounts,” the subject of another says. Other users advertise services for exploiting CVE-2019-20250, a critical vulnerability in the WinRAR file-compression program, which was being actively exploited earlier this year to install a host of nasty malware on vulnerable computers.

It’s likely that many of the people accessing Cracked.to did so from IP addresses anonymized by Tor or some other means. They probably used email addresses and user names that were also similarly anonymized, or at least pseudo-anonymized. Still, all it takes for law enforcement or rival hackers to pounce is to slip up just once and use the wrong IP address. The database posted on Friday should put all of those people on notice.

The dump also serves as a cautionary tale to website administrators everywhere that databases can and will be compromised. It’s still not clear how the database was obtained. Raidforums owner, developer, and host “Omnipotent” told Ars it was through an “exploit,” but Omnipotent provided no details beyond that. If true, that would likely mean myBB or another piece of software used by the site was hacked. Ars couldn’t rule out the possibility an administrator password was obtained, or some other means.

A top administrator at Cracked.to, meanwhile, claimed in July that “an old person of my trust has forum backups that contains the database and folder files.” A few months earlier, the Cracked.to admin said, the site had converted from the very weak default myBB password-hashing scheme to something much stronger. In light of the breach, the site required users to change their passwords.

It turns out that was a major coup that prevented the breach from being much worse. The new scheme used the industrial-strength bcrypt hashing function with a work factor of 12. That makes it impossible to guess the vast majority of hashes without spending prohibitively large amounts of time and money. Weak passwords could still be cracked, but beyond that, the hashes aren’t of much use. Had Cracked.to continued to use the old scheme, cracking the majority of hashes within a matter of days or weeks would have been trivial.

In an interview, the Cracked.to administrator said he regretted the leak, particularly those involving private messages.

“With no doubt, private messages being leaked in plaintext is the worst thing about the whole database breach,” the administrator, who uses the handle floraiN, said in an encrypted chat with Ars. “However as a forum owner you can’t really control what people are dealing with in DMs unless you look them up directly in the database.”

He said the IP address of specific private messages was encoded, but that the dump included the IPs of each user’s first and most recent visit. floraiN said those details could still be used to track some users down. The admin, meanwhile, is vowing not to take the breach lying down.

“There will be consequences for the forum that is responsible for distributing the backup and for the person that leaked it,” floraiN said in an update posted on Friday.