OMG, HDBits has been hacked



KFlint
07-31-2007, 10:42 PM
This is what every user received like 15 minutes ago:

Looks like the passwords are stored unencrypted in the DB, that sucks :(

EDIT : wrong section, my bad

Mr. Valerio over here has attempted to hack every HD site there is (including some others as well)

This is payback time for all he did to bitmetv and all the other sites. By the way, I would suggest you all change your passwords, as they are stored unencrypted in the database and have been used to log in to other sites.

I apologize to all the users and as such I will not touch the torrents. This is not a lesson for you lot.

NOTICE: This is a mass pm, it has been sent to the following classes: Upscale, 720p, 1080i, 1080p, UHD, VIP, Uploader, HDTV Capper

monk3y
07-31-2007, 10:47 PM
people should leave this site...

Colt Seevers
07-31-2007, 10:49 PM
Good

jeter
07-31-2007, 10:55 PM
damnit!

sear
07-31-2007, 10:57 PM
:lol: that sucks for HD...
should have encrypted the password though...doh

shutdk
07-31-2007, 10:58 PM
...

LiMuBai
07-31-2007, 10:59 PM
And in the meantime it looks like Bit-HDTV got a new login page.

they've had it for a couple of days. they completely revamped the site and freeleeched everything for a week

redcorvette
07-31-2007, 11:00 PM
well... HDBits has been down for a while now....

jeter
07-31-2007, 11:02 PM
I'm going to bit-hdtv....

amdxp
07-31-2007, 11:08 PM
Anyone who can give me an hdbits invite? lol

JunelBT
08-01-2007, 12:25 AM
Wonderful, looks like they loaded a backup, I'm missing about 15GB of upload credit. :angry:

Melvinmeow
08-01-2007, 12:31 AM
Just because someone hacked into the site doesn't always mean the passwords are in plain text. It could be that the person who hacked in is just trying to give the site a bad name by saying they have plaintext. I have only seen 2 sites in all my days use plain text passwords. 1 was a few years ago and 1 somewhat recently.

seppypom
08-01-2007, 12:35 AM
what site was it somewhat recently...:whistling.......just kidding!

sense
08-01-2007, 12:51 AM
Lost 3GB of upload :(

sear
08-01-2007, 01:11 AM
Just because someone hacked into the site doesn't always mean the passwords are in plain text. It could be that the person who hacked in is just trying to give the site a bad name by saying they have plaintext. I have only seen 2 sites in all my days use plain text passwords. 1 was a few years ago and 1 somewhat recently.

still it would suck if it's true for people that like to use the same password :frusty:

whitepawn2a6
08-01-2007, 01:18 AM
crap, i love that site too

necromantic
08-01-2007, 01:26 AM
Glad to see they're back on their feet. Obviously DSF knows how to make regular backups *cough* TB *cough*, good job buddy. Man if HDBits went down I don't know what I'd do. It's got to be my favorite torrent site.

KFlint
08-01-2007, 02:02 AM
yeah, I enjoy it too, I hope they will patch the leak so that something like that doesn't happen again...

mforcex
08-01-2007, 02:06 AM
lets lower the hdbits ranking now

the recent site that stores stuff in plaintext is RTS... oh no I blew the whistle. damn me.

awoeonip
08-01-2007, 02:16 AM
Man if HDBits went down I don't know what I'd do. It's got to be my favorite torrent site. +1 After getting used to high quality HD stuff from there, it's so much harder to watch SD movies from anywhere else.:pinch:

redcorvette
08-01-2007, 06:14 AM
WTF.. I post some funny pics there and I get disabled... I think the person who hacked HDBits is better than the fucking staff there.

LOL...bitches and assholes...

akkk
08-01-2007, 07:57 AM
I just deleted my account at that stinky site, should have done it a lot earlier...

KSA
08-01-2007, 09:52 AM
LOL :lol:

4ndy
08-01-2007, 09:53 AM
yea that site sucks

Patriot foreve
08-01-2007, 10:05 AM
Some members' comments from the HDbits forums

everyone needs to chill out. I watched the 'hack' live.

Basically, someone at bitmetv got on the site, used valerio's account, deleted all the ctrlhd, deleted the staff... etc etc... he replied a few times on the forum, made a new poll/news on the page, PM'ed everyone... That's about it.

*****************************

early today the site went all f*ed up and some hateful message towards Valerio got posted, b/c here's the deal, if my password is in the database unencrypted I would like to know. Maybe I am just crazy, but I swore that there was something about hacking HD sites and the other sites that I may or may not use with the information a mod/admin could get?

truth or bullshit?


e: i also had a mass pm about this, but it's gone???????

********************************************

someone with skill could easily find the passwords even if they're encrypted...

they must have had db access, which means they could have pulled off all the 'secret', username and 'joined' fields (if I remember correctly this is what the passhash is made of, though I may be wrong) to create a rainbow table (for each row) and then brute force it against the passhash (which they also obviously got) to retrieve the actual password... it is time consuming but it is very possible if they really wanted them...

if it was unencrypted then they obviously did not have to do anything. Only the server logs can show what they did, and if they're good, there won't even be any logs.

**********************************************************
Yaxyo wrote:

Passwords were md5 hashed or not?

nwo (Moderator):

Yes.
But as this (and a shitload of other) torrent sites are based on tbsource, it has certain problems.
One is: md5 hash of passwd = pass in cookie file.

So if someone were to gain access to the database, he can just grab a hashed password from
a user, change his cookie file, and he's logged in under that username.

This has now been changed: pass in cookie file is now different than md5 hashed password in database.


as you can see, most of the comments are about someone from bitmetv having hacked hdbits as revenge for some earlier incident

some claim that the passes were unencrypted, while one of the mods said that they are encrypted but the TB source had major problems

The public announcement says that everything is ok and advises members to change passes, but not much detail

I hope the guys at HDBits recover quickly, it's one of the best HD trackers out there and it was sad to see them get hacked
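The cookie problem nwo describes above (the 'pass' cookie is literally the MD5 passhash from the 'users' table, so anyone who can read the table can log in as anyone) is easy to reproduce in a small model. The following is an added example written for this thread, not code from HDBits or from tbsource; it is a Python sketch of the PHP flow, and the per-user 'secret' column, the exact hash concatenation, the sample users, and the HMAC-based fix are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed "users" rows, modelled on the tbsource layout the thread
# describes (a per-user 'secret' column next to the 'passhash'). The exact
# concatenation below is an assumption for illustration, not tbsource's code.
def make_passhash(secret: str, password: str) -> str:
    return hashlib.md5((secret + password + secret).encode()).hexdigest()


USERS = {
    1: {"username": "alice", "secret": "k3rn3l", "passhash": make_passhash("k3rn3l", "hunter2")},
    2: {"username": "bob", "secret": "p0pc0rn", "passhash": make_passhash("p0pc0rn", "letmein")},
}


# --- the weakness nwo describes: the 'pass' cookie IS the stored hash --------
def vulnerable_login(uid: int, password: str):
    """Password check at takelogin time; on success returns the cookie pair."""
    row = USERS[uid]
    if not hmac.compare_digest(make_passhash(row["secret"], password), row["passhash"]):
        return None
    return {"uid": str(uid), "pass": row["passhash"]}


def vulnerable_check_cookie(cookie: dict) -> bool:
    """Per-request check: accepted if the cookie 'pass' equals the DB passhash."""
    row = USERS.get(int(cookie["uid"]))
    return row is not None and hmac.compare_digest(cookie["pass"], row["passhash"])


def forge_cookie_from_dump(uid: int) -> dict:
    """What an attacker with read access to the table (SQL injection, a leaked
    dump) can do: build a valid cookie without knowing any password."""
    return {"uid": str(uid), "pass": USERS[uid]["passhash"]}


# --- a hardened variant: cookie = HMAC(server key, uid || passhash) ---------
# The key lives in the site's config file on disk, never in the database, so a
# DB read alone cannot mint a cookie. (Assumption: one reasonable fix, not the
# change HDBits actually made.)
SERVER_KEY = secrets.token_bytes(32)


def cookie_token(uid: int, passhash: str) -> str:
    return hmac.new(SERVER_KEY, f"{uid}:{passhash}".encode(), hashlib.sha256).hexdigest()


def hardened_login(uid: int, password: str):
    row = USERS[uid]
    if not hmac.compare_digest(make_passhash(row["secret"], password), row["passhash"]):
        return None
    return {"uid": str(uid), "pass": cookie_token(uid, row["passhash"])}


def hardened_check_cookie(cookie: dict) -> bool:
    row = USERS.get(int(cookie["uid"]))
    if row is None:
        return False
    # Binding the token to the current passhash means a password change
    # invalidates every cookie issued before it.
    expected = cookie_token(int(cookie["uid"]), row["passhash"])
    return hmac.compare_digest(cookie["pass"], expected)


if __name__ == "__main__":
    forged = forge_cookie_from_dump(1)
    print("forged cookie accepted by original scheme:", vulnerable_check_cookie(forged))
    print("forged cookie accepted by hardened scheme:", hardened_check_cookie(forged))
    print("real login accepted by hardened scheme:", hardened_check_cookie(hardened_login(1, "hunter2")))
```

The forged cookie passes the original check and fails the hardened one, while a real login still works. Note what the fix does and does not buy: it stops a database read from turning into a session, but a leaked dump still lets the attacker crack weak passwords offline and try them on other trackers, which is why the "change your password everywhere you reused it" advice in the thread still stands.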

CyDealer
08-01-2007, 12:01 PM
Valerio wrote:

Credits are still there on the faq page.
I don't use sites like that because most of the 'mods' are made by noobs .... and are almost always the things that are exploited to do things like this (case in point, he used a page that was a mod that either came with brokenstones (brokenstones being tbsource + some mods made by noobs) or dsf added).
I actually made the site more secure last night (should've done this ages ago really). You now can't get on someone's account without actually knowing the password. You can sql inject all you like (I really hope there aren't any more, but you never know) but it won't help you create a cookie. I added ages ago a thing to make sure you can only attempt to login 5 times .. so no chance of brute forcing passwords either.



Good job Valerio. You really managed to secure the site I see LOL

You, my friend, are the n00b, cause your site was 0wned YET AGAIN. Oh and by the way, you should check your ssh logs and change your root password. Oh and the salting you added sucks http://hdbits.org/pic/smilies/tongue.gif


NOTICE: This is a mass pm, it has been sent to everyone

MASS email just sent out at HDBits

KFlint
08-01-2007, 01:05 PM
ouch again!

fatma
08-01-2007, 01:08 PM
lots of posts to read here.
could someone please tell me who or which tracker is hacking hdbits, and why? :)

d00dz
08-01-2007, 02:43 PM
HDbits is ok now..
2007-08-01 - we were hacked 6 hours ago, everything should be OK now, we advise everyone to change password

KevinGarnet
08-01-2007, 03:30 PM
bad news for HD.. for me it is interesting..

Gordion
08-01-2007, 04:08 PM
Lost 20GBs uploaded.... :angry:

TBA
08-01-2007, 05:49 PM
Passwords are broken atm, you can get it reset if you like .. but they'll be altered to what they were last night before long :frusty:

KFlint
08-01-2007, 06:52 PM
Passwords are broken atm, you can get it reset if you like .. but they'll be altered to what they were last night before long :frusty:

damn :frusty::frusty::frusty:

Fibo
08-01-2007, 07:14 PM
Sites down for me

aaa333aaa
08-01-2007, 07:49 PM
Site is down for maintenance, please check back again later...
#HDBits @ irc.p2p-network.net

Bitowzky
08-01-2007, 08:12 PM
What's the pass to irc? :\

terrorize
08-01-2007, 08:38 PM
I can't log in and recover pass doesn't work, it says my email isn't in the database, any idea?!?!

Gish
08-01-2007, 08:44 PM
HDbits is the best HD site out there; for those that bitch about it, why don't you give your account to others that want to be members!

Sylar666
08-15-2007, 06:29 AM
Is it HDbits or Bit-HDTV ? Which one was hacked, for God's sake? I thought it was Bit-HDTV. Or both have been screwed up?

cobra47hl
08-15-2007, 06:32 AM
damn damn damn :frusty:

znik
08-15-2007, 08:42 AM
Sylar, the HDbits tracker was hacked about 2 weeks ago. Not now.
Yesterday there was a leak of the passwds of BitHDTV, but all passwds were reset because of that.

"terrorize" I think you were probably disabled because you haven't used your account enough. All other users have no problems.

terrorize
08-15-2007, 09:17 AM
i fixed it its workin now
thx anyway

DV8type
08-15-2007, 09:22 AM
Is it HDbits or Bit-HDTV ? Which one was hacked, for God's sake? I thought it was Bit-HDTV. Or both have been screwed up?

Bit-HDTV was recently hacked, HDBits was hacked a while ago
:pinch:

Green Goblin
08-15-2007, 09:53 AM
i fixed it its workin now
thx anyway
btw this is their .txt file:


why would you post that file here, are you nuts? edit your post, i don't think everyone here needs to see this.

terrorize
08-15-2007, 10:11 AM
okok if thats what you want :)

znik
08-15-2007, 10:14 AM
the passwds have all been automatically reset by the system now goblin.
However, these data could be used on other trackers to steal same passwds of same usernames...

Green Goblin
08-15-2007, 10:52 AM
the passwds have all been automatically reset by the system now goblin.
However, these data could be used on other trackers to steal same passwds of same usernames...

+1 mate

Bfietta
08-15-2007, 11:25 AM
my Bit-HDTV account is stolen :(

anyone got their irc server and channel name?

Daniel
08-15-2007, 11:33 AM
- connect to irc.p2p-network.net
- join our channel #BiT-HDTV

Bfietta
08-15-2007, 11:36 AM
on my way

TheDoc
08-15-2007, 11:51 AM
lets lower the hdbits ranking now

the recent site that stores stuff in plaintext is RTS... oh no I blew the whistle. damn me.

Hope you burn in Hell, and
RTS staff must do something about that

TheFoX
08-15-2007, 12:17 PM
Standard TB source will always hash the password using secrets as the salt, so the default storage of passwords is MD5 (excepting the very early TB source snapshots which used plaintext, but they are way past their sell by dates, and should not be used).

For a modern tracker to store passwords as plaintext requires the site operator to modify the takelogin and takesignup to store a plaintext password (and do the comparison on login) into the 'users' table (a column already exists called 'oldpassword').

In other words, this is not an accident, but intentional. The only reason that anyone would store passwords in plaintext is so that they can discern your passwords. The only reason for this is so that they can harvest your accounts at other trackers.

A number of individuals, such as Jait, have shown that TB derived scripts have numerous vulnerabilities, and they have also shown how to seal these holes. There is an entire thread on TBDev addressing all manner of exploits, including the stealing of the passhash (which can be made secure through the cookie mechanism, contrary to popular belief).

The simple point I am making is that there is enough information at TBDev to secure any source, and the simple fact remains that too many site operators are either too complacent to think it will happen to them, or too damn stupid to even run their own site. Anyone who thinks they don't need to scrutinise their code from time to time is asking for trouble. New vulnerabilities are discovered all the time, and new measures to deter these attacks are being created all the time.

The web waits for no man.
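Two earlier points in the thread fit together here: the HDbits forum comment that someone with DB access could pull the 'secret' fields and build a table per row, and TheFoX's point above that standard TB source hashes the password with the user's secret as the salt (while the early snapshots used plaintext). The following is an added example written for this thread, not code from tbsource or any tracker; it measures what the per-user secret actually buys against an attacker who already holds a dump. The sample rows, wordlist and hash concatenation are constructed assumptions.

```python
import hashlib

# Constructed rows and wordlist, not data from any real tracker.
WORDLIST = ["password", "hunter2", "letmein", "dragon", "qwerty", "123456"]


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def salted_hash(secret: str, password: str) -> str:
    # Per-user secret mixed into the hash, as TheFoX describes for TB source.
    # The concatenation order is an assumption used only for this example.
    return md5hex(secret + password + secret)


# Early-snapshot style: bare md5(password), no per-user salt.
UNSALTED_DUMP = [
    ("alice", md5hex("hunter2")),
    ("bob", md5hex("letmein")),
    ("carol", md5hex("Tr0ub4dor&3")),   # not in the wordlist: stays uncracked
]

# Standard TB source style: ('secret', 'passhash') per row.
SALTED_DUMP = [
    ("alice", "k3rn3l", salted_hash("k3rn3l", "hunter2")),
    ("bob", "p0pc0rn", salted_hash("p0pc0rn", "letmein")),
    ("carol", "z1pp3r", salted_hash("z1pp3r", "Tr0ub4dor&3")),
]


def crack_unsalted(dump, wordlist):
    """One table of md5(word) serves every row: len(wordlist) hashes in total,
    however many users leaked. This is exactly what a rainbow table exploits."""
    table = {md5hex(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in dump if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """With a per-user secret the table cannot be shared: every row costs a
    fresh pass over the wordlist, so the work grows with the number of users."""
    cracked, hashes_computed = {}, 0
    for user, secret, passhash in dump:
        for word in wordlist:
            hashes_computed += 1
            if salted_hash(secret, word) == passhash:
                cracked[user] = word
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    print("salted:  ", crack_salted(SALTED_DUMP, WORDLIST))
```

Both runs recover the same two weak passwords; the salt only changes the price. With a shared table the cost is one wordlist pass total, with per-user secrets it is one pass per leaked row, which defeats precomputed tables but, because MD5 is cheap, does nothing against a dictionary run over a few thousand accounts. That is the practical reading of the thread: once the table is out, the salt decides how fast the reused passwords fall, not whether they fall, and a plaintext 'oldpassword' column of the kind TheFoX describes needs no cracking at all.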

kaffeine
08-15-2007, 03:09 PM
man... this is so messed up. and knowing that the storage of the user base in plain text had to be done intentionally.... it's very disappointing :no:

I would suggest staying away from the invites section for some time, as there could be many stolen account giveaways (as we have already seen) and invite giveaways from these stolen accounts.

DV8type
08-15-2007, 05:23 PM
For a modern tracker to store passwords as plaintext requires the site operator to modify the takelogin and takesignup to store a plaintext password (and do the comparison on login) into the 'users' table (a column already exists called 'oldpassword').

In other words, this is not an accident, but intentional. The only reason that anyone would store passwords in plaintext is so that they can discern your passwords. The only reason for this is so that they can harvest your accounts at other trackers.


The simple point I am making is that there is enough information at TBDev to secure any source, and the simple fact remains that too many site operators are either too complacent to think it will happen to them, or too damn stupid to even run their own site.

The web waits for no man.

So sad but true
:O

Sylar666
08-15-2007, 07:13 PM
Are these nasty rats developing this good old habit of just hacking around? Something has to be done. Thanx for the info.


Is it HDbits or Bit-HDTV ? Which one was hacked, for God's sake? I thought it was Bit-HDTV. Or both have been screwed up?

Bit-HDTV was recently hacked, HDBits was hacked a while ago
:pinch:

KFlint
08-15-2007, 07:23 PM
i just hope that HDBits is safer now...

terrorize
08-15-2007, 10:12 PM
STOP REQUESTING THE.txt FILE!!!!
DO NOT PM ME ANYMORE!!!!

jokzor
08-16-2007, 09:31 AM
unencrypted passwords..?
fucking loosers

unethikal
08-16-2007, 05:08 PM
I first noticed the hack when a leecher was uploading to me after I was at 100% and I was seeding. Didn't think anything of it at first. Three hours later I was still downloading bad data from the same leecher while seeding. I immediately blocked the IP address and informed staff. For the next two days the hacker was trying to gain access to my PC, to no avail. I changed my IP address and haven't seen him since. This dickwad needs to be hung from his testicles and lowered into a pail of $&^&#*@%!.

Chewie
08-16-2007, 06:02 PM
...fucking loosers
Yes, they definitely need tightening.

DV8type
08-16-2007, 06:52 PM
...fucking loosers
Yes, they definitely need tightening.

lol
I didn't think things could get any looser..... I wouldn't touch that site w/ a ten foot pole

jokzor
08-16-2007, 07:05 PM
hi dv8type :)
so at this point which trackers are safe and unsafe?
and where did you get the idea you wouldn't touch it w/a ten foot pole

Melvinmeow
08-16-2007, 08:13 PM
Yes, they definitely need tightening.

lol
I didn't think things could get any looser..... I wouldn't touch that site w/ a ten foot pole

LMAO

Me either.
I don't really see why ANY site would feel the need to store passwords in plain text. What would be the logic behind doing so, unless they had intentions of seeing people's passwords and using them on other sites for the same users they have on theirs.

rapesauce10
08-16-2007, 08:27 PM
lol
I didn't think things could get any looser..... I wouldn't touch that site w/ a ten foot pole

LMAO

Me either.
I don't really see why ANY site would feel the need to store passwords in plain text. What would be the logic behind doing so, unless they had intentions of seeing people's passwords and using them on other sites for the same users they have on theirs.

Melvin & DV8Type <3

DV8type
08-16-2007, 09:38 PM
hi dv8type :)
so at this point which trackers are safe and unsafe?


There are a few more established trackers out there that have active coders and a proven track record when it comes to privacy.

@Melvin: Seriously....either they have an inept coder who just patches TBdev (and does a bad job of that) or the intent was malicious from within.

yoghurt
08-28-2007, 12:33 PM
Hi

I have tried several times to reset my password but only get the first email, never the 2nd one with the new password. Please can someone kindly give me the email addy for the administrator at BIT-HDTV?

Thanks

Cangaceiro
08-30-2007, 01:32 AM
Ok... so I was on vacation and when I returned I realised that I had lost access to my mail, and many torrent sites... that's when I found this topic.

I don't know if it happened to any other of you people, but what can I do now? nothing?

I lost hdbits, sct, oink, scn, and of course my mail... who did this? who is this guy?? how can I gain back access to my accounts and mail?

hope this doesn't happen to any of you guys :(

muyoso
08-30-2007, 02:32 AM
Cangaceiro, send me a PM and I'll try and help you get back up on your feet.