OMG, HDBits has been hacked

This is what every users received like 15 minutes ago :

Looks like the password are stored unencrypted in the DB, that sucks :(

EDIT : wrong section, my bad

Mr. Valerio over here has attempted to hack every HD site there is (including some others as well)

This is payback time for all he did to bitmetv and all the other sites. By the way, I would suggest you all to change your passwords as they are stored unencrypted in the database and have been used to login to other sites.

I apologize to all the users and as such I will not touch the torrents. This is not a lesson for you lot.

NOTICE: This is a mass pm, it has been sent to the following classes: Upscale, 720p, 1080i, 1080p, UHD, VIP, Uploader, HDTV Capper

people should leave this site...

Good

damnit!

:lol: that sucks for HD...
should have encrypted the password though...doh

...

Quote:

---

Originally Posted by TranceLover

And in the mean time it looks like Bit-HDTV got a new login page.

---

they've had it for couple of days. they completely revamped the site and freeleeched everything for a week

well...HDBits is down for a while now....

im going to bit-hdtv....

Anyone who can give hdbits invite to me? lol

Wonderful, looks like they loaded a backup, i'm missing about 15GB of upload credit. :angry:

Just because someone hacked into the site doesnt always mean the passwords are in plain text. It could be the person who hacked in is just trying to give the site a bad name by saying they have plaintext. I have only seen 2 sites in all my days use plain text passwords. 1 Was a few years ago and 1 somewhat recently.

what site was it somewhat recently...:whistling.......just kidding!

Lost 3GB of upload :(

Quote:

---

Originally Posted by Melvinmeow

Just because someone hacked into the site doesnt always mean the passwords are in plain text. It could be the person who hacked in is just trying to give the site a bad name by saying they have plaintext. I have only seen 2 sites in all my days use plain text passwords. 1 Was a few years ago and 1 somewhat recently.

---

still it would suck if it's true for people that like to use the same password :frusty:

crap, i love that site too

Glad to see they're back on their feet. Obviously DSF knows how to make regular backups *cough* TB *cough*, good job buddy. Man if HDBits went down I don't know what I'd do. It's got to be my favorite torrent site.

yeah, i enjoy it too, i hope they will patched the leak so that something like that don't happen again...

lets lower the hdbits ranking now

the recent site that stores stuff in plaintext is RTS... oh no i blew the whistle. damn me.

Quote:

---

Originally Posted by necromantic

Man if HDBits went down I don't know what I'd do. It's got to be my favorite torrent site.

---

+1 After getting use to high quality hd stuff from there, its so much harder to watch SD movies from anywhere else.:pinch:

WTF..i post some funny pics there and i get disabled...i think the person who hacked HDBits is better than the fucking staff there.

LOL...bitches and assholes...

I just deleted my account at that stinky site, should have done it a lot earlier...

LOL :lol:

yea that site sucks

Some members Comments From HDbits Forums

everyone needs to chill out. I watched the 'hack' live.

Basically, someone at bitmetv got on the site used valerio's account, deleted all the ctrlhd, deleted the staff... etc etc... he replied a few times on the forum, made a new poll/news on the page, PM'ed everyone... That's about it.

*****************************

early today did the site go all f*ed up and some hateful message towards Valerio get posted, b/c heres the deal, if my password is in the database unencrypted i would like to know. Maybe i am just crazy, but i swore that there was something about hacking hd sites and the other sites that i may or may not use with the information a mod/admin could get?

truth or bullshit?


e: i also had a mass pm about this, but it's gone???????

********************************************

someone with skill could easily find the passwords even if their encrypted...

they must have had db access, which means they could have pulled off all the 'secret' , username and 'joined' fields (if i remember correctly this is what the passhash is made of though i may be wrong) to create a rainbow table (for each row) and then brute force it against the passhash (which they also obviously got ) to retrieve the actual password... it is time consuming but it is very possible if they really wanted them...

if it was unencrypted then they obviously did not have to do anything. Only the server logs can show what they did, and if their good, there wont even be any logs.

**********************************************************
Yaxyo wrote:

Passwords were md5 hashed or not?

nwo (Moderator):

Yes.
But as this (and a shitload of other) torrent site is based on tbsource, it has certain problems.
One is: md5 hash of passwd = pass in cookie file.

So if some1 were to gain access to the database, he can just grab a hashed password from
a user, change his cookie file, and he's logged in under that username.

This has now been changed: pass in cookie file is now different than md5 hashed password in database.


as you can see most of the comments is about that someone from bitmetv hacked hdbits as a revenege for some incident before

some claim that the passes were unencrypted while one of the mods said that it is encrypted but the TB source had major problems

The public announcement says that everything is ok and advise members to change passes but not much details

I hope the guys at HDBits recover quickly ,it's one of the best HD Trackers out there and it was sad to see them got hacked

Quote:

---

Valerio wrote:

Credits are still there on the faq page.
I don't use sites like that because most of the 'mods' are made by noobs .... and are almost always the things that are exploited to do things like this (case and point, he used a page that was a mod that either came with brokenstones (brokenstones being tbsource + some mods made by noobs) or dsf added).
I actually made the site more secure last night (should've done this ages ago really). You now can't get on someones account without actually knowing the password. You can sql inject al you like (i really hope there arn't any more, but you never know) but it won't help you create a cookie. I added ages ago a thing to make sure you can only attempt to login 5 times .. so no chance of brute forcing passwords either.



Good job Valerio. You really managed to secure the site I see LOL

You my friend is the n00b cause your site was 0wned YET AGAIN. Oh and by the way, you should check your ssh logs and change your root password. Oh and the salting you added sucks http://hdbits.org/pic/smilies/tongue.gif


NOTICE: This is a mass pm, it has been sent to everyone

---

MASS email just sent out at HDBits

ouch again!

lots of posts to read here .
could someone tell me please who or what the tracker is hacking hdbits and why ? :)

HDbits is ok now..
2007-08-01 - we were hacked 6 hours ago, everything should be OK now, we advice everyone to change password

bad news for HD.. for me it is interesting..

Lost 20GBs uploaded.... :angry:

Quote:

---

Passwords are broken atm, you can get it reset if you like .. but they'll be altered to what they were last night before long

---

:frusty:

Quote:

---

Originally Posted by T23

Quote:

---

Passwords are broken atm, you can get it reset if you like .. but they'll be altered to what they were last night before long

---

:frusty:

---

damn :frusty::frusty::frusty:

Sites down for me

Site is down for maintenance, please check back again later...
#HDBits @ irc.p2p-network.net

What's the pass to irc? :\

i can't login and recover pass doesn't work it says my email isn't in the database any idea?!?!

HDbits is the best HD site out there for those that bitch about it why don't you give your account to others that want to be members!

Is it HDbits or Bit-HDTV ? Which one was hacked, for God's sake? I thought it was Bit-HDTV. Or both have been screwed up?

damn damn damn :frusty: