on my way
Standard TB source will always hash the password using secrets as the salt, so the default storage of passwords is MD5 (excepting the very early TB source snapshots which used plaintext, but they are way past their sell-by dates, and should not be used).
For a modern tracker to store passwords as plaintext requires the site operator to modify the takelogin and takesignup to store a plaintext password (and do the comparison on login) into the 'users' table (a column already exists called 'oldpassword').
In other words, this is not an accident, but intentional. The only reason that anyone would store passwords in plaintext is so that they can discern your passwords. The only reason for this is so that they can harvest your accounts at other trackers.
A number of individuals, such as Jait, have shown that TB-derived scripts have numerous vulnerabilities, and they have also shown how to seal these holes. There is an entire thread on TBDev addressing all manner of exploits, including the stealing of the passhash (which can be made secure through the cookie mechanism, contrary to popular belief).
The simple point I am making is that there is enough information at TBDev to secure any source, and the simple fact remains that too many site operators are either too complacent to think it will happen to them, or too damn stupid to even run their own site. Anyone who thinks they don't need to scrutinise their code from time to time is asking for trouble. New vulnerabilities are discovered all the time, and new measures to deter these attacks are being created all the time.
The web waits for no man.
man... this is so messed up. and knowing that the storage of the user base in plain text had to be done intentionally.... it's very disappointing
i would suggest to stay away from the invites section for some time, as there could be many stolen accounts giveaways (as we have already seen) and invites giveaways from these stolen accounts.
STOP REQUESTING THE .txt FILE!!!!
DO NOT PM ME ANYMORE!!!!
unencrypted passwords..?
fucking losers
I first noticed the hack when a leecher was uploading to me after I was at 100% and I was seeding. Didn't think nothing of it at first. Three hours later I was still downloading bad data from the same leecher while seeding. I immediately blocked the IP address and informed staff. For the next two days the hacker was trying to gain access to my PC, to no avail. I changed my IP address and haven't seen him since. This dickwad needs to be hung from his testicles and lowered into a pail of $&^&#*@%!.