
Thread: Twoplustwo emails/passwords hacked. Site down

  1. #1
    Gold Corrigan's Avatar

    Twoplustwo emails/passwords hacked. Site down

    http://www.twoplustwo.com/ForumAlert.php


    Two Plus Two Forum Outage

    On April 26th at approximately 11:20 AM pacific time, the Two Plus Two Forums were closed as a result of a hacker who has displayed the ability to access e-mail addresses and encrypted passwords. He also indicated the ability to decrypt passwords.

    While it is unclear the extent of data to which he gained access, e-mail addresses and passwords on the Two Plus Two forums should be considered compromised. If you have used your 2+2 password on any other site, you are advised to change it.

    For your security we are closing the forums until the breach is patched.

    We hope to be back up as soon as possible.
    Last edited by Corrigan; 04-26-2012 at 11:29 AM.

  2. #2
    Gold Deal's Avatar
    Some people get pretty mad when they get censored/banned. Odds they pissed off the eventual hacker with idiotic modding?

  3. #3
    "The ability to decrypt the encrypted passwords". Yeah right. It will transpire that 2+2 is storing them in plaintext or doing an XOR on them. Actually all the 2+2 fanbois' heads would explode so they'll keep that suppressed.

  4. #4
    Diamond PLOL's Avatar
    Kevmath is the only 2+2 higher up that I trust.
    TRUMP 2024!

    Quote Originally Posted by verminaard View Post
    Just non-stop unrelenting LGBT propaganda being shoved down our throats.

  5. #5
    Serial Blogger BeerAndPoker's Avatar
    I'm sure Mason wants to find this hacker; he is in need of someone else to sue.

  6. #6
    Diamond BCR's Avatar
    Druff, I'm not one of those crying for radio shows every day, and tbh, I already have plans, and wouldn't even be listening live myself, but should 2+2 remain down through the evening, I'd tweet at all the 2+2 mods you know, ala Kevmath, etc. and fire up a radio show focusing on latest FTP/Stars saga, any scams, a little entertainment, etc.

    I imagine all those guys' twitters will be getting hammered today by kids wondering if their pw on Lock Poker and their $7.47 is safe. There will be a few thousand 2+2 addicted nerds having withdrawals, and you'd probably grab quite a few who had never even heard of the site just by announcing the pilot via popular 2+2 twitters. Just an idea, obv. you may have plans already also.

  7. #7
    Owner Dan Druff's Avatar
    Quote Originally Posted by BCR View Post
    Druff, I'm not one of those crying for radio shows every day, and tbh, I already have plans, and wouldn't even be listening live myself, but should 2+2 remain down through the evening, I'd tweet at all the 2+2 mods you know, ala Kevmath, etc. and fire up a radio show focusing on latest FTP/Stars saga, any scams, a little entertainment, etc.

    I imagine all those guys' twitters will be getting hammered today by kids wondering if their pw on Lock Poker and their $7.47 is safe. There will be a few thousand 2+2 addicted nerds having withdrawals, and you'd probably grab quite a few who had never even heard of the site just by announcing the pilot via popular 2+2 twitters. Just an idea, obv. you may have plans already also.
    I just sent out a tweet about this site, inviting people to come here in the absence of 2+2.

    I'll see if I can make some time for radio tonight if it's not back up by then.

  8. #8
    *** SCAMMER *** Jasep's Avatar
    Quote Originally Posted by Dan Druff View Post
    Quote Originally Posted by BCR View Post
    Druff, I'm not one of those crying for radio shows every day, and tbh, I already have plans, and wouldn't even be listening live myself, but should 2+2 remain down through the evening, I'd tweet at all the 2+2 mods you know, ala Kevmath, etc. and fire up a radio show focusing on latest FTP/Stars saga, any scams, a little entertainment, etc.

    I imagine all those guys' twitters will be getting hammered today by kids wondering if their pw on Lock Poker and their $7.47 is safe. There will be a few thousand 2+2 addicted nerds having withdrawals, and you'd probably grab quite a few who had never even heard of the site just by announcing the pilot via popular 2+2 twitters. Just an idea, obv. you may have plans already also.
    I just sent out a tweet about this site, inviting people to come here in the absence of 2+2.

    I'll see if I can make some time for radio tonight if it's not back up by then.
    Are you yebkniffing me?


  9. #9
    Owner Dan Druff's Avatar
    Quote Originally Posted by Jasep View Post
    Quote Originally Posted by Dan Druff View Post

    I just sent out a tweet about this site, inviting people to come here in the absence of 2+2.

    I'll see if I can make some time for radio tonight if it's not back up by then.
    Are you yebkniffing me?

    Your tonight and my tonight are different, since we are 3 hours apart. I'll respectfully wait until Filthy Limper is over before doing any radio (if I do it at all).

  10. #10
    *** SCAMMER *** Jasep's Avatar
    Quote Originally Posted by Dan Druff View Post
    Quote Originally Posted by Jasep View Post

    Are you yebkniffing me?

    Your tonight and my tonight are different, since we are 3 hours apart. I'll respectfully wait until Filthy Limper is over before doing any radio (if I do it at all).

  11. #11
    Diamond BCR's Avatar
    FTR, I didn't know your show was tonight Jasep, so I meant no disrespect, even though I get you were talking to Druff, and it was in jest. Maybe that's even better, a joint show by FL/PFA focusing on the FTP/Stars news, and promoting both sites to a rarely available audience should they stay down over there.

    edit-looks like it's already resolved with the PST.

  12. #12
    Platinum Rollo Tomasi's Avatar
    Quote Originally Posted by Dan Druff View Post
    Quote Originally Posted by BCR View Post
    Druff, I'm not one of those crying for radio shows every day, and tbh, I already have plans, and wouldn't even be listening live myself, but should 2+2 remain down through the evening, I'd tweet at all the 2+2 mods you know, ala Kevmath, etc. and fire up a radio show focusing on latest FTP/Stars saga, any scams, a little entertainment, etc.

    I imagine all those guys' twitters will be getting hammered today by kids wondering if their pw on Lock Poker and their $7.47 is safe. There will be a few thousand 2+2 addicted nerds having withdrawals, and you'd probably grab quite a few who had never even heard of the site just by announcing the pilot via popular 2+2 twitters. Just an idea, obv. you may have plans already also.
    I just sent out a tweet about this site, inviting people to come here in the absence of 2+2.

    I'll see if I can make some time for radio tonight if it's not back up by then.
    Quote Originally Posted by tony bagadonuts View Post

    Look Corrigan, you've been a sideshow clown around here from the jump
    It's tough to take you seriously when you've made your bones acting the fool.
    Quote Originally Posted by Brittney Griner's Clit View Post
    Which one is he?

  13. #13
    Gold tommyt's Avatar
    Since we are asking Druff questions, I have one.

    Druff....do you prefer original or ......

  14. #14
    Diamond PLOL's Avatar
    RT @2p2Trollcat Any truth to the rumor that @RealKidPoker temp banned 2p2?

  15. #15
    Owner Dan Druff's Avatar
    Here's NoahSD's blog about it:

    http://www.nsdpoker.com/2012/04/two-plus-two-hacked/

    The Two Plus Two Forums have been hacked, and the forums have been taken down by the admins to prevent further damage. The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)
    I'm still not sure how the hacker got the password salts.

    Basically, when a password is hashed (encrypted), you can add a "salt" (another combination of characters) on the end of the hashed password, and then hash it again. This makes it very hard to crack the encryption unless you have the salt.

    I have read on some vBulletin hacking sites that it's possible to deduce the salts and break the hashed passwords, but I wasn't sure if that was actually true. Noah claims that the hashing algorithm (md5) is "completely insecure" against this, which I suppose is possible. I was reading that on some of the hacking sites, as well.

    Here are Noah's suggestions (and my commentary after the -- on each one):

    - "If you use the same password on 2p2 and some other site(s), change the password on the OTHER site(s) IMMEDIATELY" -- I agree.

    - "Do not change your password on 2p2." -- I don't agree. Noah claims that the hacker might be able to see your new password, which I agree is possible. However, he also might not. If you change the password to something you don't use anywhere else, you can't be any worse off than not changing it at all.

    - "Change the password on the e-mail that you use for 2p2 to something secure." -- I agree. You should google "choosing a secure password" and follow the advice there, to make sure your e-mail password is secure. However, I would be more worried about someone getting into your e-mail directly through the server, or by "social engineering" methods. Most large e-mail providers these days have secured themselves against brute force password attacks.

    - "Change your other important passwords similarly." -- I think he's talking about things associated with that specific e-mail address, such as poker accounts. Good advice, but it's better to just change the e-mail address associated with the important stuff.

    - "If you’re a high stakes player, a moderator, or otherwise someone whose account may have been interesting to the hacker, worry about what was in your PM box." -- Yup, but I don't know what you can do about it at this point. If you had private conversations there that might end up being shared with the world, either brace for the consequences or pray that it won't be shared anywhere.


    Now here's my additional advice:

    If you still play online poker, and you have any accounts registered to the same e-mail you used on 2+2, log into your online poker accounts immediately and change the registered e-mail. This is because e-mail itself can be hacked, even if your password is otherwise well-chosen. For example, some people can easily break into any AOL account of their choosing. Yahoo e-mail has also been compromised before, as has e-mail attached to internet service providers.

    I would suggest creating a brand new Yahoo or gmail account, give it to no one, and change your e-mail to that account. Obviously don't enter this e-mail address anywhere on 2+2. Nobody will bother hacking it because nobody will know it exists.

    If your 2+2 account is registered to a different e-mail than you use for online poker, or if you don't play online poker anymore, I wouldn't worry about this.

    (Edited 10:45pm PDT 4/26/2012, in response to criticism posted by NoahSD later in this thread.)
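
An added example, not part of the original post or of vBulletin's code: the hash-salt-hash MD5 scheme as the post above describes it, next to a defender-side upgrade that wraps each stored hash in PBKDF2 without needing the user's password. The record layout, field names, iteration count and sample password are assumptions made for illustration; wrapping only protects against a future database leak, so passwords in an already-leaked dump still need to be changed.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; tune to the login server's hardware


def legacy_hash(password, salt):
    """Scheme as described in the post: MD5, append the salt, MD5 again."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def _stretch(legacy_hex, salt2):
    """Slow, salted key derivation applied on top of the stored legacy hash."""
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), salt2, ITERATIONS).hex()


def wrap_record(record):
    """Upgrade a stored legacy record without knowing the user's password."""
    salt2 = os.urandom(16)
    return {
        "scheme": "pbkdf2-over-legacy",
        "salt": record["salt"],  # still needed to rebuild the inner hash at login
        "salt2": salt2.hex(),
        "hash": _stretch(record["hash"], salt2),
    }


def verify(record, password):
    """Check a login attempt against either record format."""
    candidate = legacy_hash(password, record["salt"])
    if record["scheme"] == "pbkdf2-over-legacy":
        candidate = _stretch(candidate, bytes.fromhex(record["salt2"]))
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def cost_per_guess(fn, rounds):
    """Average wall-clock seconds for one evaluation of fn."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def slowdown_factor():
    """How much more one password guess costs against a wrapped record."""
    salt2 = os.urandom(16)
    fast = cost_per_guess(lambda: legacy_hash("guess", "abc"), 20_000)
    slow = cost_per_guess(lambda: _stretch("0" * 32, salt2), 3)
    return slow / fast


# Constructed sample record (not data from the breach).
SAMPLE = {"scheme": "legacy", "salt": "x9$", "hash": legacy_hash("hunter2", "x9$")}

if __name__ == "__main__":
    wrapped = wrap_record(SAMPLE)
    print("legacy ok:", verify(SAMPLE, "hunter2"))
    print("wrapped ok:", verify(wrapped, "hunter2"), "/ wrong:", verify(wrapped, "hunter3"))
    print("one guess is ~%.0fx more expensive" % slowdown_factor())
```

The salt keeps two users with the same password from sharing a hash, but it does nothing for the cost of a single guess; the work factor is what changes that.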

  16. #16
    Diamond chinamaniac's Avatar
    Quote Originally Posted by Dan Druff View Post
    Here's NoahSD's blog about it:

    http://www.nsdpoker.com/2012/04/two-plus-two-hacked/

    The Two Plus Two Forums have been hacked, and the forums have been taken down by the admins to prevent further damage. The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)
    I'm still not sure how the hacker got the password salts.

    Basically, when a password is hashed (encrypted), you can add a "salt" (another combination of characters) on the end of the hashed password, and then hash it again. This makes it very hard to crack the encryption unless you have the salt.

    I have read on some vBulletin hacking sites that it's possible to deduce the salts and break the hashed passwords, but I wasn't sure if that was actually true. Noah claims that the hashing algorithm (md5) is "completely insecure" against this, which I suppose is possible. I was reading that on some of the hacking sites, as well.

    Here are Noah's suggestions (and my commentary after the -- on each one):

    - "If you use the same password on 2p2 and some other site(s), change the password on the OTHER site(s) IMMEDIATELY" -- I agree.

    - "Do not change your password on 2p2." -- I don't agree. Noah claims that the hacker might be able to see your new password, which I agree is possible. However, he also might not. If you change the password to something you don't use anywhere else, you can't be any worse off than not changing it at all.

    - "Change the password on the e-mail that you use for 2p2 to something secure." -- I agree if you either have your e-mail password the same as you have on 2+2, or if your e-mail password is a dictionary word, or something else simple. Otherwise, I feel this is overkill.

    - "Change your other important passwords similarly." -- I think he's talking about things associated with that specific e-mail address, such as poker accounts. Good advice, but again, only bother with this if your password is easy or a dictionary word.

    - "If you’re a high stakes player, a moderator, or otherwise someone whose account may have been interesting to the hacker, worry about what was in your PM box." -- Yup, but I don't know what you can do about it at this point. If you had private conversations there that might end up being shared with the world, either brace for the consequences or pray that it won't be shared anywhere.


    Now here's my additional advice:

    If you still play online poker, and you have any accounts registered to the same e-mail you used on 2+2, log into your online poker accounts immediately and change the registered e-mail. This is because e-mail itself can be hacked, even if your password is otherwise well-chosen. For example, some people can easily break into any AOL account of their choosing. Yahoo e-mail has also been compromised before, as has e-mail attached to internet service providers.

    I would suggest creating a brand new Yahoo or gmail account, give it to no one, and change your e-mail to that account. Obviously don't enter this e-mail address anywhere on 2+2. Nobody will bother hacking it because nobody will know it exists.

    If your 2+2 account is registered to a different e-mail than you use for online poker, or if you don't play online poker anymore, I wouldn't worry about this.
    What if your email password is different from your 2+2 password

  17. #17
    Gold Bootsy Collins's Avatar
    Quote Originally Posted by chinamaniac View Post
    Quote Originally Posted by Dan Druff View Post
    Here's NoahSD's blog about it:

    http://www.nsdpoker.com/2012/04/two-plus-two-hacked/



    I'm still not sure how the hacker got the password salts.

    Basically, when a password is hashed (encrypted), you can add a "salt" (another combination of characters) on the end of the hashed password, and then hash it again. This makes it very hard to crack the encryption unless you have the salt.

    I have read on some vBulletin hacking sites that it's possible to deduce the salts and break the hashed passwords, but I wasn't sure if that was actually true. Noah claims that the hashing algorithm (md5) is "completely insecure" against this, which I suppose is possible. I was reading that on some of the hacking sites, as well.

    Here are Noah's suggestions (and my commentary after the -- on each one):

    - "If you use the same password on 2p2 and some other site(s), change the password on the OTHER site(s) IMMEDIATELY" -- I agree.

    - "Do not change your password on 2p2." -- I don't agree. Noah claims that the hacker might be able to see your new password, which I agree is possible. However, he also might not. If you change the password to something you don't use anywhere else, you can't be any worse off than not changing it at all.

    - "Change the password on the e-mail that you use for 2p2 to something secure." -- I agree if you either have your e-mail password the same as you have on 2+2, or if your e-mail password is a dictionary word, or something else simple. Otherwise, I feel this is overkill.

    - "Change your other important passwords similarly." -- I think he's talking about things associated with that specific e-mail address, such as poker accounts. Good advice, but again, only bother with this if your password is easy or a dictionary word.

    - "If you’re a high stakes player, a moderator, or otherwise someone whose account may have been interesting to the hacker, worry about what was in your PM box." -- Yup, but I don't know what you can do about it at this point. If you had private conversations there that might end up being shared with the world, either brace for the consequences or pray that it won't be shared anywhere.


    Now here's my additional advice:

    If you still play online poker, and you have any accounts registered to the same e-mail you used on 2+2, log into your online poker accounts immediately and change the registered e-mail. This is because e-mail itself can be hacked, even if your password is otherwise well-chosen. For example, some people can easily break into any AOL account of their choosing. Yahoo e-mail has also been compromised before, as has e-mail attached to internet service providers.

    I would suggest creating a brand new Yahoo or gmail account, give it to no one, and change your e-mail to that account. Obviously don't enter this e-mail address anywhere on 2+2. Nobody will bother hacking it because nobody will know it exists.

    If your 2+2 account is registered to a different e-mail than you use for online poker, or if you don't play online poker anymore, I wouldn't worry about this.
    What if your email password is different from your 2+2 password

    Do it anyway. It is still vulnerable.
    Quote Originally Posted by RealTalk View Post
    Lol at the amount of effort that druff's friends have to exert trying to do an internet podcast without offending him.

  18. #18
    Owner Dan Druff's Avatar
    Quote Originally Posted by chinamaniac View Post
    Quote Originally Posted by Dan Druff View Post
    Here's NoahSD's blog about it:

    http://www.nsdpoker.com/2012/04/two-plus-two-hacked/



    I'm still not sure how the hacker got the password salts.

    Basically, when a password is hashed (encrypted), you can add a "salt" (another combination of characters) on the end of the hashed password, and then hash it again. This makes it very hard to crack the encryption unless you have the salt.

    I have read on some vBulletin hacking sites that it's possible to deduce the salts and break the hashed passwords, but I wasn't sure if that was actually true. Noah claims that the hashing algorithm (md5) is "completely insecure" against this, which I suppose is possible. I was reading that on some of the hacking sites, as well.

    Here are Noah's suggestions (and my commentary after the -- on each one):

    - "If you use the same password on 2p2 and some other site(s), change the password on the OTHER site(s) IMMEDIATELY" -- I agree.

    - "Do not change your password on 2p2." -- I don't agree. Noah claims that the hacker might be able to see your new password, which I agree is possible. However, he also might not. If you change the password to something you don't use anywhere else, you can't be any worse off than not changing it at all.

    - "Change the password on the e-mail that you use for 2p2 to something secure." -- I agree if you either have your e-mail password the same as you have on 2+2, or if your e-mail password is a dictionary word, or something else simple. Otherwise, I feel this is overkill.

    - "Change your other important passwords similarly." -- I think he's talking about things associated with that specific e-mail address, such as poker accounts. Good advice, but again, only bother with this if your password is easy or a dictionary word.

    - "If you’re a high stakes player, a moderator, or otherwise someone whose account may have been interesting to the hacker, worry about what was in your PM box." -- Yup, but I don't know what you can do about it at this point. If you had private conversations there that might end up being shared with the world, either brace for the consequences or pray that it won't be shared anywhere.


    Now here's my additional advice:

    If you still play online poker, and you have any accounts registered to the same e-mail you used on 2+2, log into your online poker accounts immediately and change the registered e-mail. This is because e-mail itself can be hacked, even if your password is otherwise well-chosen. For example, some people can easily break into any AOL account of their choosing. Yahoo e-mail has also been compromised before, as has e-mail attached to internet service providers.

    I would suggest creating a brand new Yahoo or gmail account, give it to no one, and change your e-mail to that account. Obviously don't enter this e-mail address anywhere on 2+2. Nobody will bother hacking it because nobody will know it exists.

    If your 2+2 account is registered to a different e-mail than you use for online poker, or if you don't play online poker anymore, I wouldn't worry about this.
    What if your email password is different from your 2+2 password
    If your e-mail password is different from your 2+2 password, and if it's not a dictionary word or something else easy to guess (like "p@ssword"), I wouldn't worry about that part of it.

    However, given that e-mail can be hacked without having your password at all, I would change the e-mail associated with the poker sites (not the password, but the e-mail address itself) if it's the same one as your 2+2 account.

  19. #19
    Gold Bootsy Collins's Avatar
    This reminds me of when the Playstation Network was down for quite some time last year. If I was the IT guy at 2 + 2 I would do a full backup of everything. Wipe out the drives and reinstall everything from scratch and reinstall/migrate everything over. I would also make it a requirement to change the password after the first logon like a new user to a company who is logging into his computer for the first time.

  20. #20
    Owner Dan Druff's Avatar
    Quote Originally Posted by Bootsy Collins View Post
    This reminds me of when the Playstation Network was down for quite some time last year. If I was the IT guy at 2 + 2 I would do a full backup of everything. Wipe out the drives and reinstall everything from scratch and reinstall/migrate everything over. I would also make it a requirement to change the password after the first logon like a new user to a company who is logging into his computer for the first time.
    They can't do this if the hacker already has their old passwords.

    They will have to associate it with their e-mail, to where you click a link sent to your e-mail and change your password from there.
