My retail account was hacked and banned

Discussion forum related to PVP Server.

Re: My retail account was hacked and banned

by Zoey_Urbina » Sun Jun 14, 2015 10:21 pm

If a hacker is dead set on cracking into a service and stealing private information, then they'll always succeed. Therefore there are a few ways you can protect yourself.


    1: Limit the amount of damage they can do by having a unique password for each service.
    2: Protect your PC with an anti-virus program and a dedicated anti-malware program.
    3: Certain routers have extensive anti-virus and anti-malware built into their software.

Never assume that the service you're using is secure enough, since there's nothing that could be considered secure on the web.
Zoey_Urbina
Sergeant Major
 

Re: My retail account was hacked and banned

by tigahawk » Mon Jun 15, 2015 12:21 am

Diametra wrote: Greetings.

My retail account was hacked today. I'm not even going to get into all the mayhem that was caused. Let me tell you it was extensive.

The point being... I froze my account with Blizz in February and haven't been back since. There were two months of time on the account and some procedure I was to go through to unfreeze it. Whoever hacked it must have gone through this procedure and then proceeded to do what they did.

If you are like me, you used the same character names here as you did on blizz. Also, I rotated in and out the same types of passwords I use here. Since it's saved, I don't even know what the last password I used on Blizz was.

Something is going on. My email is not hacked. Just my blizz account. My PWs are not guessable and the only other game I play, is this one right here.

I am suggesting you likewise change all of your PWs at this time.



If you have not already... get the Authenticator App on your phone. If you don't have a smart phone, invest $10-20 and get the token.
tigahawk
Grunt
 

Re: My retail account was hacked and banned

by schaka » Mon Jun 15, 2015 6:21 am

I doubt this is the administration's fault. Like, in mangoszero username+password are hashed together with sha256. Should passwords actually be stored in plaintext here, they would have had to make a significant change to authorization mechanics.
Not to mention, "hacking" retail accounts isn't exactly very rewarding on a server like this. They could just ask for donations and make way more. However, I believe forum software, especially PHP based, is always prone to exploits and SQL injection.

That and who knows where you got your WoW client from and who may have modified it. (I had mine before, so I don't know, but if there is a torrent, it should probably have an MD5 attached so people can confirm they got the right one)
schaka
Senior Sergeant
 

Re: My retail account was hacked and banned

by Keldan » Mon Jun 15, 2015 7:39 am

Zoey_Urbina wrote: Never assume that the service you're using is secure enough, since there's nothing that could be considered secure on the web.


The people running the service might allow non-secure things, but, given that the staff probably don't care and are therefore not involved, this is assuming data can't be properly encrypted. That's plain wrong.

The only problem we are talking here is about humans.
Humans, properly social engineered or phished, will tell you all their little secrets.
Keldan
Sergeant
 

Re: My retail account was hacked and banned

by Viper » Mon Jun 15, 2015 8:33 am

1. Passwords are encrypted; even we don't have access to them.
2. No one, since it's encrypted.
Viper
Administrator
 

Re: My retail account was hacked and banned

by Aunstic » Mon Jun 15, 2015 10:08 am

Just some reiteration, all MaNGOS releases hash passwords in the PostgreSQL DBs.
Went through the MaNGOS Zero repo on github to find out that the password is basically:
Code:
<?php $pass = sha1(strtoupper($username) . ':' . strtoupper($password)); ?>


Pretty sure this forum runs on MyBB or IPBoard which is either md5, sha256, or bcrypt. Not sure.

Either way... md5 is broken and easy to crack, sha1 is easy to crack, sha256 getting somewhat more difficult, and bcrypt is pretty much the best choice here.

As for personal security, use a unique password on all services you register to. Nobody can guarantee whether or not the forum will be hacked although CloudFlare provides an exceptional Web Application Firewall (WAF) as well as DDoS mitigation. If you're not taking proper measures to secure your own machine(s), then you shouldn't think Nostalrius has anything to do with breaching any of your non-unique passwords.
Aunstic
Knight-Lieutenant
 

Re: My retail account was hacked and banned

by Mimma » Mon Jun 15, 2015 10:55 am

Aunstic wrote: Just some reiteration, all MaNGOS releases hash passwords in the PostgreSQL DBs.
Went through the MaNGOS Zero repo on github to find out that the password is basically:
Code:
<?php $pass = sha1(strtoupper($username) . ':' . strtoupper($password)); ?>



You actually demonstrate the problem: the username and password is here sent unencrypted to the server, and THEN hashed and stored in the database (since PHP is a server side script).

Yes, when stored in the database, the password is scrambled, but IF (and I do say IF, without accusing Nostalrius' staff of doing that) they also stored the username + password combo in a local text file or whatever, then ...
Mimma
Legionnaire
 

Re: My retail account was hacked and banned

by Aunstic » Mon Jun 15, 2015 11:05 am

Mimma wrote: You actually demonstrate the problem: the username and password is here sent unencrypted to the server, and THEN hashed and stored in the database (since PHP is a server side script).

Yes, when stored in the database, the password is scrambled, but IF (and I do say IF, without accusing Nostalrius' staff of doing that) they also stored the username + password combo in a local text file or whatever, then ...

1. The server is in C++. I just used PHP variables for it. The $_POST data on the registration page isn't unencrypted when you register, since https://en.nostalrius.org is under SSL. Even if it wasn't, I don't see your point. Client-side (JavaScript) hashing is flawed and is entirely bad practice if you are able to do it server-side.

2. Even if the root admins stored 10k+ username and passwords in plaintext, it is still your fault for not having a unique username and password. You shouldn't trust any service as anyone and everyone can be malicious as well as every service has the chance to be hacked with their database(s) dumped.

I highly doubt the root admins are logging all the accounts and passwords in a log file though. If they did, more reports from retail accounts would be flowing in since people would notice a pattern here: "I registered with the same info I used for retail and something happened to my retail account(s). Nostalrius admins are fishy." This is the first report. It's obviously not on Nostalrius admins.
Last edited by Aunstic on Mon Jun 15, 2015 12:22 pm, edited 1 time in total.
Aunstic
Knight-Lieutenant
 

Re: My retail account was hacked and banned

by shakey » Mon Jun 15, 2015 11:52 am

this makes me worried about all my emails and games :D

aw man i gotta think this through.. otherwise i will lose all my passwords the first month..

i wonder how much my Norton will back me up
shakey
Sergeant
 

Re: My retail account was hacked and banned

by Aunstic » Mon Jun 15, 2015 12:21 pm

shakey wrote: this makes me worried about all my emails and games :D

aw man i gotta think this through.. otherwise i will lose all my passwords the first month..

i wonder how much my Norton will back me up

Recommending ClamWin, Malwarebytes, or Avast. As for your passwords, make unique ones and use KeePassX so you never lose unique passwords.

Or if you're like my friends and family over 40 years old, store passwords on a sticky note or index card. Keep this note/card in your wallet/purse.
Aunstic
Knight-Lieutenant
 
