
GameReplays User Accounts Breached - Please Read

# 1 AgmLauncher May 29 2012, 10:47 AM
From Jon "AgmLauncher" LeMaitre, co-owner and general manager of GameReplays.

As of May 28th, the GameReplays member database was breached, and approximately 5000 emails and encrypted passwords were leaked. On May 27th, an Anonymous-affiliated hacker by the name of _ecECus_ sent the following email (in Spanish, mind you ...):


The following enquiry to GameReplays was submitted on 27 May 2012 7:42

Name: _ecECus_
Email: [email protected]

Hello, the reason for contacting you is to inform you that you have a serious SQL vulnerability on your site; fortunately or unfortunately, I came across this flaw on your site.. as you must know, all the information of the registered users can be seen, as well as your ENTIRE database.. ("gamerp_gamerp"), IPs, etc.. I don't think your subscribers would be pleased by that.
My ideology does not go along with doing harm using my knowledge; on the contrary, I am informing you that you have this flaw so that it does not fall into the hands of lamers and leave every registered user's information exposed.. I hope you fix this flaw soon..

We Are Anonymous
We Are Legion
We Don't Forgive
We Don't Forget
Expect Us!

Kind regards.. a thank-you on your page wouldn't be bad at all.. ;)



Roughly translated, he says he found a vulnerability with GR's database, but that his intentions were not for evil. He simply wanted to alert us of the problem so that we might have a chance to fix it, before anyone does anything malicious. He also kindly asked for some credit to be given for discovering the issue. Ok, fair enough! Sounds great right?

Fast forward about 24 hours later, and what shows up on the internet? A dump of about 10,000 GR accounts, released by who? _ecECus_; the same guy who claimed his intentions were not evil. Given that he sent the email in Spanish, and I was out celebrating Memorial Day weekend, I had no chance to address his email and thank him for alerting us to the issue. Because I was not able to respond to an email (written in a language I don't know), within 24 hours, he decided to go ahead and give himself credit for the hack. (update: and then do it again later today).

So to recap:

1. On the 27th I get an email, in Spanish, alerting me of a vulnerability.
2. The email claims that he is simply giving us a friendly tip and means no harm.
3. The email divulges absolutely no details that would actually help us determine where the vulnerability is, or how to exploit it for ourselves in order to protect against it.
4. This person wants credit for "helping" us.
5. On the 28th, he goes and releases personal information from GR's database on the web.
6. On the 29th (today), he does it again, still no useful information that would actually help us fix this vulnerability.

Further, GameReplays only has about 35 hours/week of development time available to it to create new features that the community wants and needs. I personally commit 15 hours per week on top of my regular 45 hours/week job. The other 20 hours is generously contributed by the rest of our coding staff (namely subroutine, -null-, Forlong, and Kustodian).

At present we are using that very limited coding bandwidth to develop a new framework that will help us create new features more quickly and easily. The framework is done and ready for development, but since _ecECus_ has decided to hack GameReplays and make his results public, we are forced to stop development of features like the VoD system, tournament system, and many others, just to figure out where this security vulnerability is.

Ironically, GameReplays fully appreciates the efforts of Anonymous in their role of helping to keep governments and corporations honest. Various acts from the US government such as PROTECT-IP and many others, are a direct threat to the existence of GameReplays. Anonymous has been helping to expose the corrupt links between corporate lobbying and various governments which threaten the very nature of the web. Sadly, there are people like _ecECus_ who give Anonymous and other hackers a bad reputation, since his goal isn't to help, but rather, to be immature and stroke his own ego.

As such, we invite anyone who *ACTUALLY* wants to help, to hack GameReplays and give us details about where our vulnerabilities are. Rather than making them public, they can be sent to us through our Contact form, or we will even create a special forum where security vulnerabilities can be discussed. Unfortunately, because we have such limited development resources, we cannot do this alone. Therefore anyone who helps us will be given due credit.

We would like to apologize and let our members know that no truly sensitive information was stolen, but the emails of about 10,000 members have been exposed. We will be sending out PMs and emails notifying those who have been compromised. Once this vulnerability has been fixed, we will re-salt everyone's passwords and take extra steps to make sure everyone's accounts are more secure in the future.


Sincerely,

Jon LeMaitre
Co-Owner and General Manager
GameReplays.org

Posts: 39,364

Clan: CrAzY

Game: 8bit Armies, Hordes and Invaders


# 2 Maru May 29 2012, 11:26 AM
IPB Image

Posts: 19,749

Clan: New Generation

Game: Battle for Middle Earth 2


# 3 Tomber May 29 2012, 11:54 AM
IPB Image

Posts: 6,781

Game: None


# 4 Darkjolly May 29 2012, 13:02 PM
IPB Image

Posts: 4


# 5 Noodlesocks May 29 2012, 13:26 PM
So is there a list somewhere I can check to see if I'm on it? I've had to change my password so many times this year it has stopped being funny :|

Posts: 567

Game: 8bit Armies, Hordes and Invaders


# 6 Weasle May 29 2012, 13:46 PM
It is sad that these "hackers" use the excuse of trying to help out by finding security holes in software, but their true motivation is to seek attention like an 8-year-old child. It is incidents like this that show why hacker groups that live outside the law are not our friends.

Posts: 263

Game: Company of Heroes


# 7 Engi May 29 2012, 14:07 PM
QUOTE(Weasle @ May 29 2012, 23:46 PM)

It is sad that these "hackers" use the excuse of trying to help out by finding security holes in software, but their true motivation is to seek attention like an 8-year-old child. It is incidents like this that show why hacker groups that live outside the law are not our friends.

Yeah, because this sole incident can be used as a basis for generalized discrimination.

Posts: 15,138

Game: None


# 8 ´'`Divine´'`Ravenheart´'` May 29 2012, 14:08 PM
@Noodlesocks; I don't think you need to worry. By the looks of it, it's highly unlikely that you were on the leaked list. If you don't take my word for it though (who would :P), just wait patiently:

QUOTE(AgmLauncher @ May 29 2012, 13:47 PM)

We would like to apologize and let our members know that no truly sensitive information was stolen, but the emails of about 10,000 members have been exposed. We will be sending out PMs and emails notifying those who have been compromised. Once this vulnerability has been fixed, we will re-salt everyone's passwords and take extra steps to make sure everyone's accounts are more secure in the future.

Posts: 14,355

Clan: Death and Destiny

Game: None


# 9 2FAST4YA May 29 2012, 14:11 PM
Oh dear... some scrub got my nick, password and my email address on GR. Gods I'm in trouble... oh wait - I'm not. Nice try though.

This isn't exactly disturbing but if that guy breaks into someone's bank account - it could be a problem (to say the least).

Posts: 1,870

Game: Company of Heroes


# 10 Hamster May 29 2012, 14:12 PM
LOL It's Rengo because the guy wrote in Spanish.

joke joke XD

Posts: 1,304

Game: CNC Zero Hour


# 11 AgmLauncher May 29 2012, 14:22 PM
QUOTE(Weasle @ May 29 2012, 09:46 AM)

It is sad that these "hackers" use the excuse of trying to help out by finding security holes in software, but their true motivation is to seek attention like an 8-year-old child. It is incidents like this that show why hacker groups that live outside the law are not our friends.


That's not true of all hackers. Many hackers do actually provide seriously invaluable information to companies to help secure their info. However this particular hacker is indeed just seeking attention, and gives helpful hackers a bad name.

Posts: 39,364

Clan: CrAzY

Game: 8bit Armies, Hordes and Invaders


# 12 ´'`Divine´'`Ravenheart´'` May 29 2012, 14:33 PM
QUOTE(engie @ May 29 2012, 17:07 PM)

Yeah, because this sole incident can be used as a basis for generalized discrimination.


Basis? The basis is that they operate outside the law. Not that I don't appreciate their efforts in keeping the net as it is, I do understand that they're no "warriors of justice" either. At the end of the day, every anonymous (and by this I don't mean Anonymous) hacker in the net is an individual, and not bound by any sort of moral code. They do what they WANT to do.

QUOTE(AgmLauncher @ May 29 2012, 17:22 PM)

That's not true of all hackers. Many hackers do actually provide seriously invaluable information to companies to help secure their info. However this particular hacker is indeed just seeking attention, and gives helpful hackers a bad name.


I've always found this the other way around: helpful hackers have improved the overall reputation malicious ones have given them.

Posts: 14,355

Clan: Death and Destiny

Game: None


# 13 Cloverfield May 29 2012, 14:50 PM
why hack gamereplays -.- it's not like gr goes against freedom and such

real anonymous wouldn't do that

Posts: 4,745

Game: Command and Conquer 3


# 14 killaHdude May 29 2012, 15:27 PM
I've contacted GR with details regarding the hack, as well as how to fix it.
Although I don't know exactly which method the hacker used, the two things I noticed were outdated forum software and having the version number of the forum in the footer. Those two things combined are like yelling "Please hack me, I am just waiting!"

Posts: 197

Game: Company of Heroes


# 15 SemInt May 29 2012, 15:59 PM
QUOTE(2FAST4YA @ May 29 2012, 16:11 PM)

Oh dear... some scrub got my nick, password and my email address on GR. Gods I'm in trouble... oh wait - I'm not. Nice try though.

This isn't exactly disturbing but if that guy breaks into someone's bank account - it could be a problem (to say the least).

Problems arise when people use the same password for everything.

Posts: 5,638

Clan: Suck it Trebek!

Game: Company of Heroes


# 16 Gameslayer989 May 29 2012, 16:02 PM
Strangely enough, whilst I was playing Dota 2 on the GR TeamSpeak server I got a poke from a guy called Slayer¦Alex claiming that my personal details were stolen and he wanted to report the mistake. I spoke to him purely in a chat window, not wanting to let him into my passworded TeamSpeak channel, and he would not answer my question about who he was or why he is called my alias (Gameslayer) and my real first name (Alex), which I don't even have on GR. After some purely one-way discussion in which he asked me a lot of questions that I did not respond to, he tried to get me to give him an admin's Skype details (which I don't have). Whilst I doubt it's the same guy (he was speaking German), it is very troubling since he now knows my first name. Fat lot of good that'll do him though, since I never put my last name on :P

Could there have been more than 1 hacker?

This post has been edited by Gameslayer989: May 29 2012, 16:06 PM

Posts: 1,789

Clan: Team|Alias

Game: Dota 2


# 17 bike_rush_ownz May 29 2012, 16:25 PM
hahaha if this was the real Anonymous, gamereplays.org would have a spam box of 10000000000 emails
and the servers would be down for a long long time :) plus Anonymous don't have such time for this and
they fight for freedom over the net. Org.replays is free :) and sweet and plus who cares.
all they can do is spam your email.
unless you're unsmart and used an email that you have a card on.
I have a sign-up-for-sites email, and the card email is for PayPal
only >3
plus can't you find his IP and go smash him up :)


Attached image(s)
Attached Image


Posts: 4,001

Game: Kanes Wrath


# 18 GreyKnight May 29 2012, 16:59 PM
Did they just get people's emails or other information like names etc. as well?

Posts: 2,810

Game: Company of Heroes


# 19 killaHdude May 29 2012, 17:04 PM
QUOTE(GreyKnight @ May 29 2012, 16:59 PM)

Did they just get people's emails or other information like names etc. as well?


Emails and password.

Posts: 197

Game: Company of Heroes


# 20 RRcabal May 29 2012, 17:08 PM
Well, no matter what it takes to get GameReplays.org back from the hackers, I will be willing to do anything for my sponsor.

Posts: 9,714

Game: None

