Explore GameReplays...

GameReplays User Accounts Breached - Please Read

Reply to this topic Start new topic
# 1AgmLauncher May 29 2012, 10:47 AM
From Jon "AgmLauncher" LeMaitre, co-owner and general manager of GameReplays.

As of May 28th, the GameReplays member database was breached, and approximately 5000 emails and encrypted passwords were leaked. On May 27th, an Anonymous affiliated hacker by the name of _ecECus_ sent the following email (in Spanish, mind you ...):


The Following Enquiry to GameReplays WAS submitted on 27 May 2012 7:42

Name: _ecECus_
Email: ececus27@hotmail.com

Que tal, el motivo de este contacto con ustedes es para informarles que tienen una importante vulnerabilidad de SQL en su pagina, afortunada o desafortunadamente me tope con esta falla en su pagina.. como han de saber se puede ver toda la información de los usuarios Registrados así como TODA! su base de datos.. ("gamerp_gamerp"), iP's, etc.. no creo que eso agrade a los suscriptores.
Mi ideología no se apega a hacer el mal usando mis conocimientos, al contrario les informo que tienen ese error para que no caigan en manos de lamers y la información de cada usuario registrado quede al descubierto.. espero que pronto arreglen ese fallo..

We Are Anonymous
We Are Legion
We Don't Forgive
We Don't Forget
Expect Us!

Un Cordial Saludo.. un agradecimiento en su pagina no estaría nada mal.. wink.gif



Roughly translated, he says he found a vulnerability with GR's database, but that his intentions were not for evil. He simply wanted to alert us of the problem so that we might have a chance to fix it, before anyone does anything malicious. He also kindly asked for some credit to be given for discovering the issue. Ok, fair enough! Sounds great right?

Fast forward about 24 hours later, and what shows up on the internet? A dump of about 10,000 GR accounts, released by who? _ecECus_; the same guy who claimed his intentions were not evil. Given that he sent the email in Spanish, and I was out celebrating Memorial Day weekend, I had no chance to address his email and thank him for alerting us to the issue. Because I was not able to respond to an email (written in a language I don't know), within 24 hours, he decided to go ahead and give himself credit for the hack. (update: and then do it again later today).

So to recap:

1. On the 27th I get an email, in Spanish, alerting me of a vulnerability.
2. The email claims that he is simply giving us a friendly tip and means no harm.
3. The email divulges absolutely no details that would actually help us determine where the vulnerability is, or how to exploit it for ourselves in order to protect against it.
4. This person wants credit for "helping" us.
5. On the 28th, he goes and releases personal information from GR's database on the web.
6. On the 29th (today), he does it again, still no useful information that would actually help us fix this vulnerability.

Further, GameReplays only has about 35 hours/week of development time available to it to create new features that the community wants and needs. I personally commit 15 hours per week on top of my regular 45 hours/week job. The other 20 hours is generously contributed by the rest of our coding staff (namely subroutine, -null-, Forlong, and Kustodian).

At present we are using that very limited coding bandwidth to develop a new framework that will help us create new features more quickly and easily. The framework is done and ready for development, but since _ecECus_ has decided to hack GameReplays and make his results public, we are forced to stop development of features like the VoD system, tournament system, and many others, just to figure out where this security vulnerability is.

Ironically, GameReplays fully appreciates the efforts of Anonymous in their role of helping to keep governments and corporations honest. Various acts from the US government such as PROTECT-IP and many others, are a direct threat to the existence of GameReplays. Anonymous has been helping to expose the corrupt links between corporate lobbying and various governments which threaten the very nature of the web. Sadly, there are people like _ecECus_ who give Anonymous and other hackers a bad reputation, since his goal isn't to help, but rather, to be immature and stroke his own ego.

As such, we invite anyone who *ACTUALLY* wants to help, to hack GameReplays and give us details about where our vulnerabilities are. Rather than making them public, they can be sent to us through our Contact form, or we will even create a special forum where security vulnerabilities can be discussed. Unfortunately, because we have such limited development resources, we cannot do this alone. Therefore anyone who helps us will be given due credit.

We would like to apologize and let our members know that no truly sensitive information was stolen, but the emails of about 10,000 members have been exposed. We will be sending out PMs and emails notifying those who have been compromised. Once this vulnerability has been fixed, we will re-salt everyone's passwords and take extra steps to make sure everyone's accounts are more secure in the future.


Sincerely,

Jon LeMaitre
Co-Owner and General Manager
GameReplays.org

Posts: 39,345

Clan: CrAzY

Game: 8bit Armies, Hordes and Invaders


+
# 2Maru May 29 2012, 11:26 AM
IPB Image

Posts: 16,342

Clan: New Generation

Game: Battle for Middle Earth 2


+
# 3Tomber May 29 2012, 11:54 AM
IPB Image

Posts: 6,781

Game: None


+
# 4Darkjolly May 29 2012, 13:02 PM
IPB Image

Posts: 4


+
# 5Noodlesocks May 29 2012, 13:26 PM
So is there a list somewhere I can check to see if I'm on it? I've had to change my password so many times this year it has stopped being funny :|

Posts: 565

Game: 8bit Armies, Hordes and Invaders


+
# 6Weasle May 29 2012, 13:46 PM
It is sad that these "hackers" use the excuse of trying to help out by finding security holes in software, but their true motivation is to seek attention like a 8 year old child. It is incidences like this that show why hacker groups that live outside the law are not our friends.

Posts: 263

Game: Company of Heroes


+
# 7Engi May 29 2012, 14:07 PM
QUOTE(Weasle @ May 29 2012, 23:46 PM) *

It is sad that these "hackers" use the excuse of trying to help out by finding security holes in software, but their true motivation is to seek attention like a 8 year old child. It is incidences like this that show why hacker groups that live outside the law are not our friends.
Yeah, because this sole incident can be used as a basis for generalized discrimination.

Posts: 15,136

Game: None


+
# 8´'`Divine´'`Ravenheart´'` May 29 2012, 14:08 PM
@Noodlesocks; I don't think you need to worry. By the looks of it it's highly unlikely that you were on the leaked list. If you're don't take my word for it though (who would tongue.gif), just wait patiently:

QUOTE(AgmLauncher @ May 29 2012, 13:47 PM) *

We would like to apologize and let our members know that no truly sensitive information was stolen, but the emails of about 10,000 members have been exposed. We will be sending out PMs and emails notifying those who have been compromised. Once this vulnerability has been fixed, we will re-salt everyone's passwords and take extra steps to make sure everyone's accounts are more secure in the future.

Posts: 14,337

Clan: Death and Destiny

Game: None


+
# 92FAST4YA May 29 2012, 14:11 PM
Oh dear... some scrub got my nick, password and my e mail address on GR. Gods im in trouble... oh wait - im not. Nice try though.

This isnt exactly disturbing but if that guy breaks into someones bank account - it could be a problem (to say the least).

Posts: 1,870

Game: Company of Heroes


+
# 10Hamster May 29 2012, 14:12 PM
LOL It's Rengo because the guy wrote in spanish.

joke joke XD

Posts: 1,304

Game: CNC Zero Hour


+
# 11AgmLauncher May 29 2012, 14:22 PM
QUOTE(Weasle @ May 29 2012, 09:46 AM) *

It is sad that these "hackers" use the excuse of trying to help out by finding security holes in software, but their true motivation is to seek attention like a 8 year old child. It is incidences like this that show why hacker groups that live outside the law are not our friends.


That's not true of all hackers. Many hackers do actually provide seriously invaluable information to companies to help secure their info. However this particular hacker is indeed just seeking attention, and gives helpful hackers a bad name.

Posts: 39,345

Clan: CrAzY

Game: 8bit Armies, Hordes and Invaders


+
# 12´'`Divine´'`Ravenheart´'` May 29 2012, 14:33 PM
QUOTE(engie @ May 29 2012, 17:07 PM) *

Yeah, because this sole incident can be used as a basis for generalized discrimination.


Basis? The basis is that they operate outside the law. Not that I don't appreciate their efforts in keeping the net as it is, I do understand that they're no "warriors of justice" either. At the end of the day, every anonymous (and by this I don't mean Anonymous) hacker in the net is an individual, and not bound by any sort of moral code. They do what they WANT to do.

QUOTE(AgmLauncher @ May 29 2012, 17:22 PM) *

That's not true of all hackers. Many hackers do actually provide seriously invaluable information to companies to help secure their info. However this particular hacker is indeed just seeking attention, and gives helpful hackers a bad name.


I've always found this the other way around: helpful hackers have improved the overall reputation malicious ones have given them.

Posts: 14,337

Clan: Death and Destiny

Game: None


+
# 13Cloverfield May 29 2012, 14:50 PM
why hack gamereplays -.- its not like gr goes against freedom and such

real anonymous wouldnt do that

Posts: 4,715

Game: Command and Conquer 3


+
# 14killaHdude May 29 2012, 15:27 PM
I've contacted GR with details regarding the hack, as well as how to fix it.
Although I don't know exactly which method the hacker used, the two things I noticed was outdated forum software and having the version number of the forum in the footer. Those two things combined is like yelling "Please hack me, I am just waiting!"

Posts: 197

Game: Company of Heroes


+
# 15SemInt May 29 2012, 15:59 PM
QUOTE(2FAST4YA @ May 29 2012, 16:11 PM) *

Oh dear... some scrub got my nick, password and my e mail address on GR. Gods im in trouble... oh wait - im not. Nice try though.

This isnt exactly disturbing but if that guy breaks into someones bank account - it could be a problem (to say the least).

Problems arise when people use the same password for everything.

Posts: 5,638

Clan: Suck it Trebek!

Game: Company of Heroes


+
# 16Gameslayer989 May 29 2012, 16:02 PM
Strangely enough whilst i was playing Dota2 on the GR teamspeak server i got a poke from a guy called Slayer¦Alex claiming that my personal details we're stolen and he wanted to report the mistake. I spoke to him purely in a chat window not wanting to let him into my passworded teamspeak channel, and he would not answer my question about who he was or why he is called my Alias (Gameslayer) and my real first name (Alex) which i don't even have on GR. After some purely one way discussion in which he asked me a lot of questions that i did not respond to he tried to get me to give him an admins skype details (which i don't have). Whilst i doubt it's the same guy (he was speaking german) it is very troubling since he now knows my first name. Fat lot of good that'll do him though since i never put my last name on tongue.gif

Could there have been more than 1 hacker?

This post has been edited by Gameslayer989: May 29 2012, 16:06 PM

Posts: 1,789

Clan: Team|Alias

Game: Dota 2


+
# 17bike_rush_ownz May 29 2012, 16:25 PM
hahaha if this was the real anonymous game replays.org want have A spam box off 10000000000 emails
and the servers want be down for a long long time smile.gif plus anonymous don't have such time for this and
they fight for freedom over the net Org.replays is free smile.gif and sweet and plus who cares .
all there can do is spam ur email.
unless you'r unsmart and used a email that you have a card on .
i have a sing up for sites email and Card email is for pay pl
only >3
plus cant you found hes Ip and go smash him up smile.gif


Attached image(s)
Attached Image


Posts: 3,916

Game: Kanes Wrath


+
# 18GreyKnight May 29 2012, 16:59 PM
Did they just get peoples emails or other information like names ect aswell?

Posts: 2,810

Game: Company of Heroes


+
# 19killaHdude May 29 2012, 17:04 PM
QUOTE(GreyKnight @ May 29 2012, 16:59 PM) *

Did they just get peoples emails or other information like names ect aswell?


Emails and password.

Posts: 197

Game: Company of Heroes


+
# 20OneCabal^ May 29 2012, 17:08 PM
well, no matter what it takes to get GameReplays.org back form the hackers i will be willing to do anything for my sponsor.

Posts: 9,456

Game: Overwatch


+

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)