Establishing Digital Trust: Don't Sacrifice Security for Convenience
Hacker Ececus recently published the account information of approximately 10,000 members of gaming Web site GameReplays. "The leaked data contains user IDs, names, emails, encrypted passwords and the SALT for the encryption, which is fairly stupid to [store] in the exact same table and columns of the hashed passwords," notes Cyber War News' Lee Johnstone.
On May 28, GameReplays co-owner and general manager Jon "AgmLauncher" LeMaitre posted a notice on the site acknowledging that the site's member database had been breached, and that Ececus had sent GameReplays an e-mail in Spanish notifying them of the attack.
"Roughly translated, he says he found a vulnerability with GR's database, but that his intentions were not for evil," LeMaitre wrote. "He simply wanted to alert us of the problem so that we might have a chance to fix it, before anyone does anything malicious. He also kindly asked for some credit to be given for discovering the issue. Ok, fair enough! Sounds great right?"
However, LeMaitre says, Ececus didn't provide any information about the vulnerability -- and the same hacker then turned around and published member account information online 24 hours later.
As a result, LeMaitre says GameReplays has been forced to stop development of additional features in order to focus entirely on finding the vulnerability.
"As such, we invite anyone who *ACTUALLY* wants to help, to hack GameReplays and give us details about where our vulnerabilities are," LeMaitre writes. "Rather than making them public, they can be sent to us through our Contact form, or we will even create a special forum where security vulnerabilities can be discussed."