Hacker gets HoN password database, posts on reddit - Page 6
paper121
50 Posts
http://www.teamliquid.net/forum/viewmessage.php?topic_id=382776
http://www.teamliquid.net/forum/viewmessage.php?topic_id=382876
semantics
10040 Posts
On December 18 2012 09:34 mrRoflpwn wrote: Did they get credit card info stolen as well? If so I am seriously scared...
Pretty sure HoN doesn't store credit card data, just off the fact that they don't bind your CC to your account, although they may keep some of the info; ofc I could be wrong, but I just assume.
Manit0u
Poland, 17046 Posts
On December 18 2012 09:40 semantics wrote: Pretty sure HoN doesn't store credit card data, just off the fact that they don't bind your CC to your account, although they may keep some of the info; ofc I could be wrong, but I just assume.
Pretty sure about it too. You can't even "make this card default" or get other "store my data for convenience please" buttons when doing purchases from S2. I think that it even goes through ssh or another secure protocol to reduce the chance of data leakage (don't take my word on it though).
Daumen
Germany, 1073 Posts
On December 18 2012 09:31 ShaLLoW[baY] wrote: Oh look, thread turning into game vs game arguments. Quelle surprise.
Indeed... let's not unite under the banner of E-Sports and Gamers to get universal acceptance in the "real world". Let's eat each other alive in petty conflicts, gg.
Comogury
United States, 412 Posts
It's pretty sad that S2 has acted like they don't care very much about this right away. Is it that hard to realize that their servers are being hacked? The fact that it took more than two days of thousands of accounts being compromised for them to do anything is just embarrassing.
Angra
United States, 2652 Posts
On December 18 2012 08:54 Alur wrote: Just a comment on your statement about player numbers. A couple of months ago, S2 started counting the Garena HoN players (south east asia) towards the total amount of players, resulting in a drastic burst from 40k'ish to 100k'ish players. This however does not reflect the status of the game with its western audience. While the Int client might have had 40k players a year ago, that number looks more like 30k currently, probably helped by the rise of DotA 2 (Graph of concurrent DotA2 players) and S2's security/ddos issues.
They also removed the counter of the number of people from each region when you hovered over the "players online" part, because the NA/EU servers were still only getting like 25k max, while a vast majority was from Garena.
semantics
10040 Posts
On December 18 2012 08:54 Alur wrote: Just a comment on your statement about player numbers. A couple of months ago, S2 started counting the Garena HoN players (south east asia) towards the total amount of players, resulting in a drastic burst from 40k'ish to 100k'ish players. This however does not reflect the status of the game with its western audience. While the Int client might have had 40k players a year ago, that number looks more like 30k currently, probably helped by the rise of DotA 2 (Graph of concurrent DotA2 players) and S2's security/ddos issues.
? Same data with that Dota 2 graph; I don't get why make that point. All it does is point out that Dota 2 has pretty much twice as many players as HoN. Throughout the day both go up and down, and Dota 2 is pretty consistently double what HoN is, which is pretty easy to attribute to brand recognition of DotA plus the marketing by Steam.
Onioncookie
Germany, 624 Posts
On December 18 2012 11:49 semantics wrote: ? Same data with that Dota 2 graph; I don't get why make that point. All it does is point out that Dota 2 has pretty much twice as many players as HoN. Throughout the day both go up and down, and Dota 2 is pretty consistently double what HoN is, which is pretty easy to attribute to brand recognition of DotA plus the marketing by Steam.
The amount of players in Dota 2 barely has any Asian players in it... because they only gave out a minimum of keys to that region, it's pretty much only US/EU, so it's a lot more than HoN. Anyway, I don't trust any company that allows my account details to be stolen that easily... so no more HoN for me...
Bswhunter
Australia, 954 Posts
Should really delete that shit. I've noticed S2 has had multiple security leaks again and again and I'm unlikely to ever touch it.
synapse
China, 13814 Posts
On December 18 2012 09:31 ShaLLoW[baY] wrote: Oh look, thread turning into game vs game arguments. Quelle surprise.
The first post saying HoN was the best didn't help lol
semantics
10040 Posts
On December 18 2012 12:08 Onioncookie wrote: The amount of players in Dota 2 barely has any Asian players in it... because they only gave out a minimum of keys to that region, it's pretty much only US/EU, so it's a lot more than HoN. Anyway, I don't trust any company that allows my account details to be stolen that easily... so no more HoN for me...
You're just making excuses to hype up Dota 2 more than it needs to be. First off, you can flat out buy Dota 2 beta keys from Steam; secondly, it's hardly difficult to get a hold of one, they give them out like hot cakes, hell, my Steam account gave out 6 so far. You probably should never touch Sony, Microsoft, Nintendo (yes, someone actually hacked them a while back), Blizzard, Steam; all of them have been hacked, some more than once over the years, and some with confirmed worse results such as credit card info included etc. Pretty much every gaming company has had problems over the years every once in a while.
Angra
United States, 2652 Posts
On December 18 2012 12:41 semantics wrote: You're just making excuses to hype up Dota 2 more than it needs to be. First off, you can flat out buy Dota 2 beta keys from Steam; secondly, it's hardly difficult to get a hold of one, they give them out like hot cakes, hell, my Steam account gave out 6 so far.
Except he's right, though. Millions of people are still playing Dota 1 in China. They only just recently started allowing signups for an upcoming beta for Dota 2 in China this month, distributed by the Chinese company Perfect World. Steam isn't popular there, so you don't have many people switching over yet because of that.
althaz
Australia, 1001 Posts
SHA-2 has an output size of 512 bits, so finding a collision would take O(2^256) time. Given there are no clever attacks on the algorithm itself (currently none are known for the SHA-2 hash family) this is what it takes to break the algorithm. To get a feeling for what 2^256 actually means: currently it is believed that the number of atoms in the (entire!!!) universe is roughly 10^80 which is roughly 2^266. Assuming 32 byte input (which is reasonable for your case - 20 bytes salt + 12 bytes password) my machine takes ~0,22s (~2^-2s) for 65536 (=2^16) computations. So 2^256 computations would be done in 2^240 * 2^16 computations which would take 2^240 * 2^-2 = 2^238 ~ 10^72s ~ 3,17 * 10^64 years. Even calling this millions of years is ridiculous. And it doesn't get much better with the fastest hardware on the planet computing thousands of hashes in parallel. No human technology will be able to crunch this number into something acceptable. Link

This assumes a dumb brute-force attack, which you are almost never going to use (or at least you shouldn't). There are more intelligent (and orders of magnitude faster, by using parallel computing hardware, e.g. GPUs) methods of brute force, but it's far more likely that you are going to use dictionary attacks, which means 90%+ of the passwords will be cracked within a few days (or possibly within a few hours depending on the encryption used). SHA hashes are designed for real-time encryption (and they are not realistically crackable when used for that purpose, although weaknesses have been discovered in SHA-2, though they haven't been exploited AFAIK in the real world). If they are at rest they are incredibly vulnerable to intelligent attacks (as you point out, dumb attacks don't work). That's why things like the incredibly slow bcrypt are becoming more and more popular. What might have taken 16 hours could take them 16 years if you used bcrypt to encrypt your passwords.

You can achieve a similar result with progressive passes (tens of thousands) of SHA-2, but because of the way bcrypt works vs the way most hashing functions work, bcrypt may be inherently more resistant to attacks (the algorithms are better understood and have no discovered weaknesses).

EDIT: Also, the math above seems old; 220ms for only 65536 guesses is mad slow for SHA (but the same amount of guesses might take 10 minutes or more with bcrypt).

EDIT2: It's probably also worth mentioning scrypt (google it), which has a lot in common with bcrypt, but is even more impossible to crack (and once it is better studied will likely become the default resting password encryption).
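The point althaz makes above, as an added example that is not code from any post in this thread: the same SHA-256 primitive stored once as a single salted pass and once as "tens of thousands of passes" via PBKDF2-HMAC, timed over a constructed wordlist so the per-guess cost (and the extrapolated time for a leaked database) can be compared, plus the quoted 2^256 brute-force estimate recomputed. The iteration count, salt and sample passwords are assumptions for the demo.

```python
"""Added example, not code from the thread: single-pass salted SHA-256 vs
iterated SHA-256 (PBKDF2-HMAC) as a password store. The iteration count,
salt and wordlist below are constructed for the demo."""
import hashlib
import hmac
import time

ITERATIONS = 100_000  # assumed work factor; raise it until one verify costs ~100 ms on the server


def store_fast(password: str, salt: bytes) -> bytes:
    """One SHA-256 pass over salt||password: cheap for the server and for an offline guesser."""
    return hashlib.sha256(salt + password.encode()).digest()


def store_slow(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """'Progressive passes of SHA-2': PBKDF2-HMAC-SHA256 charges `iterations` hashes per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, digest: bytes, scheme) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the stored digest."""
    return hmac.compare_digest(scheme(password, salt), digest)


def time_wordlist(wordlist, salt: bytes, digest: bytes, scheme):
    """Check every word against one stored digest (no early exit, so the timing is per guess).
    Returns (matching_words, seconds_per_guess)."""
    start = time.perf_counter()
    hits = [w for w in wordlist if verify(w, salt, digest, scheme)]
    return hits, (time.perf_counter() - start) / len(wordlist)


def years_for(guesses: int, seconds_per_guess: float) -> float:
    """Serial time to make `guesses` attempts at this per-guess cost, in years."""
    return guesses * seconds_per_guess / (365 * 24 * 3600)


def quoted_brute_force_years(bits: int = 256, batch_seconds: float = 0.22, batch_size: int = 65536) -> float:
    """The estimate althaz quotes: 2^bits hashes at 65536 hashes per 0.22 s, expressed in years."""
    return years_for(2 ** bits, batch_seconds / batch_size)


if __name__ == "__main__":
    salt = b"\x00" * 16  # constructed; a real store draws a fresh random salt per user
    wordlist = ["123456", "password", "qwerty", "hunter2", "letmein"]  # constructed dictionary
    for name, scheme in (("sha256 x1", store_fast), ("pbkdf2 x%d" % ITERATIONS, store_slow)):
        hits, per_guess = time_wordlist(wordlist, salt, scheme("hunter2", salt), scheme)
        # A leaked database of 1e6 users against a 1e7-word dictionary is 1e13 guesses.
        print("%-16s hits=%s  %.2e s/guess  1e13 guesses = %.1f years"
              % (name, hits, per_guess, years_for(10 ** 13, per_guess)))
    print("quoted 2^256 brute force: %.2e years" % quoted_brute_force_years())
```

The ratio of the two s/guess figures is the slowdown the work factor buys; the brute-force number stays astronomically large either way, which is exactly why the dictionary case is the one that matters.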
Manit0u
Poland, 17046 Posts
On December 18 2012 14:44 althaz wrote: This assumes a dumb brute-force attack, which you are almost never going to use (or at least you shouldn't). There are more intelligent (and orders of magnitude faster, by using parallel computing hardware, e.g. GPUs) methods of brute force, but it's far more likely that you are going to use dictionary attacks, which means 90%+ of the passwords will be cracked within a few days (or possibly within a few hours depending on the encryption used). SHA hashes are designed for real-time encryption (and they are not realistically crackable when used for that purpose, although weaknesses have been discovered in SHA-2, though they haven't been exploited AFAIK in the real world). If they are at rest they are incredibly vulnerable to intelligent attacks (as you point out, dumb attacks don't work). That's why things like the incredibly slow bcrypt are becoming more and more popular. What might have taken 16 hours could take them 16 years if you used bcrypt to encrypt your passwords. You can achieve a similar result with progressive passes (tens of thousands) of SHA-2, but because of the way bcrypt works vs the way most hashing functions work, bcrypt may be inherently more resistant to attacks (the algorithms are better understood and have no discovered weaknesses). EDIT: Also, the math above seems old; 220ms for only 65536 guesses is mad slow for SHA (but the same amount of guesses might take 10 minutes or more with bcrypt). EDIT2: It's probably also worth mentioning scrypt (google it), which has a lot in common with bcrypt, but is even more impossible to crack (and once it is better studied will likely become the default resting password encryption).
Best encryption is first closing the gaps in the system. Something like remote SQL code execution by a random user should not be happening in this day and age. Pity to see S2 take such a huge blow, seeing how I've been supporting them for all those years.

They're not the first and won't be the last though; like it was mentioned previously, a lot of other companies had problems with hackers which were much more severe (more crucial data/valuable goods stolen).