Old 16th February 2011, 08:27   #1
labratofel
Junior Member
 
Join Date: Apr 2007
Posts: 12
Security breach

First of all: great product.

Now that's out of the way please allow me to tear you a new one.

Your "FAQ" and email state that the attack was blocked. It clearly was not. If it had been blocked I would not be waking up to your email.

It would have been even better if you had not locked the FAQ thread so I (and no doubt others) wouldn't be about to create 1000 threads with the same content.

I am extremely dissatisfied that my personal information has been left vulnerable because of your lax security.

I bet I am not the only one.
Old 16th February 2011, 08:36   #2
radioactivity
Junior Member
 
Join Date: May 2008
Posts: 2
Agreed, blocked is not the same as "they have your email". Also the passwords, were they just MD5 hashes or were they salted?
Old 16th February 2011, 08:51   #3
LABradio
Guest
 
Posts: n/a
Please delete my account.

It's not open to discussion.

Thanks.
Old 16th February 2011, 09:14   #4
mupet0000
Junior Member
 
Join Date: Sep 2006
Posts: 15
Yeah we need to know more about the password leak, you try to play it down in your FAQ but you recommend changing it on other forums, tell us more.
Old 16th February 2011, 09:23   #5
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
wow ... drama llamas are in season

Quote:
Originally Posted by mupet0000 View Post
Yeah we need to know more about the password leak, you try to play it down in your FAQ but you recommend changing it on other forums, tell us more.
you'd be a grade A moron to use the same password on two sites, and deserve everything that befalls you


The FAQ is quite clear ...

breach detected and stopped ...
RECOMMEND you change your password (covering their arses) ...
Also, if you're a brain dead retard and use the same password on other sites, best you change that password as well

I can't see what more could be said

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 09:29   #6
newmeja
Guest
 
Posts: n/a
I've not used this forum in years and luckily the password was one I no longer use.

However the email I received said "your email address was exposed as a result of the attack", if it was just my email address why tell me to change my password?

Was it more than just email addresses that were exposed? Is it a hash that someone has their hands on or is it more than you're letting on?
Old 16th February 2011, 09:33   #7
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by newmeja View Post
I've not used this forum in years and luckily the password was one I no longer use.

However the email I received said "your email address was exposed as a result of the attack", if it was just my email address why tell me to change my password?

Was it more than just email addresses that were exposed? Is it a hash that someone has their hands on or is it more than you're letting on?
surely it's better to err on the side of caution

I for one respect the fact that I was contacted about this - if they were sure passwords were not compromised, they could've remained silent about it and nobody would know any different - may get some more spam, but my wife wants my dick bigger and stay hard longer, so it's win win

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 09:41   #8
newmeja
Guest
 
Posts: n/a
Quote:
Originally Posted by jaromanda View Post
surely it's better to err on the side of caution
Oh don't get me wrong, disclosure is good and I'm glad they've come forward.

My email address is already all over the Internet so I'm not too upset, I would just like absolute confirmation that nothing else was breached.
Old 16th February 2011, 09:54   #9
Third_of_Five
Junior Member
 
Join Date: May 2001
Posts: 11
So were passwords stored in the DB as plain text?
Old 16th February 2011, 09:55   #10
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by newmeja View Post
Oh don't get me wrong, disclosure is good and I'm glad they've come forward.

My email address is already all over the Internet so I'm not too upset, I would just like absolute confirmation that nothing else was breached.
I think all the info they're prepared to release was in the email

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 10:06   #11
Third_of_Five
Junior Member
 
Join Date: May 2001
Posts: 11
Ok so they blocked an attack on the DB, entirely or only in part? How long did the attackers have access to the DB before they were blocked? If they did get access to the DB then surely more than just email addresses were obtained.
Old 16th February 2011, 10:21   #12
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by Third_of_Five View Post
Ok so they blocked an attack on the DB, entirely or only in part? How long did the attackers get access to the DB before they were blocked. If they did get access to the DB then surely more than just email address obtained.
change your passwords

change any passwords that are identical on other sites

move on with your life


how hard is that?

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 10:25   #13
nik_bloemers
Guest
 
Posts: n/a
The fact is the email addresses were stolen. I don't care about this stupid Winamp account password, but I do care about my private email and spam!

I want my account deleted as well (haven't used it since 2003 anyway). Please delete it or let me know how to. Can't find the option anywhere, not even in the help section.
Old 16th February 2011, 10:29   #14
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by nik_bloemers View Post
I want my account deleted as well (havent used it since 2003 anyway.) Please delete it or let me know how to. Cant find the option anywere, not even in the help section.
did you read the FAQ link posted in the email?

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 10:30   #15
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
here ... let me read it for you

5) How can I delete my account?

We understand how important trust is on the web, and some of you may wish to delete your Winamp Forums account. To delete your account make sure that you are logged into the Winamp Forums and follow these simple instructions:

Scroll down to the bottom of the forum home page and click on View Forum Leaders. Scroll down to the Root section to see the list of Administrators. Send your deletion request to DJ Egg or DrO using the contact link to the right of the administrator's name. The Administrator will delete your account upon receiving the private request message and send you a confirmation email once the account is deleted.

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 10:49   #16
Third_of_Five
Junior Member
 
Join Date: May 2001
Posts: 11
Quote:
Originally Posted by jaromanda View Post
how hard is that?
About as hard as it is for you to STFU. If you don't want to answer the question that was asked, then don't answer at all.
Old 16th February 2011, 10:52   #17
DrO
 
Join Date: Sep 2003
Posts: 27,873
will everyone keep it in check please, especially telling people to STFU is not helpful.

as for the questions raised, i'm not going to answer them as i do not know the complete answer and so do not want to spread mis-information. as such what is officially provided is all there is to know on the matter though there may be further clarification (but i do not know and cannot confirm about that).

-daz
Old 16th February 2011, 10:54   #18
labratofel
Junior Member
 
Join Date: Apr 2007
Posts: 12
The only reasonable thing you have posted in this thread jarorama is everything from "my wife wants" in post #7.

You're not site admin, let them tell me what the breach was, what was taken (I understand databases and SQL injection so I sincerely doubt all they did was
code:
SELECT email FROM usertable WHERE 1;


edit: sorry mod, you posted while I was constructing this post.
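The page does not say how the forum database was attacked, so the following is not a reconstruction of the breach. It is an added example (not code from the page, from Winamp or from vBulletin) of the point labratofel makes in the post above: once a query is injectable, the attacker is not limited to the column the application meant to select. The table layout, the sample rows and the hash strings are all constructed for the demo.

```python
import sqlite3

# Constructed sample rows and an assumed schema (username, email, password, salt).
# The real Winamp Forums table layout is not shown on the page; the hash values
# below are made-up hex strings, not real credentials.
SAMPLE_USERS = [
    ("labratofel", "labratofel@example.invalid", "7c6a180b36896a0a8c02787eeafb0e4c", "Xk9"),
    ("jaromanda",  "jaromanda@example.invalid",  "6cb75f652a9b52798eb6cf2201057c73", "q2P"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the forum's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usertable (username TEXT, email TEXT, password TEXT, salt TEXT)"
    )
    conn.executemany("INSERT INTO usertable VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The query only *names* the email column, but the caller's text is spliced
    straight into the SQL string, so the caller decides what is really selected."""
    sql = f"SELECT email FROM usertable WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the input is always a value, never SQL."""
    sql = "SELECT email FROM usertable WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# A classic UNION payload: the first SELECT matches nothing, the second pulls
# username, password hash and salt out of the same table. The trailing comment
# swallows the closing quote of the original query.
DUMP_PAYLOAD = (
    "x' UNION SELECT username || ':' || password || ':' || salt "
    "FROM usertable -- "
)

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_email_vulnerable(db, DUMP_PAYLOAD))
    print("safe:      ", lookup_email_safe(db, DUMP_PAYLOAD))
```

Against the vulnerable function the payload returns every user's hash and salt; against the parameterised function the same string is simply a username that matches nobody. Whether any particular site's hashes are then usable is a separate question, taken up later in the thread.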
Old 16th February 2011, 10:55   #19
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by Third_of_Five View Post
About as hard as it is for you to STFU. If you don't want to answer the question that was asked, then don't answer at all.
I believe I've answered the question

no need to get your panties in a bunch, sweetheart

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 10:58   #20
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by labratofel View Post
The only reasonable thing you have posted in this thread jarorama is everything from "my wife wants" in post #7.

You're not site admin, let them tell me what the breach was, what was taken (I understand databases and SQL injection so I sincerely doubt all they did was
code:
SELECT email FROM usertable WHERE 1;


edit: sorry mod, you posted while I was constructing this post.
but ... I can READ emails, and READ the FAQ ... so I UNDERSTAND

I've admined fora over the years, and know what will and won't be disclosed by 99 out of a 100 admins in such circumstances

but, right now, I'll let the drama llamas carry on their whinging and whining
[Attached image: drama-llama.jpg]

Is it just me or are shoutcast users getting dumber?

Last edited by jaromanda; 16th February 2011 at 13:07.
Old 16th February 2011, 11:05   #21
Third_of_Five
Junior Member
 
Join Date: May 2001
Posts: 11
Quote:
Originally Posted by DrO View Post
will everyone keep it in check please, especially telling people to STFU is not helpful.
And neither is all the bull crap he is spouting, nor did I tell him/her to STFU, I was making an observation, which is not the same thing. People like him/her are the bane of forums.

If there was any amount of access to the DB, it is not unreasonable to assume it was more than just emails that were stolen.
Old 16th February 2011, 11:09   #22
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by Third_of_Five View Post
And neither is all the bull crap he is spouting, nor did I tell him/her to STFU, I was making an observation, which not the same thing. People like him/her are the bane of forums.
they're called facts, sweetheart

I'll stop if I'm told I'm doing anything wrong by admins ... not by someone who made two posts 4 years ago and hasn't been back since

thanks for your input, though, sweetheart
Quote:
Originally Posted by Third_of_Five View Post
If there was any amount of access to the DB, it is not unreasonable to assume it was more than just emails that were stolen.
yeah, encrypted passwords and all the info you put on your PUBLIC profile page too ... oh noes, they got info you already made public!!! what to do what to do!!!

interesting observation ... the biggest DOOMSAYERS have less than 5 posts on the forum before today

just saying is all

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 11:11   #23
Batter Pudding
Major Dude
 
Join Date: Jun 2008
Posts: 1,665
Thanks to the admins for being honest here. Okay, that is a legal requirement when you get your database stolen, but how many other forums get quietly hacked and then everything covered up in secrecy?

Can I make a small suggestion? Any chance of making the "Contact an Admin" links a little easier to find? When I dropped by this website on Jan 8th at 20:47 hrs GMT NOD32 blocked a connection to ciriso9********/multi/jnaojtgpizin.jar (Don't be stupid enough to follow that link, I am typing it here purely as an example...) If I could have found a way to easily contact an Admin, I would have reported this. Trouble is, it was not clear how to report anything so instead of wading around an infected website I ran away.

Oh - and nice to see NOD32 in action. Often sit in all kinds of silly debates about the qualities of different AV products, and it is always fun to see NOD32 getting the gloves off.

Edit: Oooo - now that is nice to see. I typed the URL above of the virus that tried to hump my PC on that day. And now I see the domain name gets blocked. I think this is the same virus that got the BBC website ( http://www.theregister.co.uk/2011/02...veby_download/ ) From that nice place the cocos islands.

If the BBC, with its huge site and cash investments gets nailed, then I think Winamp Admins can be forgiven.
Old 16th February 2011, 11:13   #24
Third_of_Five
Junior Member
 
Join Date: May 2001
Posts: 11
You're nothing more than a troll, jaromanda.
Old 16th February 2011, 11:29   #25
labratofel
Junior Member
 
Join Date: Apr 2007
Posts: 12
Must.. not.. feed.. the.. troll..

I have used Winamp for more years than I care to remember. Just because I haven't posted much doesn't mean that I don't know what I am talking about.

*expletive deleted* happens - I understand that. I just want clarification as to what was lost so I can assess the potential damage. I don't want some nobody from Deservesakicking, Illinois telling me what I should think.

Edit: I just looked over my very small posting history and saw one of my original posts that I joined the forum to create. It was a step by step guide to show people how to get shoutcast running as a Windows service.

Speak little, but when you do make sure the message is useful.

Maybe you should try that.
Old 16th February 2011, 11:32   #26
Third_of_Five
Junior Member
 
Join Date: May 2001
Posts: 11
Quote:
Originally Posted by jaromanda View Post
I'll stop if I'm told I'm doing anything wrong by admins ... not by someone who made two posts 4 years ago and hasn't been back since
You were told to keep it in check, which you seem incapable of comprehending or doing.

Quote:
interesting observation ... the biggest DOOMSAYERS have less than 5 posts on the forum before today
Did I mention DOOM? All I have done is question the statement that only our emails were leaked. All you have done is be disrespectful and unhelpful in nearly all your posts.
Old 16th February 2011, 11:33   #27
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by labratofel View Post
*expletive deleted* happens - I understand that. I just want clarification as to what was lost so I can assess the potential damage. I don't want some nobody from Deservesakicking, Illinois telling me what I should think.
you were told in the email

1) email address, stolen

2) suggest you change password

3) change password on other sites if same as here

all other possible stolen info is already public in your profile ... so it's not really stolen, is it


from 1) you MAY get spam ... I'm sure you do already

from 2) you change your password, no big deal

from 3) if applicable, you learn not to use the same password on different sites

not sure what else you want? class action lawsuit?

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 11:37   #28
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by Third_of_Five View Post
You were told to keep it in check, which you seem incapable of comprehending or doing.
no, sweetheart, that was directed at you .... telling someone to STFU is rude

Please, Mr 4 posts, don't think you can tell me what to do on this forum ... I'll take direction from admin/moderators ... but not from Chicken "the sky is falling" Little

Quote:
Originally Posted by Third_of_Five View Post
Did I mention DOOM? All I have done is question the statement that only our emails were leaked. All you have done is be disrespectful and unhelpful in nearly all your posts.
read post above ... clearly the passwords would be stolen, but encrypted, so that's why it was recommended you change your password here

all other info possibly "stolen" was clearly visible in your public profile here ... so ... you going to sue AOL for leaking information you gave out willingly and publicly?

read my sig .... and take into consideration I'm also modest

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 11:44   #29
labratofel
Junior Member
 
Join Date: Apr 2007
Posts: 12
Information in your profile could include your web address.

A whois search could then reveal your real name *edit* and address. Not Winamp's fault but a link in a chain.

The date of birth could be stored in the forum database so they can send you birthday greetings. It doesn't have to appear on your profile page ("Hide age and date of birth").

Now I potentially have a name, address, email and a date of birth. A little social engineering and I can get access to your ICQ account. Then I can take over the world. Or something.

It's been done before. Just not by me.
Old 16th February 2011, 11:47   #30
Third_of_Five
Junior Member
 
Join Date: May 2001
Posts: 11
Quote:
Originally Posted by jaromanda View Post
no, sweetheart, that was directed at you .... telling someone to STFU is rude
Both those statements are incorrect. Keep it in check was directed at everyone. I did not tell you to stfu, I made an observation / a comparison which is not the same. You however continue to be disrespectful, clearly you get some kind of kick out of it, which says a lot.

Quote:
read post above ... clearly the passwords would be stolen, but encrypted, so that's why it was recommended you change your password here
It's not clear the passwords were stolen at all. And how do you know the passwords are encrypted? You don't.
Old 16th February 2011, 11:48   #31
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by labratofel View Post
I can get access to your ICQ account. Then I can take over the world.
ROFL

see

a little humour never hurt

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 11:51   #32
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by Third_of_Five View Post
Both those statements are incorrect. Keep it in check was directed at everyone. I did not tell you to stfu, I made an observation / a comparison which is not the same. You however continue to be disrespectful, clearly you get some kind of kick out of it, which says a lot.
how was I disrespectful to you before you told me to STFU (I didn't say you told me, admin did)


Quote:
Originally Posted by Third_of_Five View Post
It's not clear the passwords were stolen at all.
so why were you told to change them?

Quote:
Originally Posted by Third_of_Five View Post
And how do you know the passwords are encrypted? You don't.
I'm the one that stole the database; it's useless to me because the passwords are encrypted

- or -

I know a lot more about this forum than johnny come seldoms

code:
$password_hash = md5(md5($password_text) . $user_salt);


sorry, I said encrypted ... but 99% of n00bs wouldn't understand "hashed"

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 12:03   #33
Third_of_Five
Junior Member
 
Join Date: May 2001
Posts: 11
Quote:
Originally Posted by jaromanda View Post
how was I disrespectful to you before you told me to STFU (I didn't say you told me, admin did)
Waste of effort conversing with you as there seems to be some kind of language barrier, as you continually misinterpret plain English, which, as Troll seems to be your primary language, is probably not surprising.
Old 16th February 2011, 12:06   #34
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by Third_of_Five View Post
Waste of effort conversing with you
and yet, here you are
Quote:
Originally Posted by Third_of_Five View Post
as there seems some kind of language barrier, as you continually misinterpret plain English,
let me type it out SLOWLY for you

I never claimed you told me to STFU ... I was not rude or disrespectful to you until you basically told me to stop posting

not ONE admin/mod has corrected any points in any of my posts

why do you think that is?

because it's COMMON SENSE

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 12:15   #35
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
http://forums.shoutcast.com/online.p...members&pp=200

ROFL

look at all the users in the control panel

hardly any are bitchin an moanin in this thread

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 12:17   #36
labratofel
Junior Member
 
Join Date: Apr 2007
Posts: 12
Quote:
Originally Posted by jaromanda View Post
http://forums.shoutcast.com/online.p...members&pp=200

ROFL

look at all the users in the control panel

hardly any are bitchin an moanin in this thread
Yeah they are too busy changing their passwords.
Old 16th February 2011, 12:18   #37
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by labratofel View Post
Yeah they are too busy changing their passwords.
yeah, because it takes HOURS to do that

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 12:21   #38
osmosis
Major Dude
 
Join Date: Jan 2006
Location: Cananada
Posts: 839
As I understand it, the MD5 hashes which *MAY* have also been taken in addition to the emails (as written in the security bulletin), could be used to generate a collision (i.e. something which has the same hash) and that could be used to login to your Winamp Forums account.

The odds of the collision being your actual password are minimal so your password will most likely be safe on other sites unless they also use MD5 hashes, but to err on the side of caution we've all been advised to change passwords on other sites if it's the same. At the very (very) least your Winamp forum password should be changed.

Hope that helps anyone who's still a bit confused.

Request: A little SmartView Query Language love.
Old 16th February 2011, 12:23   #39
labratofel
Junior Member
 
Join Date: Apr 2007
Posts: 12
MD5 Rainbow tables.
Ask google about them.

Says it all really.
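Posts #32, #38 and #39 between them raise the question of what a leaked hash is actually worth: the scheme jaromanda quotes, md5(md5(password) . salt), versus the precomputed MD5 tables labratofel points at. The block below is an added example, not code from the page, from Winamp or from vBulletin's code base; it implements the quoted scheme in Python and runs it against a constructed wordlist, with invented salts and user names. It shows that a precomputed table cracks an unsalted MD5 in one lookup, that a per-user salt defeats that table, and that the salt alone does not save a dictionary password because the attacker holds the salt from the same leaked row.

```python
import hashlib


def md5_hex(text: str) -> str:
    """Hex MD5 of a string; the primitive both the forum scheme and the tables use."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """The scheme quoted in post #32: md5(md5(password) . salt)."""
    return md5_hex(md5_hex(password) + salt)


# Constructed stand-in for a real password dictionary.
WORDLIST = ["winamp", "shoutcast", "password", "letmein", "llama2011"]


def build_lookup_table(words) -> dict:
    """Precomputed md5(word) -> word, built once and reused against every leaked
    hash. This is the plain form of the precomputation that rainbow tables make
    space-efficient; an unsalted MD5 falls to it with one dict lookup."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(target: str, table: dict):
    """Unsalted MD5: one lookup, no hashing at attack time."""
    return table.get(target)


def crack_salted(target: str, salt: str, words) -> tuple:
    """Salted scheme: the precomputed table is useless because the salt changes
    every digest, but the salt sits in the same leaked row, so the attacker simply
    rehashes the wordlist per user. Returns (password or None, hashes computed)."""
    work = 0
    for w in words:
        work += 1
        if vb_hash(w, salt) == target:
            return w, work
    return None, work


def demo() -> dict:
    """Two constructed users: one with a dictionary password, one with a long
    passphrase. Salts are invented for the example."""
    table = build_lookup_table(WORDLIST)
    leaked = {
        "alice": ("winamp", "Xk9"),
        "bob": ("correct horse battery staple", "q2P"),
    }
    results = {}
    for user, (pw, salt) in leaked.items():
        h = vb_hash(pw, salt)
        results[user] = {
            # Always None here: the salt means the stored hash is not md5(password).
            "table_hit": crack_unsalted(h, table),
            # Per-user dictionary run using the leaked salt.
            "dictionary": crack_salted(h, salt, WORDLIST),
        }
    # Same password, different salt: different stored hash, so one precomputed
    # table cannot serve every user in the dump.
    results["salt_changes_hash"] = vb_hash("winamp", "Xk9") != vb_hash("winamp", "q2P")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The practical reading for a user of the forum is the one the thread converges on: the salt buys time against bulk table attacks, but a short or reused password is still recovered per user in a handful of hash operations, so changing it here and anywhere it was reused is the right response regardless of exactly what was taken.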
Old 16th February 2011, 12:23   #40
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Quote:
Originally Posted by osmosis View Post
Hope that helps anyone who's still a bit confused.
I'll take "Common Sense on the Internet" for 400, please, Alex

Is it just me or are shoutcast users getting dumber?