Monday, 12 November 2007

Fake RIAA Emails

Members of What.cd have today received an email purportedly from the RIAA. The email is fake. Do not believe its contents.

However, what it does prove is that the recent SQL Injection attacks and major lapses in security at What.cd have meant that the user database has been harvested. If you have an account at What.cd, consider your email address and possibly password as no longer private.

Edit: An official comment response from What.cd:
skullyzero said...
We have a grip on our security.
The passwords are stored in salted hashes so everyones accounts are safe.
The attackers got email addresses and thats all.
We do know who it was
If you signed up anytime after last friday your information is safe

Edit 2: The What.cd admins have posted a response on their website, and have tracked down the culprit, a 14 year old kid and his brother. They've also posted his contact details in case anyone feels like writing to him to point out the error of his ways.

Edit 3: OK, not SQL injection attacks, but the kid having access to the server upon which the site was hosted. Also most of the kid's contact information has been removed from what.cd.

34 comments:

Anonymous said...

major bummer

Unknown said...

Surely the passwords arent saved as plain text, rather salted hashes? I should hope so.

azc said...

Reponse to 'fire':
We have no way of knowing. Given the other major lapses of security we've seen so far, I think anything is possible.

Anonymous said...

Im so happy im not rushing into getting invites =D
people went like a moth to the flame, well...
Now they got burned .

Anonymous said...

so i should be glad that i haven't been accepted yet ... still waiting :(

Anonymous said...

This is fucked up. Too much downtime and too many security issues.

I'm deleting my account and I suggest everyone else do it too.

For all we know, these kids could be selling all of the email addresses they jacked from what.cd to spammers right now.

Unknown said...

if i wasnt signed up before but i sign up today am i still at risk?

Anonymous said...

Damnit, what.cd, you need to do better!

DMIXDJ said...

Nobody's at Risk from a Fake Email, Get a fucking Grip!!!! If ya that paranoid, delete ya Account and go Back to using Bearshare or Something! Jeez....

Might be worth making sure u use diff passwords for these things in the Future....

What are being attacked for whatever reasons, but this will make stronger...

Every Website has security flaws if u know where to look......

Anonymous said...

You guys are pathetic for getting so paranoid. The passwords (as it says on the front page) are all encrypted, and these people having our email addresses doesn't mean your internet life is over.

Anyone doubting the competence of the staff at what are gravely mistaken, as they're doing one hell of a job keeping the site going, even after being ddos'd and whatnot.

Anonymous said...

heh. i got one of those emails. it sounded pretty fake anyway, but still glad to know it is. it traces back to bitient anyway i believe.

i don't even remember my username there because of a botched signup, so now the SQL hax0r kiddies have my email and password i am sure, no way to login and delete.

Anonymous said...

im not even a member of what.cd and i got that email wtf

Anonymous said...

The passwords won't be saved as plain text, no site can surely be that retarded. And in response to one of the Anonymous comments regarding the sales of emails.. who give a shit? Everyone ends up getting spam anyways, they can spam me all they want. I already get lots, that's why I have four different email accounts.

Unknown said...

Is the site even working for anyone? I only get a white page

Anonymous said...

WhatMan confirmed on #what.cd that the passwords were hashed in the DB.

KD said...

even if your password consists of lower and upper alpha and numeric characters if it is 7 characters or less it's extremely easy to crack even when hashed as md5 thanks to rainbow tables. if your password is just numbers that upwards of 11 characters are simple to crack in under a second. once someone has a dump of a database like that of what.cd they're going to get at least 50% of those passwords pretty easily and pretty fast.

skullyzero said...

We have a grip on our security.

The passwords are stored in salted hashes so everyones accounts are safe.

The attackers got email addresses and thats all.

We do know who it was

If you signed up anytime after last friday your information is safe

Anonymous said...

So its clearly not from the RIAA - however it doesn't seem very good that the email addresses are not very protected....

Anonymous said...

people aren't angry getting sent a stupid joke email that doesnt mean anything

people are upset that what.cd's database was comprised with all of our email addresses stolen and possibly sold. who knows if they got our passwords or not.

what.cd's administrators are clearly incompetent. i don't think anyone should use the site as it is clearly unsecure and you're risking your personal information leaking into the wrong hands

Anonymous said...

It's a drag, but it'll be ok soon. What.cd's home page explains what happened in detail. They now know who was behind the attacks, as well as why they worked so well. Apparently it was a 14 year old kid with access to the server.
Who cares about spam and a password. Just change it and get on with your life, jeez...

Anonymous said...

Why would you sign up for a filesharing scheme with your legit email anyway?

Anonymous said...

^

Yes. Anyone stupid enough to use their real email for stuff like this deserves to get spammed. Not that that has happen yet, or is that probable to happen in the future. (The kids responsible is most likely being bombed to hell as we speak, nothing they do will change that.)

Anonymous said...

It's quite funny, actually. Users think that we have sold their email's to spammers, etc. for profit or whatever reason they may think up. I know for a fact that the e-mail addresses contained within the database would never be released to any site, etc. We just don't do that. OiNK Didn't do it, nor us. End of that discussion. Furthermore, if you're worried about being personally identifiable, I believe torrenting/Internet activity isn't the right thing for you. Afterall, everything can be traced back, It's just how the internet works. I welcome all users who are hesitant to join What.CD to join now. Any users currently having problems, can IM me on AIM at WhatDAQ.

Thanks!
<3 OiNK

D1mitri said...

The site explains everything in details ( in fact a very long post!)

You guys sound too much paranoid.

Just change the password if you're not sure. And if you were already into security, my guess is you have different passwords for all accounts.
If not, well, too bad for you, cause it's your fault.

Plus, it's not like it's your fucking Paypal account or bank account. Max they can get is download some stuff with your account and ruin your ratio, or you can banned if cracker is too obsessed (later explain to staff at IRC and get it fixed).
So what? It's not the end of the world!

Anonymous said...

waffles!

Anonymous said...

businesses sell your contact information to other businesses all the time so you really shouldn't worry all that much as said above. it may result in an increase in spam or something, but more than likely won't result in anything.

Unknown said...

the e-mail looks so fake. those little kids are idiots.

sigloiv said...

Everyone needs to calm down. As stated on the What.CD page, this was not the result of SQL injection as was first believed. What happened was that some people who shared hosting with the What.CD staff (the 14 year old kid and his brother) got ticked that they'd have to share bandwidth, and used their legitimate access to the server to grab passwords (and alter the database to redirect to shock sites, add RIAA warnings, etc.)

Basically, they've lost their hosting and What.CD's on a different host now. There's absolutely no risk, and anyone who's being paranoid or think that this somehow make What.CD inadequate is crazy.

Anonymous said...

I posted a comment regarding this issue on torrentfreak a moment ago, so i'm just gonna copy-paste it here.

What.cd and Waffles.fm are such halfwit, dipshit trackers. Allowing some idiots to thrash the site like that. And waffles don’t need anyone to ruin their tracker. They’re doing it quite well themselves. Fuck them both.

God, how I miss my sweet Oink.

Alan Hamlett said...

Kevin said...
even if your password consists of lower and upper alpha and numeric characters if it is 7 characters or less it's extremely easy to crack even when hashed as md5 thanks to rainbow tables. if your password is just numbers that upwards of 11 characters are simple to crack in under a second. once someone has a dump of a database like that of what.cd they're going to get at least 50% of those passwords pretty easily and pretty fast.


Kevin is exactly correct: MD5 is proven insecure and every member of What.cd should forget the password they used there.

Anonymous said...

While well intentioned, admins should really have a grasp on what they're doing before they take on such a project.

Someone really needs to scrap TBsource and start from scratch using good practices. As with most other PHP code out there, TBsource is absolute crap.

Anonymous said...

upallnight > Notice they said "salted hashes", which is completely different than just plain MD5. Terabytes and terabytes of rainbow tables are pretty well useless once you introduce salting.

While I don't disagree with you on changing passwords on the site is good practice (as we don't truly know if they really are salted to begin with), if they were actually salted hashes your password should be perfectly safe.

Anonymous said...

Got one too about being ex Oinker and now whatter and I should stop pirating.
Sended ONE back with answer; we never stop asshole.
Good to see you guys are still alive and kicking.

greetings:

hotemetoot
holland

Anonymous said...

" Anonymous said...

I posted a comment regarding this issue on torrentfreak a moment ago, so i'm just gonna copy-paste it here.

What.cd and Waffles.fm are such halfwit, dipshit trackers. Allowing some idiots to thrash the site like that. And waffles don’t need anyone to ruin their tracker. They’re doing it quite well themselves. Fuck them both.

God, how I miss my sweet Oink."


Awww, someone got denied an invite to both sites I guess.

Go die you little retard.