Two Plus Two Forum Hacked

pokeraddict

Webmaster
Joined
Aug 3, 2002
Location
Las Vegas
I am not sure what forum this goes in, but I know many people here read 2+2 at least in passing. Here is the notice posted by 2+2 admins while the site is offline.

On April 26th at approximately 11:20 AM pacific time, the Two Plus Two Forums were closed as a result of a hacker who has displayed the ability to access e-mail addresses and encrypted passwords. He also indicated the ability to decrypt passwords.

While it is unclear the extent of data to which he gained access, e-mail addresses and passwords on the Two Plus Two forums should be considered compromised. If you have used your 2+2 password on any other site, you are advised to change it.

For your security we are closing the forums until the breach is patched.
 
Thanks for the announcement. What version of vBulletin were they using over there?

Unlike the footer here, theirs does not include that info:

Powered by vBulletin®
Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.6.0 ©2011, Crawlability, Inc.
Copyright © 2008-2010, Two Plus Two Interactive

I don't know of any other way to find out. They have emailed everyone also. I will post updates, but assume this is going to be a long downtime. There was a recent notice in the forum header that there had been many recent attempts at logins and password phishing lately. That could be a coincidence though.
 
The people that do these things really need to get a life and maybe put their "talent" to doing something good rather than causing disruption.

Oh, I rather think this is more than simple online vandalism... The hacker/s are probably trying to use the stolen info to log into online poker accounts and ewallets right now.
 
Might be an idea to PM the membership here telling them to change their passwords to something they don't use anywhere else or at least at any gambling sites.
 
VBulletin employs MD5 encryption for passwords, meaning in layman terms, even Bryan is unable to view the passwords of any forum account when viewing the database that Casinomeister uses.

If it was just the admin or mod panels for 2 + 2 which were compromised, then all the hacker would see in the password field would be a blank.

However, if the person gained access to the database they would see the encrypted password. MD5 is a one way encryption and cannot be decrypted. But, you can use a dictionary brute force attack on an encrypted password, which if your password is weak and is based on a word, would likely work.

But still good advice to not use the same passwords for forums etc that you use for other important online accounts.
 
For more information on the MD5 encryption that VBulletin uses to store all account passwords take a look at the wiki page:


The only user accounts at risk are those with passwords based on a dictionary word which can be brute forced, using a brute force application.

To brute force a strong password which is totally random such as 30rhlwdfr89fhdflk for instance would take the same software several years to decrypt it.
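Added example, not from the thread: a defender's audit of what the two posts above describe. It hashes a small constructed wordlist once and checks which stored unsalted MD5 hashes match (those accounts need a forced reset), then contrasts that with a salted, iterated hash where the same weak word gives a different stored value per account. The usernames, wordlist and stored hashes are all constructed here.

```python
import hashlib
import secrets

# Constructed sample wordlist; a real audit would use a far larger one.
WORDLIST = ["password", "letmein", "poker", "vegas2012", "qwerty"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 as the thread describes: one password always gives one hash."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed stored hashes for three hypothetical forum accounts.
STORED = {
    "alice": md5_hex("poker"),              # dictionary word
    "bob":   md5_hex("30rhlwdfr89fhdflk"),  # the random password quoted above
    "carol": md5_hex("letmein"),            # dictionary word
}


def audit_md5_hashes(stored: dict, wordlist: list) -> dict:
    """Return {user: matched_word} for accounts whose hash is in the wordlist.

    The hashes are unsalted, so hashing each word once builds a table that
    answers the question for every account at the same time; that is why a
    dictionary-based password is at risk and a random one is not.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def same_word_different_hashes(word: str) -> bool:
    """Two accounts with the same weak word get unrelated stored values,
    so no single precomputed table covers every user."""
    return pbkdf2_hash(word, secrets.token_bytes(16)) != pbkdf2_hash(word, secrets.token_bytes(16))


if __name__ == "__main__":
    print("accounts needing a forced reset:", audit_md5_hashes(STORED, WORDLIST))
    print("salted hashes differ for the same word:", same_word_different_hashes("poker"))
```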
 
Great, I have an account there, although I generally don't use the same password all the time at forums for this very reason. :(
 

The Wiki page also says MD5 should be considered "broken", and not used where security matters.

Also mentioned are a few attacks that might allow limited password cracking using a standard desktop or laptop PC. These are not "brute force", but can be targeted.

I am not 100% certain, but it appears they mean that they don't need to find the actual password, but another "message" that produces an identical MD5 hash. This message would also work just as well as the original password, and one could log in with it.

Reminds me of a password crack from 1981 on the university Nord 100 - piece of p1ss;)
 
Sounds like a disgruntled member of 2 + 2. Maybe his/her main point was to shut the forum down rather than stealing data. I'd be looking at someone big time mad at 2 + 2 in the past. ;)
 
Bad security.. I think we will see a lot more of these threads this year.
Having the latest version of software is like only having sex right before or after a woman has her period, and thus not getting pregnant.. Sorry couldn't think of a better analogy :D
 
OK, this question is from a computer illiterate.

I have an account there at 2+2. I rarely ever sign in though cause I just read. How could anyone get my bank, credit card, etc info from what I used to sign up? I guess I mean, wouldn't they have to know a little more about me, like all my email addys cause I use different ones for different things, where I bank, what cards I use.

How would they get anything like that from my name and address at 2+2?
 
Some people use same/similar emails, user names, and passwords at different sites. For instance, maybe a player (unwisely) uses same email and almost same password at an ewallet.... or a poker room.... some hackers might use that and be able to get past any other safeguards to steal from his accounts.

Also if you use an all too simple password on your email account that leaves that account vulnerable to hijacking, and sometimes there's lots of valuable info inside our email folders.
 
I'm sure that lots of scrambling is going on changing passwords etc. Mousey made some very valid points.

Everyone should note that email isn't secure unless encrypted; storing or even sending data that you don't want hacked should never be done within an email system.

Sure a few deface the fact by saying well I've never heard of anything bad happening but I'm sure 2 + 2 never dreamed they'd be hacked either.

Email isn't secure and makes more stops than driving down the Vegas strip before reaching its intended recipient. :thumbsup:
 
There is an excellent password security manager called Roboform.

It costs about $10 and it generates and stores passwords for every single thing on your pc laptop mobile etc. It means you never have to type your passwords, which negates the effect of keyloggers, and storing your cc info and banking info means you are less likely to be hacked. All you ever need to remember is your master password which gives access to the program.

All my passwords are 16+ characters including numbers, upper and lower case etc. A geek friend of mine says it is almost impossible to crack those kinds of passwords, or at least far too time consuming. Hackers tend to go for the easy targets e.g. passwords that include words or names and dates of birth, and those of 8 characters or less. Maybe some hacker members here could comment on this? :D

I have no idea what most of passwords are as they are impossible to remember. I like it.
 
If someone managed to recover the encrypted MD5 hash from 2+2, they would have had to reverse engineer it to the originating password in order to use this information to hack in to casino accounts using the theory that the same password would be used elsewhere.

They would also have to know the casino account numbers, so how would they get these from hacking the 2+2 database?

To get hold of such wealth of information just from an email address and password hash from 2+2 would require the expertise of a pretty knowledgeable hacker, and suggests this is more an organised group than an individual. It would involve many sources, many of which would also need hacking, to gather this information.

It is possibly the email address that is most dangerous, as if hacked, accounts could be attacked using the standard "forgotten your password" procedures. Securing the email address used at 2+2 should therefore be the top priority, ensuring the password for it cannot be guessed easily from information at 2+2.
 
I think maybe the only way they could get that information is if they gathered the IP addresses on the 2+2 forum and then attacked them individually, recording data there, and then using it to do all of that..
Kinda far fetched :D But to me this makes more sense than getting the information through email addresses or similar passwords..
 
Damn that's crazy, either the hackers did an extreme amount of damage, or twoplustwo has no idea how they got in and how to solve it.
Yes, I'm an *******, but then again they were bitching about poker sites having lousy security. Karma is a bitch. Ahum sorry karma, please don't make me look like a fool any time soon (well more than fits me that is :D)
Btw this is the only forum I have a newsletter to with my affiliate email, and I never receive spam on there so this one is clean as can be.. Cause usually the hackers only want to gather information and use it without making the webmasters aware of the breach.
 