
posted by CoolHand on Monday October 22 2018, @04:45PM
from the nothing-is-safe-online dept.

Submitted via IRC for Fnord666

Hack on 8 adult websites exposes oodles of intimate user data

A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it's not clear how many of the addresses legitimately belonged to actual users.

[...] Besides wifelovers.com, the other affected sites are: asiansex4u.com, bbwsex4u.com, indiansex4u.com, nudeafrica.com, nudelatins.com, nudemen.com, and wifeposter.com. The sites offer a variety of pictures that members say show their spouses. It's not clear that all of the affected spouses gave their consent to have their intimate images made available online.

[...] In many respects, the most recent breach is more limited than the hack of Ashley Madison. Whereas the 100GB of data exposed by the Ashley Madison hack included users' street addresses, partial payment-card numbers, phone numbers, and records of almost 10 million transactions, the newer hack doesn't involve any of those details. And even if all 1.2 million unique email addresses turn out to belong to real users, that's still considerably fewer than the 36 million dumped by Ashley Madison.

[...] Still, a quick examination of the exposed database demonstrated to me the potential damage it could inflict. Users who posted to the site were allowed to publicly link their accounts to one email address while associating a different, private email address to their accounts. A Web search of some of these private email addresses quickly returned accounts on Instagram, Amazon, and other big sites that gave the users' first and last names, geographic location, and information about hobbies, family members, and other personal details. The name one user gave wasn't his real name, but it did match usernames he used publicly on a half-dozen other sites.

[...] Also concerning is the exposed password data, which is protected by a hashing algorithm so weak and obsolete that it took password cracking expert Jens Steube just seven minutes to recognize the hashing scheme and decipher a given hash.

[...] Known as Descrypt, the hash function was created in 1979 and is based on the old Data Encryption Standard. Descrypt provided improvements designed at the time to make hashes less susceptible to cracking. For instance, it added cryptographic salt to prevent identical plaintext inputs from having the same hash. It also subjected plaintext inputs to multiple iterations to increase the time and computation required to crack the resulting hashes. But by 2018 standards, Descrypt is woefully inadequate. It provides just 12 bits of salt, uses only the first eight characters of a chosen password, and suffers other more-nuanced limitations.

"The algorithm is quite literally ancient by modern standards, designed 40 years ago, and fully deprecated 20 years ago," Jeremi M. Gosney, a password security expert and CEO of password-cracking firm Terahash, told Ars. "It is salted, but the salt space is very small, so there will be thousands of hashes that share the same salt, which means you're not getting the full benefit from salting."
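The two limitations the article and Gosney describe (the eight-character truncation and the 12-bit salt space) are easy to make concrete. The following Python is an added illustration, not code from Ars, SoylentNews or any of the affected sites: it models the material descrypt actually feeds into DES (first eight characters, low seven bits of each), computes how many of the leak's 1.2 million records would on average share a single salt value, and shows the kind of salted, iterated scheme (PBKDF2-HMAC-SHA256 with a 128-bit random salt, parameters chosen here as an assumption) a site should store instead. The user count and salt size are the figures from the article; everything else is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Facts stated in the article: descrypt hashes only the first eight characters
# of the password and uses a 12-bit salt (4096 possible values).
DESCRYPT_PASSWORD_CHARS = 8
DESCRYPT_SALT_BITS = 12
DESCRYPT_SALT_SPACE = 2 ** DESCRYPT_SALT_BITS  # 4096

# Replacement-scheme parameters. These are this example's choices, not
# anything the article or the sites specify.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 200_000
MODERN_SALT_BYTES = 16  # 128-bit random salt, unique per stored hash


def descrypt_effective_secret(password: str) -> bytes:
    """Return the material descrypt actually hashes: the first eight characters,
    each reduced to its low seven bits (classic Unix crypt(3) key handling).
    Everything after position eight is silently discarded, so two passwords
    that agree on their first eight characters produce the same hash."""
    return bytes(ord(c) & 0x7F for c in password[:DESCRYPT_PASSWORD_CHARS])


def expected_users_per_salt(user_count: int, salt_space: int) -> float:
    """Average number of stored hashes that share one salt value when salts are
    drawn uniformly from salt_space. This is the 'thousands of hashes share
    the same salt' effect Gosney describes: a tiny salt space means one DES
    evaluation per candidate password serves many accounts at once."""
    return user_count / salt_space


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password with PBKDF2-HMAC-SHA256, a fresh random salt and a high
    iteration count. The encoded record carries its own parameters so they can
    be raised later without breaking verification of older records."""
    if salt is None:
        salt = os.urandom(MODERN_SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2-{}${}${}${}".format(
        PBKDF2_HASH, PBKDF2_ITERATIONS, salt.hex(), derived.hex()
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare in
    constant time. The full password is used; nothing is truncated."""
    scheme, iterations, salt_hex, derived_hex = stored.split("$")
    hash_name = scheme.split("-", 1)[1]
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


if __name__ == "__main__":
    # Constructed demonstration values.
    long_pw, short_pw = "correcthorsebatterystaple", "correcthorse"
    print("descrypt sees the same secret for both:",
          descrypt_effective_secret(long_pw) == descrypt_effective_secret(short_pw))
    print("records per salt value with 1.2M users and 12-bit salt:",
          round(expected_users_per_salt(1_200_000, DESCRYPT_SALT_SPACE)))
    record = hash_password(long_pw)
    print("modern record:", record)
    print("verify full password:", verify_password(long_pw, record))
    print("verify truncated password:", verify_password(short_pw, record))
```

Run it directly to see that the two constructed passwords collapse to one descrypt input while the PBKDF2 record distinguishes them, and that 1.2 million records spread over 4096 salt values leaves roughly 293 hashes per salt. The record format here (`pbkdf2-sha256$iterations$salt$hash`) is this example's own convention; the point is that salt and cost live next to the hash so they can be migrated upward over time.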


Original Submission

  • (Score: 0, Funny) by Anonymous Coward on Tuesday October 23 2018, @01:54AM (#752295)

    Panic in la Casa el Buzzard, no doubt. Why is SN even covering this?

  • (Score: 0) by Anonymous Coward on Tuesday October 23 2018, @04:24PM (#752517)

    > Why is SN even covering this?

    Because it's about sex and computerz!!!1!!!eleven!!!11!1!! Why do you aks?