2p2 Hacked–Do This Stuff Immediately

The Two Plus Two Forums have been hacked, and the forums have been taken down by the admins to prevent further damage. The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

In other words, you should assume that there is currently a hacker that knows your 2p2 username, your e-mail, and your 2p2 password. That’s really bad. This isn’t your standard cryptonerd/privacy nut’s rant that makes you do a lot of work to prevent a potential attack that may or may not come and that you don’t understand; this is a situation in which a very serious hacker has already done the attack. Apologies in advance for the bold and all caps and stuff.

So, right now, here’s what you should do:

First, if you use the same password on 2p2 and some other site(s), change the password on the OTHER site(s) IMMEDIATELY. If you don’t know what your 2p2 password is, go to 2p2 (whose forums are down but whose servers are still up), log out, and then try logging in again to check your password. If you have the same password across a large number of accounts, use the following priority when changing passwords: 1) e-mail address(es), 2) bank account(s), 3) poker sites, 4) sites that have your credit card number stored (e.g., Amazon), and 5) everything else. For advice on how to choose a good password, see this blog post.

However, do not change your password on 2p2. As far as I know, the vulnerability still exists, so changing your 2p2 password will just give you another potentially compromised password to worry about. And the 2p2 forums are down right now, so there’s no reason to worry about someone using your account. You obviously will want to change your password eventually, but now is not the time. If 2p2 responds to this properly, you’ll be forced to change your password there once the vulnerability is found and fixed, so you don’t need to worry right now.

That’s by far the most important thing. So, go do that. Seriously… go do that. I’m not being a crypto nut.


Now, here’s some other stuff that you should do, though they’re less urgent (and in descending order of importance):

  1. Quit using the same password for lots of stuff (if you do). This will not be the last time that this happens. The huge problem with passwords is that the server has to store (some version of) them in order for them to be useful. (There are cool cryptographic ways around this, but that’s for another post, and nobody uses them yet.) When information exists, people get access to it–especially when it comes with a big sign on it that says “This information can be used to earn lots of money.” Password leaks happen really really often. Don’t put all your eggs in one basket because, when it comes to password security, baskets get stolen really frequently.
  2. Change the password on the e-mail that you use for 2p2 to something secure. While the hacker has no immediate access to this if you use a different password, a hacker with your e-mail address is a scary thing. E-mail addresses are really really important things to keep secure because a lot of accounts can be easily accessed through your e-mail address (e.g., your poker accounts). So, this is a nice time to remember basic password security, which means changing your passwords frequently (e.g., now) and using secure passwords. Again, see my previous post about secure passwords. If you’re not sure what e-mail you used for 2p2, you should have recently received an e-mail from forum-master@twoplustwo.com or you will receive one shortly. The address that received this e-mail is the one whose password you should change.
  3. Change your other important passwords similarly. Again, see my previous post about secure passwords. It’s really not a hassle at all to have a secure password if you follow good advice instead of the standard stupid “Use lots of gibberish with special characters and weird capitalization” advice.
  4. If you’re a high stakes player, a moderator, or otherwise someone whose account may have been interesting to the hacker, worry about what was in your PM box. If I were a hacker (and had fewer scruples) who had access to durrrr’s 2p2 password, for example, I would have downloaded his PMs. There’s some reason to believe that this hacker was familiar with 2p2 and the poker community, so it’s not too far-fetched to think that he may have had this idea. He had access to the forums for long enough to have downloaded a lot of PMs.
  5. Keep forgetting that 2p2’s down, opening it up, and then getting really pissed off. That’s not actually advice; it’s just what I’ve been doing.

I want to keep this shortish so people read it, and I want to get it out quickly since there probably is some guy currently sitting at his computer with a list of usernames and passwords frantically coding and running scripts to try to get into poker players’ various accounts. So, that’s it.
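As an added illustration of why a leaked table of salted md5 hashes is so dangerous (this is not code from the post or from vBulletin): the storage scheme the post describes, beside a hardened PBKDF2 scheme a site operator should use instead, with a rough measurement of how many md5-style guesses fit in the time of one PBKDF2 guess. The md5(md5(password) + salt) layout and the 3-character salt are my assumptions about vBulletin 3.x; the page only says “md5” and “rather short” salt, and the iteration count is a constructed value.

```python
import hashlib
import hmac
import os
import secrets
import string
import time

# Weak scheme (assumption: vBulletin 3.x stores md5(md5(password) + salt) with a
# 3-character salt; the post only says "md5" with a "rather short" salt).
SALT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ITERATIONS = 600_000  # hardened scheme's work factor (constructed value)

def vb_make_salt(length: int = 3) -> str:
    """Short per-user random salt of the kind the post describes."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))

def vb_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt): unique salts defeat shared rainbow tables,
    but md5 is so cheap that each hash can still be brute-forced on its own."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def vb_verify(password: str, stored_hash: str, salt: str) -> bool:
    return hmac.compare_digest(vb_hash(password, salt), stored_hash)

def strong_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened replacement: PBKDF2-HMAC-SHA256, 16 random salt bytes, high
    iteration count; record format 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Single-thread throughput of hash_fn on throwaway inputs (at least one call)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"guess{n}")
        n += 1
    return n / (time.perf_counter() - start)

def cost_ratio(iterations: int = PBKDF2_ITERATIONS, seconds: float = 0.2) -> float:
    """How many md5-scheme guesses fit in the time of one PBKDF2 guess."""
    salt, probe_salt = vb_make_salt(), os.urandom(16)
    fast = guesses_per_second(lambda g: vb_hash(g, salt), seconds)
    slow = guesses_per_second(
        lambda g: hashlib.pbkdf2_hmac("sha256", g.encode("utf-8"), probe_salt, iterations),
        seconds)
    return fast / slow

if __name__ == "__main__":
    record = strong_store("example password")  # constructed sample input
    print(record, strong_verify("example password", record), f"{cost_ratio():,.0f}")
```

The ratio printed at the end is the factor by which a leaked record slows a guessing attack; a per-user salt alone, as the post notes, only stops precomputed tables.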

58 Comments.

  1. Thanks for the info. I think it’s also important to point out that should your email service provider support 2-step-verification, then this should be enabled as it brings additional security benefits.

  2. Hi Noah,

    Could you explain how this works?

    the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

    So they add a fixed salt to the password before running it through the MD5 algorithm or something? (e.g. MD5(password + salt)). Sounds like it would be better if the salt would be different per user, but anyway: Even if this is the case, isn’t it still infeasible to actually find the passwords for all accounts if the passwords are sufficiently complex?

    • Noah Stephens-Davidowitz

      They used randomized unique salts for each player, which were also stored in the DB, like you suggested. The salt is rather short, so some of the weaker passwords are still breakable by rainbow table, which is effectively instant. Others he’d have to brute force individually, but that can be done in minutes per password. So, while he’s not going to get every password on 2p2, he’s going to get a lot of them.

      He logged into some mods’ accounts, so we know that he knows how to do this.

  3. Well, I want to leave a link here to funkyworms’ security thread for poker players here, but obviously can’t. It’s really good.

    I think it’s in the computer and technical sub forum.

  4. Excellent info. I do use similar passwords for low priority/security sites but any sites with any real risk or value to me have unique passwords. This is good advice for all.

    I suspect the main goal here was getting into poker accounts. So hopefully people did not share info from twoplustwo and poker sites. People should probably change the poker passwords ASAP if the same.

  5. Noah, if I put every legal password character in a string and then use a random number generator to sample the string to generate say 10 random characters, how safe would the password be?

  6. Lisa (DiamondDixie)

    Thank you so much, without this I would have forgotten a bunch of stuff.

  7. Great post. Thanks Noah.

  8. My current 2P2 password isn’t used for anything else, but previous ones were. Does the server keep a historical record of passwords?
    cheers

  9. Thank you for this. How do I access the forums. I do not know my password and want to find out what I was using. Thank you.

    • Noah Stephens-Davidowitz

      I think you no longer can right now, as they’re playing with stuff behind the scenes.

  10. bunch of tards

  11. Do you feel that attacks are becoming more common on 2+2? or are attacks just generally increasing on the Internet? Also it is possible to trace where the attacks came from? Thanks

    • Noah Stephens-Davidowitz

      This is the second attack on 2p2 that I can remember, and the other one was pretty recent. It’s possible that they were both the same person. I don’t really think two attacks makes a trend regardless. Am I forgetting some attacks?

      I think this stuff’s happening a bit more often on the Internet in general because each attack advertises the idea to a new group of potential hackers. Also, Anonymous and various similar groups do stuff like this sometimes. (FWIW, I’d bet a lot of money that this wasn’t them based on the way that this guy behaved.)

      But, mostly, this stuff was common in the past, is common now, and will remain common in the future. Implementing proper security is hard. Breaking improperly implemented security is easy; lots of people find it to be incredibly interesting; and it can be very profitable. So, it’s quite natural that it’s going to happen a bunch.

  12. Thanks for this info. And, kudos to the person at 2+2 who decided to send out the emails a couple weeks ago telling everyone to change their passwords. If I hadn’t changed to a unique password I’d be a lot more worried today.

    I haven’t really thought this through, but I’m concerned about the possibility of the 2+2 hacker also having access to the Ultimate Bet/Absolute information that was breached and temporarily posted last year. Do you think ex-UB customers are more compromised by the 2+2 hack or am I just being paranoid?

    • Noah Stephens-Davidowitz

      No. That information’s no longer online.

    • I disagree with this, I was using a password for sites I didn’t care if someone logged into. This email then forced me to change to something more secure.

    • Noah Stephens-Davidowitz

      Nobody forced you to do anything. It’s fine to use insecure passwords for stuff that you don’t care about. But, obviously, it’s easy to think you don’t care about something before it gets hacked.

    • Yes, the website forced me to change my password, and would not allow me to login if I didn’t

  13. Any guess as to the value of the information? With unlimited time to look at it and with knowledge of who is who…short time frame and some who is who…can’t imagine it is someone without any knowledge of the community (mentioning Anonymous seems silly to me).

    • Noah Stephens-Davidowitz

      I only mentioned Anonymous because they come to mind when talking about the general trends in attacks on websites. It seems safe to assume that the hacker knows the poker world.

      I’m not sure how much it’s worth. I’m inclined to guess that it’s actually pretty close to worthless because 2p2 itself is down, which gets rid of the obvious method of monetization, and the other potential methods all seem a bit difficult to me. But, it’s also not too hard to imagine scenarios in which it ends up being worth huge amounts, so I could probably be convinced that it’s actually worth like six figures. In short, I would place the value at somewhere between $100 and $1 million….

  14. You’ve mentioned KeyPass before. Do you use it? I’d really appreciate if you did a guide to setting up and using KeyPass, or directed users to an online resource.

    Thanks!

  15. Hi, thanks for the info.

    FYI, my email account registered with 2+2 has apparently been used for spam and was locked by my provider. So people should really change passwords ASAP.

    BTW, my email password was not changed, thank god.

    • Hey, I just realized I didn’t use the same password for 2p2 and my email account, so that was a false alarm. I think I triggered the locking by changing the password and then sending mail via Google Mail.

  16. Hi Noah, I have two questions.
    1) If you have separate passwords for every important account, then you must keep a separate file somewhere that stores them all (since obviously you can’t remember them all if they are strong passwords). This seems like a pretty bad system too, since a hacker with access to that file would be really bad. What is your solution?

    2) In the current situation, wouldn’t it be really hard for a hacker with just our 2+2 sn/email/pw to figure out our bank acct/credit card login information too?

    • Noah Stephens-Davidowitz

      Hi sam,
      I think that you’ll find it to be remarkably easy to remember all your passwords if you choose things that are memorable. For example, the following password is secure but not memorable: “f6;&15b1)1mA”. The following password is secure and memorable “Carla the frog’s pinstriped bikini didn’t quite match my suit.”

  17. This is a good learning lesson in keeping your software up to date. You’re running a forum that has 300,000 members. According to the Bing cache from yesterday, your vBulletin software was 3.8.7, which was cracked in Jan. vBulletin is already up to 4.0, although I’m sure it’s just a matter of time until that gets cracked.

    For all of those wondering if your password is cracked, here’s an easy way to tell. If you were using something that was pretty secure, just do a Google search on your password inside quotes “password” and you’ll see some cracking sites show up with your password.

  18. Any update Noah? Are they doing the upgrade as part of the fix?

  19. yo get this site back up so we can discuss how the greatest pitcher of all time is going to f up some yankee pussys

  20. I have heard the DOJ had hacked the 2+2 forum for being a large promoter of USA poker sites in the past is this true

  21. In the comment section of your other post you mention this:

    The hacker gave 2p2 an ultimatum. So, yes, he did show people what he was doing

    What do you mean with this? Would you mind sharing some of the information?

  22. blowjob mcghee

    I did it, and I’d do it again! I would’ve gotten away with it, if it wasn’t for you meddling kids! No but seriously, $100 says this is blackgerbil1’s revenge.

  23. md5, lol @ 2p2 as usual

    • Noah Stephens-Davidowitz

      Yeah. Sadly, it seems that A LOT of sites use md5 or sha to store passwords.

  24. To achieve #3, people may find it useful to search Google for their user names. A lot of people have user names unique enough that the only Google results will be their profiles on other forums.

  25. Here’s another idea. Don’t use the site anymore. I’ve been on 2plus2 since it started but this latest go round has made me believe that it’s best not to even bother with it anymore. Seriously. When they put out the word to change passwords a while back I used a unique password for that site. I should have quit then, I will now. It’s not like the folks running the site didn’t know that people were trying to hack their site. Yet it happened.

  26. 2+2 shows that their archives are still available. Unfortunately, when I just went to look at a few links from the archives, I was attacked by a Trojan virus. Thankfully my virus protection caught it.

    But, worth noting that people should probably avoid that too.

  27. ^^ Is this confirmed?

    Someone posted a link to a thread in the 2p2 archives yesterday on twitter. When I clicked the link an “authentication” box popped up wanting a username and password. Is that standard?

    • Not sure if it has happened to anyone else, but it 100% for sure happened to me.

      Category: Trojan

      Description: This program is dangerous and executes commands from an attacker.

      Recommended action: Remove this software immediately.

      Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

      Items:
      file:C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\187OGXQF\www1_imageigloo_com[1].htm
      file:C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5GW3VB18\www1_imageigloo_com[1].htm

      I took out my login name under Items, left everything else in there.

    • I can’t say for sure, but it *sounds* like it might be an image in a thread. That’s usually the cause of most virus warnings we get. Odd, though, that it hasn’t come up before. If anyone is able to grab a link of the page they’re on when this happens, it would be quite useful.

  28. Just to be clear, this is really inaccurate, right?

    “and encrypted passwords. He also indicated the ability to decrypt passwords.”

    The passwords are hashed, not encrypted… does 2p2 know the difference or is that true or am I wrong? You mentioned md5 (lol) a few times, but I just want to be sure…

    • Noah Stephens-Davidowitz

      2p2 knows the difference. Mat got it wrong in one of his e-mails, but 1) Mat’s not the tech guy and 2) it’s pretty standard to say “encrypted” instead of “hashed” (and probably instead of some other words as well, though I can’t think of an example right now) when talking to laypeople, so he might have done that intentionally. “Encrypted” has a simple technical definition that you and I know, but it also has a colloquial meaning that basically just means “obscured in some way by crypto nerds.”

      That bothers me a bit too, but at this point, I’m pretty used to it.

    • Hey Bobo (or Noah) any word on when the forums may be back? Also, where are people getting discussion/updates? And lastly: Can you comment on the archives asking for your name and password, is this something from the hacker or 2+2? Thanks

    • Noah Stephens-Davidowitz

      Hi D,
      I was on a radio show with Mason the other day, and he basically just said “We’re working on it.” I think they’re being super careful, and a timeline’s a bit difficult to give in a situation like this because, as I understand it, they’re looking through their code for any vulnerabilities right now–and it’s hard to predict what you’re gonna find before you find it.

      I assume that the archives thing is fine because I have no reason to believe that the hacker ever did anything but get a list of e-mails/passwords and log into some accounts with them. I don’t think he ever had the ability to add code to 2p2’s servers.

    • Thanks. It’s not so much that it bothers me, (well the md5 part kind of does), but I just wanted to make sure there wasn’t actually any encrypting (or more importantly ‘decrypting’) going on. I don’t hold it against anyone because I know I sound at least as ridiculous in areas where I don’t know anything. “So what kind of oil do you need?” “Uhhh I put the center stick to ‘D’ and it goes forward. Whatever kind of oil that needs.” Anyway, thanks again.

  29. Let’s hope it’s not going to be too much longer… twoplustwo withdrawal is setting in! 😀

    Juk :)

  30. I hope that after relaunch 2+2 will force everybody (for example on first login) to change their passwords since some of the people are really careless 😉

    • Noah Stephens-Davidowitz

      I’m sure they will. Some of the changes that they need to make actually don’t give them a choice in the matter.

  31. I just clicked on 2p2 and the forum came up for a second, then I got redirected to the outage page. Hopefully they are getting close. :)

  32. I’m here for the lol 2p2

  33. Can someone summarize what was said on the podcast?

    • I have been mildly curious about how twoplustwo is handling this. They have a statement on their website that May 12 is a conservative estimate of when the site will be back up.

      I find it interesting that they’ve moved the date back several times. From my experience this indicates they had more security issues than they realized and/or they didn’t understand what it would take to rectify their security issues. I’m guessing this is turning out to be an expensive undertaking as well.

  34. I always use different passwords for every site. I have Firefox store all the passwords for me.

    • Noah Stephens-Davidowitz

      Just so you know, Firefox stores those in plain text. You can go to Settings -> Security -> Stored passwords to see a list of your passwords. Anyone with access to your computer can do the same, and someone could trivially write a Trojan to read that file and send back the information. Depending on your specific situation, this might be a big problem or no problem at all.