List of Hacker.org members online

W1zard · Post by **W1zard** » Wed Mar 04, 2009 7:50 am

Hello everyone!
I just found a website on the internet where all members of Hacker.org are listed with their nickname and email address. It's freely accessible. No password or anything. So everyone can look at it.
You'll be able to find it if you google your email address.
W1zard

S3th · Post by **S3th** » Wed Mar 04, 2009 10:56 am

Whoa. Thats..fucking amazing.....
Dude.. Theres like 7301 members.. Who cares?

Yharaskrik · Post by **Yharaskrik** » Wed Mar 04, 2009 11:12 am

Hi!
Thanks W1zard.
As there are also md5 hashes of our passwords, perhaps it's a good idea to change them.

osterlaus · Post by **osterlaus** » Wed Mar 04, 2009 11:16 am

Hopefully have all the members not (!) taken the same PW on their mailservers...

W1zard · Post by **W1zard** » Wed Mar 04, 2009 11:53 am

Looks like some of the easier passwords have already been cracked. Especially at the top of the list. I wasn't sure what the stuff behind the md5 hash was until I checked it with an md5-generator.
So all passwords have to be changed!
The list seems also to have been noticed by others. I suddenly get a hell lot of spam mails. Up to now my address was relatively "secure" in that way. That's how I noticed the problem in the first place. So I started doing some research.
W1zard

osterlaus · Post by **osterlaus** » Wed Mar 04, 2009 12:18 pm

osterlaus wrote:Hopefully have all the members not (!) taken the same PW on their mailservers...

Well, this was no posting of mine - so someone already used my account...

S3th · Post by **S3th** » Wed Mar 04, 2009 1:25 pm

I googled my email address.
Found nothing.
My password is custom encrypted too.

m!nus · Post by **m!nus** » Wed Mar 04, 2009 1:45 pm

it's on milw0rm since febuary 27

efe · Post by **efe** » Wed Mar 04, 2009 2:18 pm

Thanks W1zard!

Luckily my password was strong enough, and it hasn't been cracked

Now it is even more secure.

The passwords have been cracked for 3139 users.
And I got out more passwords (>100) by searching the md5 on google.

m!nus · Post by **m!nus** » Wed Mar 04, 2009 2:46 pm

my 9 char password was strong enough aswell, yay for non-word-passwords, proof to dictionaries

hacker.org - prove your skill. k, another hacking challenge site not that different from any of the others except the name makes it fun

to fuck with. sooo if you are going to offer hacking challenges why not make sure your shit just a tad secure? sounds logical to me but maybe i'm

just throwed off a bit. tbh this isn't even worth a zine entry but hacker.org getting hacked is pure hilarity.

not nice, but well, the site was not proof enough.

so, to the admins: where was there a SQL injection possible, and more important: is it fixed?

fridolin · Post by **fridolin** » Wed Mar 04, 2009 3:27 pm

I'm wondering why my account doesn't show up in the list...

I could imagine the injection was made by phpBB as the defacement was visible on the main page and on the forum's main page.

plope0726 · Post by **plope0726** » Wed Mar 04, 2009 3:42 pm

Well a google search shows me nothing for my email address...Is there a link to this alleged page so that we can do some more research on it and possibly catch the perps??

plope0726 · Post by **plope0726** » Wed Mar 04, 2009 8:08 pm

The list on this page appears to be old since many users arent listed on it. It does'nt appear to be relevant to the most recent hijacking. Passwords should still be updated. (for email too if you happen to use the same password)

Zaffron · Post by **Zaffron** » Wed Mar 04, 2009 8:51 pm

Is this what the whole down for matinence thing was for?

gfoot · Post by **gfoot** » Wed Mar 04, 2009 8:57 pm

The newsletter is new. It's possible that the defacement wasn't part of the initial attack, given that this was published a week ago - plenty of chance for readers to put the information to use.

I noticed tails's username changed to Helios last Thursday or something, shortly before the attack, which is pretty pointless if your next step is to totally take the site down.