03-16-2018, 12:44 AM | #1 |
Bucketbot
Join Date: Jan 2016
Location: ATX
Posts: 1,402
While checking the background on someone I am doing a deal with for toys, I found the email of the person I am doing the deal with in what is purported to be a Yo Joe database. I found their email address, along with at least one other GI Joe fan I personally know, in the database. Going through my PayPal list of email addresses, I find other people I have done deals with on this list.
I strongly considered reporting directly to Yo Joe and holding off providing this information to the general Joe community. The reason I am sharing this information publicly is that it is already publicly available, by simply doing a Google search for the email address of someone who is part of this breach. It is freely available in at least one location online, and I found it for sale on at least one more. I spoke with someone in IT at my office, and they recommended everyone change their passwords. Someone who is familiar with IT and databases could likely give a full explanation of the risk involved here. I am in no way an expert on computer security, but changing your own password is an obvious choice. This data was apparently stolen on 4/13/17. This data can be found at [Removed by Staff: Thanks for the information, let's not help it spread.] At the bottom of the list is a file titled "yojoe.com-vb-2017.txt". Please change your password. Please be very careful and watch out for phishing schemes.
03-16-2018, 01:10 AM | #2 |
Iron Grenadier
Join Date: Jan 2009
Location: SF Bay Area
Posts: 821
Thank you for the heads-up! I found my username, email and what I'm assuming is my password in some hash value (I think).
__________________
Feedback: http://www.hisstank.com/forum/buy-se...-niknak96.html
03-16-2018, 02:23 AM | #3 |
Crimson Guard
Join Date: Jul 2008
Location: WV
Posts: 3,155
Thanks for alerting everyone. I haven't posted on YoJoe's forums in a long time. I don't even remember my user name; I've been going through my old e-mail addresses to see which one I used for it.
No luck yet finding which e-mail I used. Edit: Well, I guess now I know why I've been getting so much junk mail the past year when I hadn't been getting any. Thanks again for letting everyone know. Last edited by Trigue; 03-16-2018 at 02:27 AM.
03-16-2018, 08:34 AM | #4 |
Crimson Guard
Join Date: Jul 2009
Location: Illinois
Posts: 4,185
Thank you for this warning and for looking out for the community.
03-16-2018, 09:06 AM | #5 |
A Makeupless Clown
Join Date: Sep 2015
Location: Ohio
Posts: 5,271
Giddyup!
__________________
Torso Adapters and Alternate Neck Pegs for MTF and BFS Figures | Reproduction Vehicle Parts | 3d-Printed Parts Gallery | My BST Thread | My Feedback Thread | My Shapeways 3d Print Shop (1/18 scale creations)
03-16-2018, 09:41 AM | #6 |
Cyber Warfare Specialist
Join Date: Jul 2015
Location: Somewhere
Posts: 3,661
I'd recommend changing your password regardless, anywhere you use that email address and password combo, just for peace of mind. It would be nice for YoJoe.com to make an announcement on this at some point. They may not have been aware. The way hushed found this is the way most breaches are detected, unfortunately: after the fact and when the info is already on the web. Free piece of advice: the password for your email account should be long and strong and never reused. Set up two-factor authentication as well if you can (Gmail supports it and so do others). Once bad guys have control of your email, they can reset the password for any site you do business with. Scary when it comes to banking, payment sites, medical, financial, etc.
03-16-2018, 10:11 AM | #7 |
A Makeupless Clown
Join Date: Sep 2015
Location: Ohio
Posts: 5,271
Quote:
They are MD5 hash representations of your passwords for sure. I'm hoping the three characters preceding the semi-colon are hash salts. If they are indeed hash salts, it makes it much more difficult for anyone to derive the passwords from the hashes. If anyone cares to know why salted hashes make a huge difference, reply back and I'll explain further.
I'd recommend changing your password regardless, anywhere you use that email address and password combo, just for peace of mind. It would be nice for YoJoe.com to make an announcement on this at some point. They may not have been aware. The way hushed found this is the way most breaches are detected, unfortunately: after the fact and when the info is already on the web. Free piece of advice: the password for your email account should be long and strong and never reused. Set up two-factor authentication as well if you can (Gmail supports it and so do others). Once bad guys have control of your email, they can reset the password for any site you do business with. Scary when it comes to banking, payment sites, medical, financial, etc.

On all of the rest, I 100% agree. If any of you tend to use the same email/username and password for other places, this breach compromises those accounts as well, since cyber criminals will blindly try that combination - in an automated fashion - in a LOT of different places. Again, it's just a matter of time on that. They don't actually want your YoJoe account, they want your email account, bank account, and so on. The odds are that at least some people in that database are using the same credentials elsewhere, and that's where the money is for the criminals who want this data. They aren't interested in starting flame wars in your name or anything. They want to steal actual wealth from you, however possible. They'll buy stuff on Amazon with your account and ship it to themselves, or they will do bank transfers to themselves, or whatever they can possibly get at. So, yeah, change the HELL out of your passwords anywhere that you use that email address (or username) and password. People will be trying to penetrate your accounts everywhere with that info.
__________________
Torso Adapters and Alternate Neck Pegs for MTF and BFS Figures | Reproduction Vehicle Parts | 3d-Printed Parts Gallery | My BST Thread | My Feedback Thread | My Shapeways 3d Print Shop (1/18 scale creations) Last edited by Zap Rowsdower; 03-16-2018 at 10:18 AM.
03-16-2018, 10:16 AM | #8 |
Hisstank.Com General
Join Date: Feb 2009
Location: Georgia
Posts: 14,837
So if I have a UN and PW for an account on YoJoe.com that is tied to an email, you're saying I should change my email PW?
If I have never created an account on yojoe.com, then I should be OK right?
__________________
Feedback Thread: http://www.hisstank.com/forum/buy-se...-feedback.html | B/T Thread: http://www.hisstank.com/forum/g-i-jo...-b-t-list.html
03-16-2018, 10:31 AM | #9 |
A Makeupless Clown
Join Date: Sep 2015
Location: Ohio
Posts: 5,271
But for those who DO have a YoJoe account, if you use that same password anywhere then that is the key. They have your email address already (hence the spam that was mentioned, though that more likely comes from web crawlers than from people who want to break your password), and they have your username as well. Once they manage to reveal your password they will go to any number of places trying that username/password combination and that email/password combination looking for an active account for you in those places. They will also almost certainly attempt to log in to that email account with the very same password (that would absolutely be the first thing I would try if I were them), and if they get in there they will change the password to one of their choosing and then do account recovery attempts all over the place with just that email address in an effort to steal control of bank logins, eBay, Amazon, or whatever else they can use to get money and/or products into their hands. God help you if they get control of your email address this way. I'd start there with an all-new password and then fan out to banking (PayPal included) and shopping accounts next.
__________________
Torso Adapters and Alternate Neck Pegs for MTF and BFS Figures | Reproduction Vehicle Parts | 3d-Printed Parts Gallery | My BST Thread | My Feedback Thread | My Shapeways 3d Print Shop (1/18 scale creations) Last edited by Zap Rowsdower; 03-16-2018 at 10:34 AM.
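The automated credential-reuse attempts described in this post and in #7 look, from the receiving site's side, like one source address failing logins against many different accounts in a short window, sometimes followed by a success. The following is an added example, written from the defender's side and not code from this thread or from YoJoe.com or vBulletin, that flags such sources in a constructed authentication log. The log format, field names and addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.5 tries one
# guess against each of many accounts and hits once; 198.51.100.7 is a
# forgetful user retrying a single account.
SAMPLE_LOG = """\
2018-03-16T10:00:01 src=203.0.113.5 user=alice result=FAIL
2018-03-16T10:00:02 src=203.0.113.5 user=bob result=FAIL
2018-03-16T10:00:02 src=203.0.113.5 user=carol result=FAIL
2018-03-16T10:00:03 src=203.0.113.5 user=dave result=FAIL
2018-03-16T10:00:04 src=203.0.113.5 user=erin result=FAIL
2018-03-16T10:00:05 src=203.0.113.5 user=frank result=SUCCESS
2018-03-16T10:00:06 src=203.0.113.5 user=grace result=FAIL
2018-03-16T10:02:00 src=198.51.100.7 user=dave result=FAIL
2018-03-16T10:02:10 src=198.51.100.7 user=dave result=FAIL
2018-03-16T10:02:30 src=198.51.100.7 user=dave result=FAIL
2018-03-16T10:02:45 src=198.51.100.7 user=dave result=SUCCESS
"""

# Assumed line layout: ISO timestamp, then space-separated key=value fields.
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_line(line):
    """Return (timestamp, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return datetime.fromisoformat(ts), src, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag sources whose FAIL events span >= min_distinct_users distinct
    accounts inside any sliding window; list any SUCCESS from that source
    after its spray started, since that is the account most likely taken over."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            events[parsed[1]].append(parsed)

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        fails = [(ts, user) for ts, _, user, res in evs if res == "FAIL"]
        peak = 0
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            peak = max(peak, len(users))
        if peak >= min_distinct_users:
            first_fail = fails[0][0]
            successes = [user for ts, _, user, res in evs
                         if res == "SUCCESS" and ts >= first_fail]
            findings[src] = {"distinct_users": peak, "successes_after_spray": successes}
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} accounts tried, "
              f"successes: {info['successes_after_spray']}")
```

The threshold is on distinct accounts per source rather than on raw failure count, so a single user who mistypes a password a few times is not flagged while a one-guess-per-account spray is; a success from a flagged source is the signal to force a reset on that account.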
03-16-2018, 11:53 AM | #10 |
Cyber Warfare Specialist
Join Date: Jul 2015
Location: Somewhere
Posts: 3,661
Quote:
There is only one thing you say here that I disagree with. With the salts provided right alongside the hashes, and with vBulletin hashing techniques being public knowledge, all it takes is a slightly expanded version of the same process used to crack unsalted hashes. People just plug the data into a program and let it run, attempting to guess at every combination of ASCII characters possible from a min to max character count and then salting it in an array of ways (but a finite and in this case KNOWN set of ways), calculating the hash of the result, and comparing it to the table of hashed passwords they have. Matches are recorded, and that along with your email address and/or username compromises the account. In a case like this where salting methods are known, it literally is just a matter of time before pretty much every password on that list is figured out.
On all of the rest, I 100% agree. If any of you tend to use the same email/username and password for other places, this breach compromises those accounts as well, since cyber criminals will blindly try that combination - in an automated fashion - in a LOT of different places. Again, it's just a matter of time on that. They don't actually want your YoJoe account, they want your email account, bank account, and so on. The odds are that at least some people in that database are using the same credentials elsewhere, and that's where the money is for the criminals who want this data. They aren't interested in starting flame wars in your name or anything. They want to steal actual wealth from you, however possible. They'll buy stuff on Amazon with your account and ship it to themselves, or they will do bank transfers to themselves, or whatever they can possibly get at. So, yeah, change the HELL out of your passwords anywhere that you use that email address (or username) and password. People will be trying to penetrate your accounts everywhere with that info.

Again, I did still recommend changing your password anywhere your YoJoe password may have been reused, because you never know and methods get better all the time. And this data will be out there forever.
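Posts #7 and #10 turn on what a per-user salt does and does not buy. The following added example, not code from this thread and not vBulletin's own source, models the legacy vBulletin scheme both posters are describing, md5(md5(password) + salt) with a short salt stored next to the hash, and contrasts it with PBKDF2-HMAC-SHA256 as a site operator would use today. It is an assumption of the example that the leaked records follow that scheme; every password, salt and record layout below is constructed for the demonstration. It shows both points at once: two users with the same password get different hashes (so one precomputed table cannot serve every user, #7's point), yet checking a single guess against a legacy record costs only two MD5 calls, whereas a PBKDF2 check costs hundreds of thousands of HMAC rounds, which is what makes #10's "just a matter of time" short for MD5 and long for a proper work-factor hash.

```python
import hashlib
import hmac
import os
import time

# Added example modelling the legacy vBulletin 3 layout the thread describes.
# Assumption: stored value is md5(md5(password) + salt) with a short per-user salt.
# No real YoJoe data is used; all passwords and salts here are constructed.


def vb_legacy_hash(password, salt):
    """Legacy vBulletin-style hash: MD5 of (MD5 hex digest of password + salt)."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def vb_legacy_record(password, salt):
    """Record layout assumed for the example: '<32-hex-hash>:<salt>'."""
    return f"{vb_legacy_hash(password, salt)}:{salt}"


def vb_legacy_verify(password, record):
    stored, salt = record.split(":", 1)
    return hmac.compare_digest(vb_legacy_hash(password, salt), stored)


def salt_defeats_shared_table(password, salt_a, salt_b):
    """Same password, different salts -> different hashes, so a table computed
    once cannot be reused across users (what the salt does buy)."""
    return vb_legacy_hash(password, salt_a) != vb_legacy_hash(password, salt_b)


PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def pbkdf2_record(password, salt=None):
    """Modern record: algorithm, iteration count, random 16-byte salt, derived key."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, record):
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password, legacy_record):
    """Migration path for a site still holding legacy hashes: when a login
    verifies against the old record, replace it with a PBKDF2 record.
    Returns None when the password is wrong."""
    if not vb_legacy_verify(password, legacy_record):
        return None
    return pbkdf2_record(password)


def cost_per_guess_ratio(password="correct horse", salt="ab1", legacy_trials=2000):
    """How many times more expensive one PBKDF2 check is than one legacy check;
    a known salt only removes the precomputation shortcut, not this per-guess cost."""
    legacy = vb_legacy_record(password, salt)
    t0 = time.perf_counter()
    for _ in range(legacy_trials):
        vb_legacy_verify(password, legacy)
    legacy_each = (time.perf_counter() - t0) / legacy_trials

    modern = pbkdf2_record(password)
    t0 = time.perf_counter()
    pbkdf2_verify(password, modern)
    modern_each = time.perf_counter() - t0
    return modern_each / legacy_each


if __name__ == "__main__":
    print("same password, salts ab1/ab2 differ:",
          salt_defeats_shared_table("correct horse", "ab1", "ab2"))
    print(f"one PBKDF2 check ~ {cost_per_guess_ratio():,.0f} legacy checks")
```

The ratio printed at the end is the whole argument in one number: the salt forces an attacker to attack each record separately, and a slow KDF makes each of those separate attempts expensive; MD5 with a salt gives only the first of the two.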