Monday, 29 August 2016

Tens of Thousands of Infowars Accounts Hacked

Tens of thousands of subscriber accounts for media company Infowars are being traded in the digital underground.

Infowars, created by famed radio host and conspiracy theorist Alex Jones, produces radio, documentaries and written pieces. The dumped data relates to Prison Planet TV, which gives paying subscribers access to a variety of Infowars content. The data includes email addresses, usernames, and poorly hashed passwords.

The administrator of breach notification site Databases.Land provided a copy of 100,223 records to Motherboard for verification purposes. Vigilante.PW, another breach notification service, also has the Infowars dump listed on its site, and says the data comes from 2014. However, every record appears to have been included twice in the data, making the actual number of user accounts closer to 50,000.

Motherboard tested 20 random email addresses and their corresponding usernames on the signup page for Prison Planet TV. Of those, 19 were already linked to accounts on the site, and although one email address wasn't registered, its username was.

At the time of writing, two victims in the dump reached by Motherboard confirmed that they had signed up to Infowars/PrisonPlanet.

Infowars did not immediately respond to a request for comment.

The passwords are hashed with the notoriously weak MD5 algorithm, meaning they should be trivial for hackers to crack. Indeed, Motherboard successfully obtained the actual password for a number of users with a free online service.
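Seen from the defending side, the fix for unsalted MD5 is a salted, deliberately slow hash, with old rows upgraded the next time each user logs in. The sketch below is an added example, not code from the article or from the affected site; the function names, the storage format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_md5(password: str) -> str:
    """The weak scheme the article describes: one fast, unsalted MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iterations$salt$digest'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> tuple[bool, bool]:
    """Return (matches, needs_rehash) for either storage format."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
        return ok, ok and int(iters) < ITERATIONS
    # Legacy row: a bare 32-character MD5 hex digest with no salt.
    ok = hmac.compare_digest(legacy_md5(password), stored.lower())
    return ok, ok  # any legacy row that verifies should be re-hashed


def login(users: dict[str, str], name: str, password: str) -> bool:
    """Check a login and upgrade the stored hash when the scheme is outdated."""
    stored = users.get(name)
    if stored is None:
        return False
    ok, needs_rehash = verify_password(password, stored)
    if needs_rehash:
        users[name] = hash_password(password)  # replace the MD5 row in place
    return ok
```

Because the legacy scheme has no salt, two users with the same password get the same stored value, which is what lets a precomputed lookup resolve it; the per-user salt removes that property.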

The user accounts are in a SQL format file, implying that the data may have been obtained via SQL injection, an ancient and yet often still effective type of web attack. (However, exactly how the data was stolen from the site is not confirmed.)

The lesson: Users can never really be sure how a website is going to store their passwords. Instead of gambling, and just hoping that they've been hashed appropriately, users should make sure to sign up to different services with unique passwords. That way, when one site is hacked and its hashes cracked, the damage will be largely limited to that one site.

Another day, another hack.


