Does this latest hash list hacking have anyone else worried? Does anyone know how they work?

[jefferey]

Does this latest hash list hacking have anyone else worried? For those of you that don't know what I'm talking about, a hash list was released on [removed] that included peoples' usernames, passwords, pin, email, and birthday, and word got out and spread to the premium Neopets message boards.


I was told that this list could have been acquired by directly hacking into the neopets server. Because TNT refuses to use hashed passwords, anyone that has access to the database can see what our passwords are. The industry standard is to have passwords with a one-way encryption so that even if someone were to gain access to their servers, they would just see a bunch of mumbo jumbo where the passwords are stored. I was told that Neopets does not do this, and it makes sense because they tell you what your own password is when you request it. Out of the millions of websites out there, I don't know any other websites that tell you what your current password is, they only let you reset it if you have forgotten it. But neopets tells you directly what it is, which I always thought was a big security threat.

At any rate, does anyone know if we are safe from these hash lists, or how they work? I don't feel too safe with my account at the moment and would feel better if someone knew how these were obtained (if it was from hacking neopets.com or if people were just careless with their passwords or what..)




UPDATE: I was reading the hacking forums for some safety tips and came across a guide that "teaches how to protect yourself from fellow hackers." I thought I'd share it, since this information is especially useful. I only picked out the information that might not have been very obvious.


Credit goes to Sneakz on [removed].

Pick a VERY random password, one with a random combo of letters (both lower case and upper case), numbers, and symbols.
This may sounds very obvious, because most sites recommend this upon signup. [/size]
This is important mainly because of hash lists. If you have ever purchased a hash list, you have likely come across hashes that you cannot find in an online database. This is because they have not been decoded yet. The more unique your password is, the less likely it is that it will be easily cracked if you happen to end up on a hash list.[/size]
Do not even use a real word or name. Make it completely random. Like this: aer38yr&*3r [/size]
Keep it somewhere safe so you don't forget it.[/size]

Change your pin often
Let's say someone was able to get your password and you haven't had the chance to change it in a while. If your account is pinned, it is very likely that the hacker is working on cracking your pin. If he is doing it himself and he is not Demo, it will probably take him a while and he has probably been trying different combos. Keep changing your pin, this will throw them off. If the hacker paid Demo or another pin-cracking pro to crack it, you probably won't realize until it's too late.[/size]

Pin your email change
MAKE SURE IT IS PINNED. It may sound like a no brainer, but it's really surprising how many active players with millions do not think to pin their email change option, or they assume it's already pinned. You have to go to the pin preferences page and check the box. It is not automatically pinned for you. Double check this.[/size]

Use fake answers for secret questions
Go to your email account, find your account preferences, and review your password recovery options. If you are using secret questions, don't use questions like "What is my birthday?" or "What is my best friend's name?" These kinds of questions can be answered by doing a simple Google search. It is not uncommon for a hacker to look you up to find answers to your secret questions. It is extremely easy to find answers to these kinds of questions simply by finding your Facebook account.[/size]
My best suggestion is to use fake answers and write them down somewhere or keep them safe so you remember. That way other people won't be able to find these answers by stalking you.[/size]

Use a secondary email
Another option in addition to using secret questions is to use the secondary email feature that many email providers offer. Use a secondary email (WHICH HAS A DIFFERENT PASSWORD, REMEMBER?) to which you can email a reset link in the event you forget your password. Using this combined with the secret questions gives you max security for your email.[/size]

Don't sign up for other sites using the same email. << This one is especially important
Again, because of the possibility of ending up on a hash list, avoid signing up for other sites with your Neopets email. The best way to keep your Neopets account safe is to keep your email completely unknown, that way other people can't even ATTEMPT to get into it because they don't know what it is. Leave a false trail.[/size]



This post has been edited by a member of staff (hrtbrk) because of a violation of the forum rules.
Do not mention potentially dangerous sites. These have been removed.
Please check your user inbox to see if you have been contacted regarding this incident, then review our rules.

[hrtbrk]

Yes, it's allegedly true. TNT has been working hard returning accounts and reversing trades. If you see something that is being traded - either items or Neopets - that looks too good to be true, it probably is.

 

Remember that TDN offers a random password generator (here) and password security articles (here)

 

No one knows how this information is obtained but just play it safe by changing your passwords on a regular basis (as you should be doing anyway).

 

You shouldn't be worried to play or go on your account if you have changed your passwords :)

[Envy]

Pretty crazy. One of my side accounts was stolen like a month ago out of the blue.. I was able to recover it (only after contacting support though) but it really freaked me out. I have nothing of value on it, just a side for another lab map but in over 10 years I have never once had my accounts compromised.

[Viridian]

One of my side accounts was taken that way over a year ago... So yeah, it's definitely something to worry about. I think however that they can only get your account and password. The birthday they will get from yet something else (but it won't be necessary if they getthe password right at once). The pin, they will have to use the reset pin option which takes a couple of days, I believe. So long you got everything PIN protected you should be good.

[Envy]

Something I discovered, that I did not know about, is having it prompt you for your birthday whenever you login from an unknown device (found under preferences). So if in fact the birthday isn't being made available to these people it's one more thing in their way.

[hanashalash]

This is scary :/

I hope everyone's password stays safe :3

[siniri]

Is there somewhere (safe) so you can find out if you're on the list and need to worry? I hate the fact that Neopets seems to make my e-mail account more vulnerable. It's stupid that anyone would want to hack my e-mail account just to get access to a game.

 

TNT should really upgrade to the 21st century with its security already. A friend who has an account from early 2000 had hers stolen in the last big batch of account stealings. In that case, people suspected that passwords were stolen en route to and from the Neopets server (because TNT doesn't encrypt passwords even when they're being transmitted). Thankfully, TNT responded quickly, freezing it for her protection, and then restored everything she could remember that was lost (I wouldn't even know what I had of any value, but she keeps a SDB and gallery database in Excel). She did lose out on attached petpetpets, I think, and of course the ages of her petpets (she would have been pretty high on the list for the PPL) -- and they sold all her stocks, mostly at a loss, which TNT only could restore as the NP gained, not as stocks (so that was ~7M loss right there). (Yes, she had a PIN, and yes, she had the PIN requirement on her e-mail and her password change, and no, they did not get into her e-mail but still got her PIN. She worked for 10+ years in IT, protecting computers for a living. And still got hacked.)

 

One thing she recommends: If you know you've typed your password correctly, instead of requesting TNT send your password, send a bug report asking that the account be frozen. Because they'd already changed the e-mail address, the hacker was given the notice and knew that her account would be frozen soon, as soon as the user didn't get the e-mail, reported it, and TNT could act. So they immediately started clearing out her shop, gallery, etc., and she watched in despair from her side, until TNT finally got to her ticket (which they did within 2 hours, on a Saturday, but extensive damage was already done). And then after her account was frozen, it took 2-3 months for TNT to return it to her, and she had to jump through a lot of hoops to prove she was the owner (NC codes, grundo warehouse codes, etc.).

[Crystalline]

Geez, all these stories are terrifying. I had no idea Neopets still used such an outdated security system, but the explanations listed here seem to make sense. Thankfully I haven't been hacked before, but I suppose this is more incentive to continue my routine of regularly changing my password and PIN.

[andaraen]

Yes, it's allegedly true. TNT has been working hard returning accounts and reversing trades. If you see something that is being traded - either items or Neopets - that looks too good to be true, it probably is.

 

Remember that TDN offers a random password generator (here) and password security articles (here)

 

No one knows how this information is obtained but just play it safe by changing your passwords on a regular basis (as you should be doing anyway).

 

You shouldn't be worried to play or go on your account if you have changed your passwords :)

I thought I'd add my own method of generating passwords that can be fairly easy to remember and can be found easily if lost without the need to write it down or save it on a computer.

 

First, find and choose a book that you own. Open it to a random page and point to a random sentence. Make a note of what page and sentence number you chose. You can write the two numbers down or store it somewhere without fear that someone could steal it and use it. Then, take the first letter of every word and put them together to form the password. If you want symbols and numbers, simply add the punctuation from the sentence you chose and add your lucky number or some other number you really like and can remember easily.

 

For example, let's say I was trying to generate a password using my own post.

I'll use the sentence.

 

Make a note of what page and sentence number you chose.

Let's pretend it's on page 74 since it's not from a book. :P Which means I can add the name of the site I'm using this password for to my list of "passwords" with the numbers 74 and 4. If I ever forget my password, I can glance at that list and rediscover my password quickly and easily.

The password itself would be Manowpasnyc.13.

 

I hope you guys find this helpful. :)