Database Leaks FAQ

Tutorials and guides for Plazma Burst and community features.

Post by ZapruderFilm » 27 September 2016, 16:30

For my second 'tutorial' of sorts, this is going to be more of an awareness check on the phenomenon of database leaks. I am sure the majority of you have heard them mentioned, but more than likely don't know the risks of database leaks, how databases store your information, and other such things. This topic will be going over all of this.

What is a database leak?

All website data is stored in MySQL databases. These are like huge tables of information, recording IP addresses, times, passwords, usernames, posts, everything like that. This forum runs on a MySQL database. Almost every website utilizes them.

A database breach is when the database leaks, whether this be through MySQL injection, Social Engineering, or simply hacking or bruteforcing the administrator's account that has access to the database, and is posted online or given to people with a malicious intent.


All the information in the spoiler is something you could know, and could be useful and interesting knowledge, but isn't necessary to get my point across. Read if you would like!
Spoiler:
So if I register on a website, and the database leaks, people get my password?

Even though this isn't a FAQ, I put this here to draw attention to something. Most databases do not actually store passwords. They store hashes of passwords.

Alright I guess.. What's a hash? Relevance?

A hash is basically an encrypted password. But it doesn't just work like that. When a password is hashed, it produces this very long complicated string of characters and numbers, depending on the hashing algorithm.

Does PlazmaBurst 2 Hash my password?

I believe they do, they store your password in an MD5 hashing algorithm (I think, I am not 100% sure, but I am pretty confident.) This is actually an older hashing algorithm and isn't seen as the most secure one, but for PB2 purposes, it does just fine!

If a password is hashed, couldn't it just be reverse engineered and the password be pulled from it?

Hashes are actually a one-way encryption, and can't be decrypted. It would be like mixing a whole bunch of atoms together to create a chemical, then trying to undo it. It just can't be done.

So.. My password is safe if it is leaked in a database breach, and it is hashed?

No, and let me explain why. Just like a chemical mix, just because it can't be undone and reverse engineered doesn't mean that it can't be replicated. And because, with the more complex hashing algorithms, each password hash product is completely unique, if they hash a string of letters and the hash they get from it is the exact same hash as a different hash, then they know the same string of letters was used to create that hash.

This is actually how a website verifies that the password you typed to log in is the same password you registered under.


Examples/Analogies to gain a better understanding.

Your cousin bakes a cake. You love the cake so much, you want to replicate it, but he refuses to tell you his recipe. So you continue to test ingredients until you make the same exact cake, thus cracking his recipe.

Replace the cake with a hash, recipe with password, and ingredients with random passwords.

Let's create a hypothetical hashing algorithm on our own, so you can better understand how it works.
Let's say I want my password to be 123456.
In our imaginary hashing algorithm, our hash will just be all the numbers of the string added together.
So when we hash '123456', our product will be 21.
So when I go to type my password of '123456' into the website, it adds them all together, and if it equals 21, it lets me log in to my account.

Of course, a real hash is much more complicated, and looks something like this:
5a67ba9861a2dfd61f9c0d323ae232b13fafddaa29e9bf5421d6917caaf11f17
<-- Props if you can figure out what this hash is of. (Hint: SHA256)


Alright, so what is the risk if I am compromised in such a breach?

Anyone who has that database can and will try to steal accounts on other websites. The majority of people use the same password across multiple websites, and these hackers realize this. They will test your password on other websites such as PayPal, Netflix, Hulu, etc., and sell or steal from your accounts, or simply highjack them as their own.

How can I check to see if I have been compromised in a breach?

There's no surefire way to know if you haven't been compromised. Many people register on a lot of low-profile websites, and when their databases leak, they don't notify their customers or anyone else of the compromise. However, we can check if we have been compromised in known database leaks through the website http://haveibeenpwned.com/. If we go here and insert usernames and emails, it will search database breaches and tell us which ones we have been compromised in.

Are there any breaches you think I should know about?

There's only one database breach that directly relates to the PB2 community at this time. This is the Xat database breach. In October 2015, the Xat owner was social engineered and eventually accidentally gave database access to a malicious hacker. He dumped it, and now somewhere on the internet, the Xat database is floating around. This means your Xat account username, password, IP address, and other information is in hackers' hands.
Spoiler:
Btw, if anyone has this database, HMU, I trade linkedin and myspace for it :)


What's the best way to protect myself from these risks?

Pretty simple: I would recommend using a Password Manager, and having a new password on every account you use. Additionally, I recommend using 2 Factor Authorization on every website that offers it. Google Authy is the app for that. Me personally, I randomly generate every one of my passwords, and save them in a password manager called LastPass. It is very high quality and I would recommend it to everyone.

Are there any additional threats that can come from database breaches?

There are. Through breaches, people will jack your accounts and impersonate you. But if you stay safe, you still are at risk. If your address leaks in a database leak, people will send you pizzas and harass you any way they can, and it can even lead to swatting. This is why I recommend never entering your actual address on the web.

Is every website vulnerable to a leak?

I would say so. Even this forum, even though it is separate from the PlazmaBurst2 website, relies on phpBB, and usually once or twice a year a vulnerability in these forums is leaked. Should one come out for this forum, hackers could potentially acquire access to the entire PB2 website databases, because this forum and the PB2 database appear to be linked somehow.

I'll have to let this tutorial churn in my mind a bit. There's definitely more to be said about the topic, but I'm not sure what's necessary to bring to the table.
Last edited by ZapruderFilm on 27 September 2016, 16:39, edited 1 time in total.

ZapruderFilm
Android T-01187 [200]
 
Posts: 238
Joined: 26 August 2016, 21:00
Location: USA
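
The hash comparison described in the first post, as an added example that is not part of the original thread: the post's digit-sum toy hash, an unsalted SHA-256 digest, and a salted PBKDF2 record with a login check. The per-user salt, the choice of PBKDF2, the iteration count and all function names are assumptions of this example, not how PB2 or this forum stores passwords.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example


def toy_hash(password: str) -> int:
    """The post's imaginary hash: add up the digits of the password."""
    return sum(int(ch) for ch in password if ch.isdigit())


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted digest: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """What a site would store: a random per-user salt and a slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Login check: re-hash the typed password with the stored salt."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison so timing does not reveal matching bytes.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    alice, bob = make_record("123456"), make_record("123456")
    # The toy hash maps many different passwords to the same value.
    print("toy hashes:", toy_hash("123456"), toy_hash("654321"))
    # Unsalted: one leaked hash exposes every account sharing that password.
    print("unsalted equal:", unsalted_sha256("123456") == unsalted_sha256("123456"))
    # Salted: the same password yields a different stored hash per account.
    print("salted equal:", alice["hash"] == bob["hash"])
    print("right password:", verify("123456", alice))
    print("wrong password:", verify("123457", alice))
```
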

Re: Database Leaks FAQ

Post by ZapruderFilm » 27 September 2016, 16:31

Reserving this post for future thread updates-Mods pls no delete post

ZapruderFilm
Android T-01187 [200]
 
Posts: 238
Joined: 26 August 2016, 21:00
Location: USA

Re: Database Leaks FAQ

Post by supertramp » 28 September 2016, 08:31

Omg new thread
I found hidden messages

Spoiler:
http://prntscr.com/cn917z
http://prntscr.com/cn95zj
http://prntscr.com/cn94cq

supertramp
Cyber Grub [25]
 
Posts: 48
Joined: 24 July 2013, 11:18

Re: Database Leaks FAQ

Post by GhostX5 » 28 September 2016, 10:14

Hm, good topic you have there. Now I know what's gonna happen to my acc.

Well, you spelled hijack wrong, it's not "highjack".
GhostX5
Civil Security Ghost [400]
 
Posts: 424
Joined: 26 July 2016, 07:15
Location: Moon

