2+2 database has been breached?

01-08-2017 , 08:41 PM
Hackers must just breach all sites that are popular or it's a coincidence around this time of year, another forum I use for a gaming community was breached in the same way on Dec 26 (encrypted passes, emails, names, birthdates etc)

Also looking on leakedsource (.com) I found that my stuff had been leaked on probably 5+ forums over the last ~6 years, most of them being without sites even knowing or noticing users. Good idea in this day and age to use diff passwords for every site / login you use + make it random and have it written down to copy/paste instead of anything simple
01-08-2017 , 09:02 PM
Fail to see the grand importance of it all
01-08-2017 , 09:30 PM
Quote:
Originally Posted by blitzT4M4Y0theGOAT
Fail to see the grand importance of it all

Even a similar password that is somewhat different for every website you have ever signed up for, they can put those certain parameters into a password cracker (loft). Say you use a password unique by using some extra characters, now they can look over your old pass and tell it to make sure to include characters used to try on another account you may have. It's truly hard for most to have actually unique passwords for most sites and most at best use some type of variation, and when you know what you are looking for that is dangerous . . . .

And that's just the start . . .

Last edited by D1G1TALFOX; 01-08-2017 at 09:43 PM.
01-08-2017 , 09:58 PM
My details are showing on https://www.leakedsource.com/ as well.

This site is not using encryption when changing passwords or altering personal details:
http://forumserver.twoplustwo.com/pr...o=editpassword

It should say https. This is bad practice and insecure.

As a general precaution I would recommend removing personal details eg birthday, country details from any account where possible. It is possible to remove these on 2+2
01-08-2017 , 10:19 PM
I'm gonna buy the database just to see what kind of private messages jungleman has sent to durrrr
01-08-2017 , 11:03 PM
Can 2+2 delete all the birthday info from the forum database and remove that feature from allowing people to enter it. It makes social engineering and targeted attacks a little easier. It'd be better to not store it, and it doesn't really serve too much purpose.
01-08-2017 , 11:07 PM
Quote:
Originally Posted by Ten5x
Can 2+2 delete all the birthday info from the forum database and remove that feature from allowing people to enter it. It makes social engineering and targeted attacks a little easier. It'd be better to not store it, and it doesn't really serve too much purpose.
agreed. but for sites like 2p2 that have 0 reason to need my personal info i just enter in a random birthday. i think probably most other users do too.
01-08-2017 , 11:13 PM
Quote:
Originally Posted by ezdonkey
I'm gonna buy the database just to see what kind of private messages jungleman has sent to durrrr
+100
01-08-2017 , 11:16 PM
I can confirm that this is a serious issue especially if you have the same password across multiple sites like I did. In early December my Pokerstars account was hacked into, password and registered email account modified. The hacker attempted to cashout all my funds but fortunately I was able to rescue them by quickly notifying Stars security (the cashout was not processed straight away). Still a very stressful process and I was lucky to be able to get my funds back. Lesson learned the hard way - if you use the same password across multiple sites then change them immediately!
01-08-2017 , 11:28 PM
Quote:
Originally Posted by Chuck Weinstock
Feel free to update this thread or PM me with any questions.

Chuck
Which hash function was used to encrypt our passwords?
01-08-2017 , 11:56 PM
Quote:
Originally Posted by SrslySirius
Which hash function was used to encrypt our passwords?
Also, was the hack found so that it was fixed? Last time entire site was shut down . . . Seems very odd
01-08-2017 , 11:58 PM
Quote:
Originally Posted by SrslySirius
Which hash function was used to encrypt our passwords?
Probably black Afghani.
01-09-2017 , 12:03 AM
PSA but everyone should please consider installing and using: www.keepassx.org
01-09-2017 , 12:09 AM
What happens if that gets hacked? Please explain as if I'm a dummy, but it seems bad to me to keep all passwords in the same place.
01-09-2017 , 12:11 AM
Here's what Lastpass had to say when they got hacked
Quote:
Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.

Were passwords or other data stored in my vault exposed?
No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!
I think this means hackers can't crack your master password to access your various usernames/passwords unless you used a really ****ty password, and if you use multifactor authentication, even if hackers did figure out your password, they couldn't log in without access to your second form of verification.

https://blog.lastpass.com/2015/06/la...y-notice.html/

Last edited by gregorio; 01-09-2017 at 12:19 AM.
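
The login derivation described in the LastPass notice quoted above, sketched as an added example (not part of the thread and not LastPass's code). The round counts come from the quote; the username as client-side salt, the extra round modelled as a single PBKDF2 iteration, PBKDF2 on the server side, and all function names are assumptions.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000      # figure from the quoted notice
SERVER_ROUNDS = 100_000    # figure from the quoted notice


def client_vault_key(username: str, master_password: str) -> bytes:
    """Derived on the user's machine; never sent to the server."""
    # Assumption: the username acts as the salt for the client-side rounds.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), CLIENT_ROUNDS)


def client_auth_hash(username: str, master_password: str) -> bytes:
    """One more round over the key; this value is what goes over the wire."""
    key = client_vault_key(username, master_password)
    # Assumption: the extra round is one PBKDF2 iteration over the vault key.
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_enroll(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: random per-user salt plus 100,000 more rounds."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def demo() -> dict:
    # Constructed sample account, not taken from any leak.
    user, pw = "alice@example.test", "correct horse battery staple"
    salt, stored = server_enroll(client_auth_hash(user, pw))
    _, stored_again = server_enroll(client_auth_hash(user, pw))
    return {
        "good_login": server_verify(client_auth_hash(user, pw), salt, stored),
        "bad_login": server_verify(client_auth_hash(user, "guess123"), salt, stored),
        # The same password enrolled twice yields different records (per-user salt).
        "salted_records_differ": stored != stored_again,
        # The database record is not the key that decrypts the vault.
        "key_not_stored": client_vault_key(user, pw) != stored,
    }


if __name__ == "__main__":
    print(demo())
```
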
01-09-2017 , 12:20 AM
Strange my email shows up in the 2p2 leaks but not my username.
01-09-2017 , 12:26 AM
Was notified via email that someone tried to log into one of my accounts from Brazil

There was a failed login attempt to your account

Time of Event: 1/9/2017 4:55 AM
From IP Address: 177.142.41.23
From location: Rio de Janeiro, Brazil
01-09-2017 , 12:32 AM
Quote:
Originally Posted by Jbrochu
What happens if that gets hacked? Please explain as if I'm a dummy, but it seems bad to me to keep all passwords in the same place.
You'd lose everything. But that's no different than if you had passwords that you were entering elsewhere if your machine is compromised. Either way you're already ****ed. Knowing one super long password for keepass with lots of random passwords inside is ultimately much better overall security than the reverse.
01-09-2017 , 02:34 AM
Can anyone borrow me 5k?

You can trust me, I have more than 20k posts
01-09-2017 , 06:35 AM
Quote:
Originally Posted by ezdonkey
I'm gonna buy the database just to see what kind of private messages jungleman has sent to durrrr
wow lol great stuff
01-09-2017 , 07:31 AM
And this is one of the reasons you use programs like lastpass to create unique passwords to every site in seconds.
01-09-2017 , 01:03 PM
I first posted about the hack in some Skype groups and messaged a few people.

I emailed 2+2 using the contact form but they didn't reply at all.

I couldn't make the thread because my account here was banned (I thought this one was too). I messaged Max and he was able to spread the word.

Reporting about a hack is quite a big deal.

Never mind a bounty, I didn't even get a reply saying thanks from 2+2 admin.

The good thing is people are aware and hopefully start to use password managers now.

Dean
01-09-2017 , 01:05 PM
Quote:
Originally Posted by 6V6GT
This site is not using encryption when changing passwords or altering personal details:
http://forumserver.twoplustwo.com/pr...o=editpassword

It should say https. This is bad practice and insecure.

As a general precaution I would recommend removing personal details eg birthday, country details from any account where possible. It is possible to remove these on 2+2
+1 - I've seen this mentioned sooo many times and nothing is ever done about it.

How is this site well over a decade old and still not use https or offer 2 factor authentication? Considering all the claims in HSNL about 2p2 accounts getting hacked (and now this, as well as the other 2p2 hack a few years ago), and the high value of money that can be scammed, this seems like a no brainer. I've been on other sites where the need for heightened security wasn't as necessary, and even those sites have implemented secured sites and 2FA (e.g. obscure car forums). At the very least, if 2p2 cared about its users' privacy then it would implement these standards if any of the admins learned anything from the last hack in 2012 - continuing to ignore these standards just seems irresponsible from a web admin.

Minus whale just put a big banner on the splash page in bold letters reading "hack me plz!"
01-09-2017 , 01:58 PM
Can someone explain as plainly as possible the following, since I don't think I've ever seen it spelled out clearly for non-techies:

How easy or difficult is it for hackers to figure out my actual password from this database that has been hacked? I never know exactly how to interpret the "don't worry, your passwords were encrypted" language that usually accompanies such announcements.

Yes, I get it: "you never know in this day and age" / "better safe than sorry" / etc, IOW: go ahead and change your passwords everywhere you may use a similar one. But that's a non-answer to the simple question of whether encrypted/hashed passwords can be deciphered (yes/no and if yes, please quantify), or is the bigger risk simply hackers using all of the NON-password info in the DB to social engineer access to other accounts of ours without ever actually cracking our password(s) themselves?
01-09-2017 , 02:27 PM
Thank you Dean!
