Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Any recent hacked accounts from Southperry users?
Jellyflower Wrote:Maple allows passwords up to 12 characters long
I'm pretty sure it allows passwords up to 20 characters long.
Reply
-accidentally posted somehow-
Reply
y0y0y0y0shi0 Wrote:I'm pretty sure it allows passwords up to 20 characters long.

I just changed my password last night. Trust me when i say it's 12 characters long.
Reply
Jellyflower Wrote:Here's something I've been thinking about. I'm still in the process in gathering data. Right now we're suspecting someone is cracking MD5 hashes, but this also applies to any encryption employing hashes. What you want is a 'strong' password. This is sort of ironic since the whole epidemic might have been prevented (but not forever) if the so called exploit is via hash match-up.

Maple allows passwords up to 12 characters long, so symbols are allowed as well. I'm not sure if it was changed somewhere along the line, but I know a lot of people only use letters and numbers, because some other corporations exclude the use of symbols to prevent possible SQL injection and loophole exploit because %, ', ", _, are used for operators in a lot of languages. I don't know which ones Nexon rejects, if any, but supposingly all are allowed, that's 47 keys + shift lock = 94 different possible character. Since 12 letters are maximum, that lead to 94^12 combinations ~ 2^78.655 (ln(94)/ln(2) x 12 = change of base) which rougly translates to 78 bits of protection. 11 letters will be 94^11 ~ 2^72.1, which is 72 bits. Each bit double the protection in basic bruteforce term because it takes twice as long to check all combinations. Of course this is assuming the bruteforce method uses all 94 ascii for checkups, which might not be the case so symbols are highly recommended as of now, unless there are dominant cases where passwords with symbols are cracked or bypassed. 128 bits security is slowly become unsecured, with maple only allowing maximum of 78 bit true protection, you want yours to be high as possible don't you? (This is all assuming passwords are stored as MD5 hashes)

You may also want to do a short hash lookup with your new password, since MD5 is not collision-free, meaning there might be more than one password/passphrase/key that will generate the same hash, even though the occasion is extremely rare. More is detailed on previous pages as to how to go on about checking. If you want a password that you can remember easily, you can simply concatenate random symbols somewhere within your existing password to make it full 12-character length. Except I would suggest changing it to a whole new one, and simply not rely on the avalanche effect that MD5 has.

First off, as you said yourself: You're assuming MD5.

And second, you're assuming unsalted MD5. If the MD5-keys are salted, then knowing the password would be even harder, unless these guys knows the way the salting works. And even then, it's going to take forever as lookups doesn't give the required password.
Reply
i logged on yesterday, and my pin was changed. After I changed my pin back, I got on Hippo, my 132 shadower. It was then that I noticed my 107/16 fan (+6 hammered), 10 att scg (+2 hammered), 2 att 1str 1 luk palette ( +1 5 slots), Bloody Rose chair, 6 str icarus cape (1 slot), Red Designer chair, and my 1m mesos. Lol. I found the hacker (rabbyyms) with my stuff in his/her shop around 2-3 hours after I got back on; Unfortunately I didn't have nx to tag my items. I did send in a ticket describing the same incident and I posted screenshots but I highly doubt I'm gonna get anything back. : \

oh yeah, no-one knew my account info.

gg. i just noticed they stole my palm chair too. LOL how jew
Reply
Takebacker Wrote:I just changed my password last night. Trust me when i say it's 12 characters long.
Oh. Nevermind then. I was always under the impression that the username and ign are 12 characters, password 20 characters. That's what most games and forums use.
Reply
[Image: fvvkp4.jpg]

FREE PW AND IDS

lax security

Quote:Since GMS has decided to be complete asshats to us for the past couple of years, we have finally decided it is time to treat those as they treat us. As you all say, it's one large community. One cannot be responsible for himself, he represents his peers as well. So, here you have it. Why have so many people been getting hacked? This:

-- login IDs removed--

No, we do not want you to equip them. No, they are not all banned. Those are just a small amount of the tens of thousands of account info.'s we have of everyone. Thank Nexon for terrible security, this is why people are getting hacked recently.



If further justification is requested, we will throw down more account info.'s. There are tens of thousands more where that came from.


For all you kids who talk pomegranate, keep it up. Everyone pays the price for your actions. When we say "WRT" we DO mean "We Run This". This is our house suckas, cry about it all you want. There's the truth behind it all.


Happy Mapling, love Vent guild from Bera;Armand (FaceLt/Gewsie/ioigiraffe), Mikey (Spunz/Pures1n/Doezx), Ed (YTMS/Caerulean/Yutakemyspot), and Richard (Traded/HitlersMyDad/Jenniphox3)DanzoXV, Dan (FONDLING).

[Image: ogkzd3.gif]
Reply
That's why I'm suggesting 'strong' passwords because hey, it wouldn't hurt. Going from 10 to 12 letters offer just below 9000x the protection in layman terms. That's pretty substantial if say an average account is compromised every hour because of using 10 letter pass and with standard bruteforce, that's delaying the intrusion by 375 days with said 12 letter recommendation. End result is, there's nothing but gain and no harm in this clause, given that your comp is clean, data transfer is authentic, Nexon servers and sites aren't infected/hijacked.

Also, does anyone remember or know of the exact date from Wizet -> Nexon management switch? Or when Nexon decides to drop security questions from the sign up process altogether? Has there been accounts hacked that were created in 2006, like the really old ones? I know there are some in 2007 but they seem to be late 2007.
Reply
By the way, I'm pretty sure "Vent" is Ecko, for anyone who's wondering. He types almost exactly the same as Ecko, with that pseudo Gangstathug typing style, and uses the "Owns" thing ("Ecko Owns").

Thought it was fairly obvious, but felt like throwing that out there.

[video=youtube;zkSeuLPSVNU]http://www.youtube.com/watch?v=zkSeuLPSVNU[/video]

Video description Wrote:chyeaaa. i ownt that kid. why? cuz he talkin mad pomegranate. i don't give a fk how messed up that is. if you talk sht to me then you deserve it. learn from other's mistakes kthx
Reply
Spideyjvc Wrote:By the way, I'm pretty sure "Vent" is Ecko, for anyone who's wondering. He types almost exactly has Ecko, with that pseudo Gangstathug typing stle, and uses the "Owns" thing ("EckoOwns").

Thought it was fairly obvious, but felt like throwing that out there.

[video=youtube;zkSeuLPSVNU]http://www.youtube.com/watch?v=zkSeuLPSVNU[/video]

Are you freaking serious? I already heard enough infamous stuff from him. He only hacks those that messed with him, now this outbreak? *Raaage*

Also, wtp at that video.
Reply
IllegallySane Wrote:Are you freaking serious? I already heard enough infamous stuff from him. He only hacks those that messed with him, now this outbreak? *Raaage*

Also, wtp at that video.

Meh, well it seems like him anyway. He did make Smega's a few days ago in Bera using an account he stole saying he was giving free items and how it "Sucks don't it? Karma's a bitch"

Then again, Ecko pretty much does his own thing for his own personal revenge. Maybe it isn't him after all. They sure as hell do type like each other.


By the way, video was back in 07 when 26m will pretty damn good, and Zhelms actually meant something.
Reply
Sorry if this is old/known news, but MS Sea has faced similar hacking problems. So I think GMS is now getting hit... Seems very similar to what's happening here... Basically the summary of below, hackers were able to get into MapleStory SQL database and getting hold of people's info. Guys think it's happening here?
http://maple-news.com/2008/09/14/maplesea-vs-china/
Reply
Kubi Wrote:Sorry if this is old/known news, but MS Sea has faced similar hacking problems. So I think GMS is now getting hit... Seems very similar to what's happening here... Basically the summary of below, hackers were able to get into MapleStory SQL database and getting hold of people's info. Guys think it's happening here?
http://maple-news.com/2008/09/14/maplesea-vs-china/

This is REALLY old news.
Reply
Yeah, it may be old news. But if Nexon America here has done the same way of having the info of people's account stored with the low security of their database like MS sea has and left it unchanged, I think the chances of it happening here is pretty high; people that has done the commonly known things of not sharing info with anyone and that sort of stuff, the only way to get that info is from nexon's database. So Nexon is still going on their belief that it's still the players fault for whatever happens, refusing that there's a leak, poor security, or whatnot on their side...
Reply
lax security, -_-..... hopeless...
Reply
GameMX Wrote:Wrong. It's scattershot as hell. I've seen 3 month old accounts get hit.

If anything, they may just be bypassing the login server in a certain way. Spoofing in some sort.

How many have been hacked while offline? How about online? I see most people who get hacked are offline at the time. Tally it up.

It's possible to bypass the login server completely - by using a custom client. Or even just sending packets manually, works.

The channel server accepts a character ID in the 2nd packet sent to it (1st would be encryption init). Since it is hard to do a foolproof check on that (not sure if Nexon checks, but they could check via IP..), anyone who has a working packet logger and a working custom client can just connect, enter your character ID, and bam, they have access to your character as if they logged in normally.

Note that creating a custom client that can move around is haaard.

And the reason why I state to use a custom client is because the real MS client checks if the character is the correct one; else it disconnects. Unless someone managed to remove that check, they would have to use a custom client.

P.S. Am I giving too much information here? If so, delete/edit my post, thanks
Reply
I got hacked and my account was made before '07.

If this was Ecko, all my characters would most likely be deleted or have their untradeable items dropped. Not to mention that most of my other rare items on my mules were not gone either, and my other accounts, as well as my girlfriend's who shares with me, would be hacked too. This is too random.
Reply
Spideyjvc Wrote:Meh, well it seems like him anyway. He did make Smega's a few days ago in Bera using an account he stole saying he was giving free items and how it "Sucks don't it? Karma's a bitch"

Then again, Ecko pretty much does his own thing for his own personal revenge. Maybe it isn't him after all. They sure as hell do type like each other.


By the way, video was back in 07 when 26m will pretty damn good, and Zhelms actually meant something.

I know Ecko actually. It probably was him He went to my High School. He was a huge jerk irl, he used to harass and beat up the nerdy kids and weaker kids for no real reason at all. He was also smart. One time this kid stepped on his soes in class, he got pissed beat him up and got suspended. When he came back he found the kids laptop and hacked it and got him kicked out of school. At lunch he was laughing about it with his friends.

He was a huge jerk to everyone even the teachers. he had a ton of equally as annoying friends and was basically having sex with every semi hot-hot girl in school and then would brag about it. If you argued with him he'd just laugh and say "I'm banging <x> today, you're at home playing WoW you ugly nerd. I'm better than you so your opinion is void. Shut up"
Reply
Eosian Wrote:If they've already been on the account once they know all the characters on it and who to DC if they want to retake it. It would be more practical to add a new character to the account and idle on it.

They have not been on the accounts I'm leaving logged in. They account they were on has nothing on it (I removed what the hacker found unworthy the first time) and as there is nothing to take, I don't bother leaving it logged in.

Also I don't leave a main character logged in, I leave someone on the account logged in. It's only a main character when I'm present.

I'm still a little confused about the login info the hackers obtained. Did they obtain a list from a set point in time, or are they continusly retreving data from the nexon servers? So do they have all our old pw & pin, or are they able to obtain new ones as well? Or do they just make notes of valuable accounts and try to brute fource a pw later in case the person tries to recover?

Eosian Wrote:No, it's rather neutral. If your hash isn't found it means you've got a password that can't immediately be looked up, which is positive, but it also implies that some other method was used to bypass your pass/pin, which is somewhat bad for us, but honestly if you've already been hacked zeroing in on the how isn't going to be good or bad - it's already too late.

I looked up the hash for the old pw on the account that was broken into and checked the hash using the links you provided. Mine was not listed. So that means bad news for us?

It's not too late for me, I have over 15 accounts, so far they got one that I valued at 500m. My accounts that have probably 10-20b in items or nx are now left logged in 24/7 to minimize the probablity of anyone being able to get in. But naturally I'm interested in futher security methods.

Well, I hope the hackers get a GM account. That would be great (and nexon would finally notice). Though probably GM accounts are limited to log in only at nexon's ip, but since nexon doesn't do anything else right why would they bother to get this one right?
Reply
HELOHELO Wrote:
 Spoiler

I Lol'd

It's amusing. Very Very amusing.
Reply


Forum Jump:


Users browsing this thread: 4 Guest(s)