Planet Calypso: PlanetCalypsoForum data breach

Discussion in 'Entropia News' started by NotAdmin, Jan 12, 2020.

  1. NotAdmin

    NotAdmin Administrator

    Just received this in my mailbox:

    You've been pwned!
    You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:

    Email found: <my email>
    Breach: Planet Calypso
    Date of breach: 1 Jul 2019
    Number of accounts: 62,261
    Compromised data: Email addresses, IP addresses, Passwords, Usernames
    Description: In approximately July 2019, the forums for the Planet Calypso game suffered a data breach. The breach of the vBulletin based forum exposed email and IP addresses, usernames and passwords stored as salted MD5 hashes.

    Why did we not hear about this until now? And why did MindArk themselves not inform us of this? I guess their extensive logs failed them... Must be this Gotenborg excellence once again.


    Last edited: Jan 12, 2020
    • Thanks Thanks x 1
  2. Password changed, catastrophe avoided, for now. [​IMG]

    Good question. :headscratch:
    Well trust in them isn't around much anymore for me.
    To be sure, changed it here also, just in case.
    Last edited: Jan 12, 2020
  3. The most interesting thing about this security breach is, that

    people on "the other forum" did INDEED ask at that time, if something fishy was going on,

    as they recieved emails with current passwords they were using :
    (exactly 1 week before the "hacker" published the database on raid forums)

    You can bet, support cases had been sent...

    So, the 1st who stepped forward, claiming it wouldnt mean much,
    was a swede...with a rock solid explanation...but read for yourself :

    pcf breach july 2019.jpg

    But the most epic post was done by Mac Farmer, the allmighty, all knowing, everybody else sucks but me, Mac Farmer :

    pcf breach july 2019 2.jpg

    He cries about a malware, that encrypted his PC and asked for bitcoin...but wait, there is more to it : x'D

    So Mac Farmer wanted to illegally activate his windows and downloaded "KMSpico" [ofc it was his "friend" here ;) ] from some obvious malware site, straightly via google.

    Just to get his PC encrypted. On top of it, he never thought such thing could HIM !

    So he smashed his HDD...the only valid solution, of course.

    While KMSpico actually IS a great piece of software/work, that does indeed activate your windows (illegally) should only download it from trusted places. But ya, this is how I remember ye good olde Mac Farmer. ^^

    So he is then warning people about "KMS_piko" and that they should NOT use it to activate their windows ! *geeee* x'D

    To make a long story short :

    -July 2019 "Actual Breach happened " -MA + 711 aka. Jason Peterson silent

    -August 2019 "PCF forum users recieve emails with their clear passwords in it" -MA + 711 aka. Jason Peterson silent

    -September 2019 "PCF forum users post about the problem" (only 2 pages though, which says a lot about the numbers never looking at that forum)
    (Blueberry even links to the link, NotAdmin posted here) -MA + 711 aka. Jason Peterson silent

    pcf breach july 2019 3.jpg

    -January 2020...lets wait and SEE, like always ^^

    -MA + 711 aka. Jason Peterson silent
    Last edited: Jan 12, 2020
  4. Wistrel

    Wistrel Kick Ass Elf

  5. NotAdmin

    NotAdmin Administrator

    But users reuse their passwords, and thus their accounts might be compromised in other ways. Jesus fucking Christ. Perhaps from an MA perspective there's nothing to worry about, but that's the dumbest possible thing I ever read.

  6. LooOoooOOooOoOooOOooOOoL...this is epic... "I looked into it...someone told me there is nothing to worry about" ...PCF people not happy (once again)...but it will be forgotten sOooOoooOOOOn...until the next accident...impressive company...impressive community... x'D
  7. NotAdmin

    NotAdmin Administrator

    People on PCF are wondering what exactly happened, as MindArk is choosing to not say anything, other than "nothing to worry about".

    While of course I'm not certain, the most likely explanation is a weakness in the vBulletin software. A quick search for vBulletin exploits (which most likely is what was used. Most "hacks" are typically done by script kiddies firing off an exploit scanner that simply tests sites against a database of known exploits) reveals at least 13 of them reported last year:

    Edit Date Name Status
    2019-10-13 VBulletin 5.0 < 5.5.4 updateAvatar Authenticated Remote Code Execution Published
    2019-09-27 VBulletin 5.x 0-Day Pre-Auth Remote Command Execution Published
    2019-09-25 VBulletin 5.x Pre-Auth Remote Code Execution Published
    2019-08-25 VBulletin Reflected XSS via Click here Published
    2019-03-04 VBulletin 4.2.5 Ajax Threads 1.1.3 Lite Open Redirection Published
    2019-03-04 VBulletin 4.2.5 Thread Post Bookmarking 1.2.0 Open Redirection Published
    2019-03-04 VBulletin 4.2.5 vBSuper_PM 1.2.3 Lite Open Redirection Published
    2019-03-04 VBulletin 4.x Seo by vBSeo 3.3.2 Open Redirection Published
    2019-03-04 VBulletin 4.2.5 Member Map 1.1.2 Lite Open Redirection Published
    2019-02-28 VBulletin 4.x.x DragonByte SEO v2.0.31 Pro Open Redirection Published
    2019-02-26 VBulletin 4.2.0 ChangUonDyU Chatbox Plugins 3.6.0 Cross Site Scripting Published


    Another list shows the following exploits:

    # CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
    CVE-2019-17271 89 Sql 2019-10-08 2019-10-09
    None Remote Low Single system Partial None None
    vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
    CVE-2019-17132 20 2019-10-04 2019-10-11
    None Remote Medium Not required Partial Partial Partial
    vBulletin through 5.5.4 mishandles custom avatars.
    CVE-2019-17131 1021 2019-10-04 2019-10-11
    None Remote Medium Not required None Partial None
    vBulletin before 5.5.4 allows clickjacking.
    CVE-2019-17130 552 2019-10-04 2019-10-10
    None Remote Low Not required Partial Partial None
    vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
    CVE-2019-16759 20 Exec Code 2019-09-24 2019-09-25
    None Remote Low Not required Partial Partial Partial
    vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig code parameter in an ajax/render/widget_php routestring request.


    The second list is specific for vB version 5, where PCF runs on vB 4.2.2 (Right-click any page, then select "View Source", and you'll see a line:

    <meta name="generator" content="vBulletin 4.2.2" />)

    vBulletin 4 has been discontinued (end of life) since late 2017. That mostly means that no new features will be developed for it, but security patches for it would typically still be rolled out to patch newly discovered exploits. Of course, it's up to the forum administrator to actually install those patches.

    Forum software is quite complex, and typically relies on external libraries to implement specific functionality, like a standard open-source text editor window, or an AJAX library to provide slicker interfaces. Often, issues are discovered in libraries like those, because due to being open source, they are widely used, and thus provide a great attack surface for potential hackers. After all, if you manage to find a loophole in such a library, you would be able to target any standard software package using it.

    Sometimes, it's also possible that an exploit is discovered in the source code of the software itself. Take for instance the following exploit found in vB 5:

    It uses a function called "evalCode", which apparently basically executes whatever code you parse to it. It essentially sidesteps whatever security is built into PHP, and allows an attacker to execute operations against the underlying operating system (Linux). Why vBulletin would include such a function is beyond me, as it's obviously a risk.

    I'm just happy we migrated to Xenforo all these years ago. And I hope MindArk informed their Planet Partner Toulan of the breach. After all, MindArk was kind enough to recommend Toulan to use the same forum service provider they use, and thus Toulan runs the exact same software, and most likely is also vulnerable to the same exploit.

    (Again, not saying this is how it happened, but it's a likely explanation. The alternative is a direct hack against the forum server(s) itself).

    But you have nothing to worry about, guys. Someone at MindArk said so. Now please go back and [strikethrough]dump more quarters into their slot machine[/strikethrough] invest more money into Entropia Universe, the most secure MMO in the world.
    Last edited: Jan 13, 2020
    • Thanks Thanks x 1
  8. Tass

    Tass Administrator

    GDPR Art. 33 & 34
  9. too funny somehow :)

    i've made an inquiry to the local austrian dataprotection agency, and i've made some posts on PCF and reported myself.

    actually i think i'll call mindark tomorrow...

  10. NotAdmin

    NotAdmin Administrator

    I saw your post. 711's response in that thread reads as if they *just* found out about the breach. Yet, on their own forum, this was posted:


    I would assume that this would have been noticed by MA. If not directly, most likely people in that thread submitted a support ticket notifying them. I'm still annoyed I had to find out through the mail that was sent to me, rather than hearing directly from MindArk.
  11. Is this why my account has not yet activated in there?
  12. GeorgeSkywalker

    GeorgeSkywalker Explorer

    nope, thats a separate issue. They manually activate new accounts over there to avoid something, can't remember what :)
  13. Wistrel

    Wistrel Kick Ass Elf

    Just logged on... cough!

  14. just for the records, no further actions have been taken by MA or PCF.

    the affected users have never been informed, and i'm pretty sure, that the breach wasn't reported to the swedish authorities.

    noone on PCF seems to care anyways - noone even tried to discuss my warnings regarding leaked emails and IP-addresses.

    fuck this shit, i'm out soon.
  15. NotAdmin

    NotAdmin Administrator

    That's not entirely true. 711, a MindArk employee, added a certificate, and password expiration dates.
  16. Wistrel

    Wistrel Kick Ass Elf

    confirmed as in my post above

    thread closed without notice ... just for the records.

    no, i'm not gonna report my own posts again, why should i?!?

    no, i'm still not a fan of whatever they call security...

    no, i still don't think we can call this improved communication, maybe not even adjusted, or ever upgraded at all...

    seems it's the events-shut-down and threads-closed season again... funny time, quarantine :dunno:

    ps ... did i ever mention that it's nice to be here? :geek:

  18. Fan_boy99

    Fan_boy99 Ignore Spawn and San they are Sheeples

    It is an incredible bot.

    Basically if A (some1 else) enters an area that X (you) is in then the bot auto shuts down .

    The Bot IS much in use in EU at the moment. There is no way to ''detect'' it because of the way it works. It is actually a professional hack that took a lot of time. It is in use for hunting also.

    Basically you can say using the bot if you get 1 or 100 reports against you that you was AFK feeding the dog cat fish etc.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.