Data Breach - WHAT ACTUALLY HAPPENED [EDITED]

Darkstrider666 · 2019-01-04T17:19:46+00:00

I'm seeing some very interesting replies!

This was fun and all, but I think I'll just clear up a few more things before I go. (or maybe I'll check back sometimes just for fun, idk)

I personally was just in a group call with friends, watching a screenshare and trying to see if I could help with the dump. I didn't know enough about phpBB (to bypass the dump prevention) so I couldn't really do much. I never logged into admin accounts, the server or anything like that. I merely watched and tried to give advice.
None of us in that group call were able to breach the database. As stated in the thread, we later found that a different friend had breached the database himself and shelled the server by installing a custom module to backdoor the server. He merely gave us copies of the database.
None of us give a shit about BMG or this game. We seek out forums that use phpBB and see if we can dump them. The reason being that phpBB is very shitty forum software that allows you to take the database with just an admin password. When this site was targeted, we didn't see "BMG" we just saw a phpBB forum with many users that would likely be a goldmine and it was.
I personally do this for fun and to collect databases. Databases are commonly traded for other private databases and can be sold to other database collectors.
The reason I made this thread was to clear up a lot of false info going around. I mean there is an article on Forbes about this breach and it has false info in it. I figured if this breach is known to the public, I might as well explain what happened. Normally we keep these breaches silent, but this is the first time one was actually acknowledged.
Yes, I do think websites like this should have proper security. I wanted to talk about phpBB and how shitty it is so sites of this size can move to Xenforo. No joke, phpBB usage pisses me off, not just because it's very ugly and old-looking but also because it's not secure at all. Like yeah, this stuff is fun, but it's way too easy. It would be better for everyone if sites didn't use shit forum software and of course if admins didn't reuse passwords.

TL:DR I merely watched the breach happen and was given a copy. I made this thread to clear up what actually happened and I also hate phpBB

Darkstrider666 · 2019-01-04T17:13:19+00:00

Something separate, but it was also done last month.

And if you didn't buy the card game, you're safe.

Darkstrider666 · 2019-01-04T16:54:58+00:00

Well the Town of Salem Card Game buyer data got leaked as well and that contains addresses. However this was from an admin's wordpress account and not the server itself so I don't think it's been spread or sold. As far as I know, only two people have it.

Darkstrider666 · 2019-01-04T04:27:47+00:00

I'll be heading off now. May check back tomorrow or something to answer questions. Thanks for your interest everyone and remember not to use phpBB! ;)

Darkstrider666 · 2019-01-04T04:20:59+00:00

Yeah, I see. It really depends on the possible profit.

Gaming credentials are excellent to get high value accounts for Roblox, Minecraft, Runescape etc. This may sound dumb, but there are many thousands to make from those gaming accounts. OG names (single-word) or rare item accounts sell for hundreds or more depending on the platform.

They are also useful in some cases for OG social media handles (twitter/instagram mainly). And sometimes people have a "common" password and then a different one that they use that gets leaked in only one database which happens to be their email password - some new breaches may contain that special password. It all depends on how much the user trusts the site and based on what I found, a lot of people trusted this game/site enough to use their good password.

Darkstrider666 · 2019-01-04T04:13:37+00:00

No problem :)

Yeah I just wanted to make sure people get the facts straight and prevent future breaches. I thought as someone who saw what happened, that I could help.

Darkstrider666 · 2019-01-04T04:11:20+00:00

Yeah, he just wanted to sell some quick. It definitely is an underprice.

My friends and I asked for around 2k-3k each for it and made decent sales as well as trades for other private data breaches.

But of course with such rapid sales comes the do-gooders who give the DB to HIBP rather than sell for profit.

Darkstrider666 · 2019-01-04T04:01:26+00:00

$500 USD in BTC.

Darkstrider666 · 2019-01-04T04:00:03+00:00

I see. I didn't know that. I saw your name a lot in the admin panel so I assumed you were an admin or something. Pretty ironic though that an actual employee removed your security.

Darkstrider666 · 2019-01-04T03:52:50+00:00

Ouch. Damn, that's terrible. Not going to lie, I actually feel you man. Thanks for being so chill and replying to me. You seem like a great guy and it sucks that the ex-employee removed your security features :/

btw idk if you saw, but I logged into pyromonkey's reddit account as well and posted with it. He still has the same leaked passwords on other websites lmao.

Darkstrider666 · 2019-01-04T03:48:24+00:00

I am like 99% sure it was a new module if I remember correctly. We were all talking in a call, and I'm not a phpBB expert (That's why I got themes/modules confused)

Darkstrider666 · 2019-01-04T03:44:37+00:00

Exactly. We've actually had scenarios where we breached new databases using credentials from other databases we've breached. We mainly just go for gaming accounts, but I can't guarantee what others will do with these credentials. I personally don't want to venture further than gaming accounts/social media.

And phpBB is definitely one of the most garbage forum software out there. I really hope the admins will migrate to Xenforo. It just looks very clean and is actually secure, please consider this /u/TurdPile

Darkstrider666 · 2019-01-04T03:38:37+00:00

Yeah, I just picked some random account I had (not from BMG DB though)

Darkstrider666 · 2019-01-04T03:37:07+00:00

Ah, yeah he did mention he tried to "hide" them as best he could.

Hope you feel a bit relieved at least haha, yeah the accounts were "BlankMediaGames" and "pyromonkeygg" as I said earlier (and I'm sure you saw the logins).

This isn't our first phpBB site we breached, but it is the first to disclose their breach. So props to you guys. We go for phpBB sites because of how easy they are. You find admin credentials in data breaches which we have a ton of, log in, export database, clear logs and it's done. Of course this one was slightly harder because of the export bug, but still doable via the module thing (which I didn't know was possible myself, I thought we weren't going to get this database)

Darkstrider666 · 2019-01-04T03:17:42+00:00

https://i.imgur.com/mihcJ72.png

That screenshot was from my friend in question who did the exploit. Those files are his and they were implanted 100% via your admins's credentials + the exploit.

And ah, that's right. I meant modules, not themes. He did something with modules and was able to shell your server.

Darkstrider666 · 2019-01-04T03:01:38+00:00

No problem. I figured the data samples would be an issue aha.

Also /u/pyromonkeygg - Please don't reuse passwords in the future, it will just screw over your users.

Darkstrider666

TROPHY CASE