Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 01-05-2021, 10:28 PM   #1
CaptainYooh
Franchise Player
 
Join Date: Jan 2010
Location: Calgary
CP User Data Leak?

A message popped up on my phone today that my username was among other usernames identified in the data leak from this forum.

1) Did anyone else receive this message?
2) Was there a data leak?
3) If yes, what information has been leaked/breached?

Can the administrators comment, please?
__________________
"An idea is always a generalization, and generalization is a property of thinking. To generalize means to think." Georg Hegel
“To generalize is to be an idiot.” William Blake
Old 01-05-2021, 10:31 PM   #2
fundmark19
#1 Goaltender
Join Date: May 2009

I didn’t get a message but Google says my password was compromised and recommends I change it, so I did.
Old 01-05-2021, 10:35 PM   #3
Cecil Terwilliger
That Crazy Guy at the Bus Stop
Join Date: Jun 2010
Location: Springfield Penitentiary

What data? It’s CP. Hackers can take everything and it would make no difference to me. It’s not like CP stores my bank records and credit card numbers.

I guess my name and/or email address but neither of those are confidential.


Edit: forgot the salacious and erotic (but definitely unsolicited) PMs that peter12 keeps sending me. Definitely don’t want those getting out. But I feel that’s more a concern for him than it is me.

Last edited by Cecil Terwilliger; 01-05-2021 at 10:38 PM.
The Following User Says Thank You to Cecil Terwilliger For This Useful Post:
Old 01-05-2021, 10:42 PM   #4
Wastedyouth
Truculent!
Join Date: Aug 2013

Quote:
Originally Posted by Cecil Terwilliger View Post
What data? It’s CP. Hackers can take everything and it would make no difference to me. It’s not like CP stores my bank records and credit card numbers.

I guess my name and/or email address but neither of those are confidential.


Edit: forgot the salacious and erotic (but definitely unsolicited) PMs that peter12 keeps sending me. Definitely don’t want those getting out. But I feel that’s more a concern for him than it is me.
He's sending YOU those too! My goodness, I thought he only had eyes for me!
__________________
Quote:
Originally Posted by Poe969 View Post
It's the Law of E=NG. If there was an Edmonton on Mars, it would stink like Uranus.
Old 01-05-2021, 10:43 PM   #5
bob-loblaw
First Line Centre
Join Date: Jul 2013
Location: Calgary

Quote:
Originally Posted by Cecil Terwilliger View Post
What data? It’s CP. Hackers can take everything and it would make no difference to me. It’s not like CP stores my bank records and credit card numbers.

I guess my name and/or email address but neither of those are confidential.


Edit: forgot the salacious and erotic (but definitely unsolicited) PMs that peter12 keeps sending me. Definitely don’t want those getting out. But I feel that’s more a concern for him than it is me.

That's odd. I had to give my credit card numbers, SIN, and a picture of my passport when I signed up.
The Following 3 Users Say Thank You to bob-loblaw For This Useful Post:
Old 01-05-2021, 10:43 PM   #6
PaperBagger'14
Franchise Player
Join Date: Apr 2013
Location: Cowtown

Quote:
Originally Posted by Cecil Terwilliger View Post
What data? It’s CP. Hackers can take everything and it would make no difference to me. It’s not like CP stores my bank records and credit card numbers.

I guess my name and/or email address but neither of those are confidential.


Edit: forgot the salacious and erotic (but definitely unsolicited) PMs that peter12 keeps sending me. Definitely don’t want those getting out. But I feel that’s more a concern for him than it is me.
Let me guess, a clown's nose between 2 grapefruits
__________________
Quote:
Originally Posted by oilboimcdavid View Post
Eakins wasn't a bad coach, the team just had 2 bad years, they should've been more patient.
Old 01-06-2021, 01:00 AM   #7
squiggs96
Franchise Player
Join Date: Nov 2009
Location: Section 203

Quote:
Originally Posted by Cecil Terwilliger View Post
What data? It’s CP. Hackers can take everything and it would make no difference to me. It’s not like CP stores my bank records and credit card numbers.

I guess my name and/or email address but neither of those are confidential.
You should see the current sign up process for CP. They ask for way more than just a screen name and email address. It sounds like a passport application.
__________________
My thanks equals mod team endorsement of your post.

Quote:
Originally Posted by Bingo View Post
Jesus this site these days
Quote:
Originally Posted by Barnet Flame View Post
He just seemed like a very nice person. I loved Squiggy.
Quote:
Originally Posted by dissentowner View Post
I should probably stop posting at this point
The Following 2 Users Say Thank You to squiggs96 For This Useful Post:
Old 01-06-2021, 03:38 AM   #8
rbochan
Scoring Winger
Join Date: May 2008
Location: Syracuse, NY

I guess hackers will now know if my tp goes over or under. The horrors.
__________________
...Rob
The American Dream isn't an SUV and a house in the suburbs;
it's Don't Tread On Me.
Old 01-06-2021, 07:06 AM   #9
GordonBlue
Franchise Player
Join Date: Dec 2016
Location: Alberta

Quote:
Originally Posted by CaptainYooh View Post
A message popped up on my phone today that my username was among other usernames identified in the data leak from this forum.

1) Did anyone else receive this message?
2) Was there a data leak?
3) If yes, what information has been leaked/breached?

Can the administrators comment, please?
I didn't receive a notification of any kind.
Not too worried though.
Old 01-06-2021, 07:11 AM   #10
Fuzz
Franchise Player
Join Date: Mar 2015

I checked to see if my CP password was on any pwned lists, and it was not. And I haven't changed it in a long time. So I don't think this was part of the Cit0day release, which would be the most likely source.
Old 01-06-2021, 07:18 AM   #11
Krovikan
Powerplay Quarterback
Join Date: Jan 2010

PII probably isn't the big concern if the data was leaked; most data people sign up with is public domain PII. You could associate a person's username with their real name, which could be a huge PII issue if they have posted their political beliefs, religious beliefs, gender identity, sexuality, requests for advice on sensitive topics, etc. on the forum. For some users, not a big deal; in my case, it's easy to figure out who I am from my username. For others this could have an impact. This assumes they signed up with a real name.

The bigger concern was the passwords leaked; a lot of non-technical users probably use a few passwords for everything. Forums are quite often a vector of attack for other more sensitive credentials like email, bank, etc. passwords. The main vector of attack on World of Warcraft accounts when I played the game was via 3rd party forums not associated with Blizzard.

There is another risk: IP can be considered PII, and I would assume that the forum has IP tracking, so theoretically if the audit logs were exposed someone could trace someone's movements by the geolocation of the IP address. It isn't GPS level tracing; however, it can give you city data which could be an issue depending on the person. With secondary access (to the ISP's network) a malicious actor could in theory utilize the IP address to track the person to houses or public access points.

(None of this is suggesting there was a breach; this could be a phishing email, just trying to lay out some of the personal risks I could see to CP's data being leaked if it happened.)

(I personally am changing my password just to be on the safe side)
The Following 2 Users Say Thank You to Krovikan For This Useful Post:
Old 01-06-2021, 07:33 AM   #12
TorqueDog
Franchise Player
Join Date: Jul 2010
Location: Calgary - Centre West

If you have used the username and password that you use with CP on other websites, then it’s possible that one of those sites got hacked and your phone is alerting you that the credentials have been compromised.

iOS has this built in; you can look in Settings > Passwords and it’ll tell you if any of your credentials are compromised and need to be changed. It’ll also suggest you use different passwords for every account if you have some common ones.
__________________
-James
GO
FLAMES GO.
Old 01-06-2021, 07:36 AM   #13
Fuzz
Franchise Player
Join Date: Mar 2015

If you want to see if your password has been used elsewhere (by you or someone else) you can enter it here:
https://haveibeenpwned.com/Passwords


WARNING!
Once you do this, that password is compromised. Not officially, he's not going to use it for nefarious stuff (probably), but you just entered it on a random internet form. Untrusted. So if you use this, make sure you change it after.
The Following 2 Users Say Thank You to Fuzz For This Useful Post:
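
A way to run the same kind of check without typing the password into a web form, added here as an example and not part of the thread: the Pwned Passwords range endpoint takes only the first five hex characters of the password's SHA-1 and returns the matching hash suffixes, so the comparison is done locally. The function names are hypothetical and the response body is constructed so the code runs offline.

```python
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL to request; only the 5-character hash prefix leaves the machine."""
    prefix, _ = split_sha1(password)
    return RANGE_ENDPOINT + prefix


def count_in_range(password, range_body):
    """Look for the local suffix in a 'SUFFIX:COUNT' response body."""
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # Padding entries (when padding is requested) carry a count of 0.
            return int(count) if count.isdigit() else 0
    return 0


def constructed_body(breached, count):
    """Constructed stand-in for a range response so the example runs offline."""
    _, hit = split_sha1(breached)
    decoys = [split_sha1(w)[1] for w in ("decoy-one", "decoy-two")]
    return "\r\n".join([decoys[0] + ":3", f"{hit}:{count}", decoys[1] + ":0"])


if __name__ == "__main__":
    body = constructed_body("hunter2", 17)  # constructed sample data
    for pw in ("hunter2", "correct horse battery staple"):
        print(range_url(pw), "->", count_in_range(pw, body))
```

Against the live service, the body passed to `count_in_range` would be the text returned by a GET to `range_url(password)`.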
Old 01-06-2021, 08:06 AM   #14
Krovikan
Powerplay Quarterback
 
Join Date: Jan 2010

LastPass also has a checker if you don't want a random web forum, just create a free account and do the security check.
Old 01-06-2021, 08:08 AM   #15
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

Quote:
Originally Posted by CaptainYooh View Post
A message popped up on my phone today that my username was among other usernames identified in the data leak from this forum.

1) Did anyone else receive this message?
2) Was there a data leak?
3) If yes, what information has been leaked/breached?

Can the administrators comment, please?
Where was this message from? Was it the browser? If so what browser?

1) I've never seen it, though I have seen the Google message fundmark19 mentions before.

2) Not to my knowledge. Many years ago we did have an issue with site files being updated to introduce code onto the webpage of the site, but that never touched the database server or software to my knowledge.

Krovikan's post sums it up if someone had gotten access to the database.

They would have a list of email addresses and password hashes and with enough effort they could reverse engineer the passwords one by one. The big risk there is if people don't practice good password hygiene and use the same password from the forum and on their email, which would give someone access to a lot of stuff (since most sites use email to do password resets). Always have different passwords on different sites, but at the very least always make sure your email is different than everything else and use a very strong password and 2 factor authentication if your email provider offers it (and switch to one that does if they don't).

They'd also have a list of IPs a person has posted from which as mentioned isn't overly accurate in terms of determining location and likely not overly useful for what such hackers would be looking for.

And any other information that was provided during the registration process.

If you have any other questions or want to let me know more details you can post here or PM me.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
The Following 3 Users Say Thank You to photon For This Useful Post:
Old 01-06-2021, 09:08 AM   #16
ResAlien
Lifetime In Suspension
Join Date: Dec 2007

Everyone else appears fine, sounds like it’s a Yooh problem.
The Following 10 Users Say Thank You to ResAlien For This Useful Post:
Old 01-06-2021, 09:19 AM   #17
CaptainCrunch
Norm!
Join Date: Jun 2002

Nothing from my side. All my pron sites are safe.
__________________
My name is Ozymandias, King of Kings;

Look on my Works, ye Mighty, and despair!
Old 01-06-2021, 09:22 AM   #18
rayne008
Powerplay Quarterback
Join Date: Apr 2007

Quote:
Originally Posted by ResAlien View Post
Everyone else appears fine, sounds like it’s a Yooh problem.
Old 01-06-2021, 09:23 AM   #19
CaptainYooh
Franchise Player
Join Date: Jan 2010
Location: Calgary

Quote:
Originally Posted by photon View Post
Where was this message from? Was it the browser? If so what browser?...
If you have any other questions or want to let me know more details you can post here or PM me.
This message popped up on my iPhone in Safari browser. I should have saved a screenshot, but I didn't. It asked me if I wanted to log in to calgarypuck.com under my user name and when I clicked on it, it gave me the second message advising that this user name was included in the data leak from this forum and that I should change my password immediately. It looked legit coming directly from Safari and was not a phishing email.

I will PM you separately. I posted this to warn others who might have been exposed if this data leak did actually happen.
__________________
"An idea is always a generalization, and generalization is a property of thinking. To generalize means to think." Georg Hegel
“To generalize is to be an idiot.” William Blake
Old 01-06-2021, 09:40 AM   #20
ricosuave
Threadkiller
Join Date: Oct 2003
Location: 51.0544° N, 114.0669° W

I think the latest version of Firefox checks the email addresses/logins and warns you...
__________________
https://www.reddit.com/r/CalgaryFlames/
I’m always amazed these sportscasters and announcers can call the game with McDavid’s **** in their mouths all the time.
All times are GMT -6.