Brian Enos's Forums... Maku mozo!
Stan-O

USPSA passwords database has been hacked


What happened?

The USPSA passwords database has been hacked and about 15,000 records (emails + passwords) have been published by hackers. I found out about midnight on November 25th and notified USPSA. About 6 hours later the USPSA web-site was taken down until the code was updated. It is now back up with the limited functionality until the proper fix is implemented.

What do you need to do now?

If you used the same password at any other web-site (besides uspsa.org) you need to log in to that website and change your password ASAP. The reason hackers even tried to obtain your USPSA password is that they hoped some of those e-mail/password combinations will work for other sites -- like eBay, PayPal, online banking, iCloud. The link to the database dump is available further down in this thread, but if your e-mail address isn't there it doesn't mean you're safe. That dump is not necessarily everything hackers got.

Is my credit card info I've used to pay at uspsa.org safe?

USPSA payments are handled thru a third-party vendor and their infrastructure has not been affected by this attack.

What to expect in the future?

When USPSA.org is back online with the full membership functionality -- make sure you update your password there too. Do not use the password you use anywhere else.

Below is my original post I'm keeping for posterity reasons and so that some of the discussion below doesn't seem completely out of context.

Well, I didn't feel like it's appropriate to post in the USPSA shooting or USPSA rules sections, but I'm sure there are plenty of USPSA members here, and if Brian/mods feel like this topic should be moved, they can do so.

I have received a notification that the USPSA.org passwords database has been hacked and the DB dump containing about 15,000 account records (e-mail + password) has been posted online for the world to see.

For obvious reasons I'm not including the link to the DB dump, but I'd welcome the first 10-15 people who reply here to PM me with an e-mail address so I can confirm if their passwords have been leaked (unless there's a clear correlation between the BE username and the e-mail address, I'll obscure a few characters from the password with asterisks to prevent abuse). I have found my own password in plain text in the leaked DB dump and a few passwords of my fellow USPSA members as well, although as it's late I haven't confirmed with them that their passwords are real.

For now, I'm fairly certain the vulnerability has not been fixed, however it would be beneficial to log in to uspsa.org and update your password there (especially if you're a primary contact for a club). If you have used the same e-mail/password combination at any other web-site I would strongly advise you to log in to those and update your passwords there as well (especially if it's an iCloud and you're a celebrity and have some private photos there ;)).

UPDATE 1: Forgot to mention, the note posted along with the dump claimed that at least 1,000 of those records are working logins for eBay/PayPal too! So do not ever use the same password across multiple sites.

UPDATE 2: Out of 8 e-mail addresses sent to me 4 were in the dump along with the correct passwords and 4 were not in the dump. However I believe not all the stolen records made it to the public dump, so even if your e-mail is not there I wouldn't rest easy.

UPDATE 3: Looks like the uspsa database is down or offline, nobody can login.

UPDATE 4: uspsa.org is down.

Edited by Stan-O


I sent a PM, I could tell he was correct with the password he sent back. It is one I use for sites like USPSA.

This sucks!


I'm getting some stuff that is not usual for the USPSA page. Looks like it might be hacked in a way to link your Facebook with your account, to get an ID for the hackers to go with all those passwords. I wouldn't even go to the address unless you are running Ghostery for Firefox, which blocks some of those things.


I tried to login, it says my password is wrong, then when I try to retrieve it says I already have the max number of logins.


I'm getting some stuff that is not usual for the USPSA page. Looks like it might be hacked in a way to link your Facebook with your account, to get an ID for the hackers to go with all those passwords. I wouldn't even go to the address unless you are running Ghostery for Firefox, which blocks some of those things.

To me it looks like either the DB is down or it's been put offline by USPSA. At the moment I cannot even login. I haven't received a reply to my e-mail sent to the USPSA web-master, but if they took the DB down it's a great move I think; at least no one will be able to abuse the published passwords at uspsa.org.


Stan-O, out of curiosity, where does one go to find database dumps on the web? Who sent you the email? I got the same email but I wonder why you got sent the link.

Sent from my iPhone using Tapatalk


Stan-O, out of curiosity, where does one go to find database dumps on the web? Who sent you the email? I got the same email but I wonder why you got sent the link.

Sent from my iPhone using Tapatalk

The notification I've got didn't come from USPSA. I'm pretty sure they didn't know when I emailed Rick and Val. So I'm not sure what you meant by saying you got the same email.

I don't think it would be beneficial to share the link to the dump. USPSA people have it and sharing it beyond them would do more harm than good. There are people with .gov and .mil addresses there and their passwords which may still be valid at other web sites.


Got an e-mail from Val, they acknowledged the leak and are going to fix the problem.

I'm glad that pretty much everything I've suggested in my e-mail (take the server down, fix the bug, store passwords hashed/salted) has either happened or is going to happen.

My guess is that if they rush it, they can get the web-site back before the end of the day today. If they're thorough it'll probably be at least two working days to inspect all the existing code for vulnerabilities and implement the changes for storing passwords salted/hashed and password reset.

But seriously, storing plain text passwords in 2014 (almost in 2015) is like drawing facing uprange.

Edited by Stan-O
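The "store passwords hashed/salted" fix recommended above, as an added example that is not code from this thread or from USPSA's site: the plaintext scheme that made the leaked table directly usable, beside a per-user-salted PBKDF2 scheme. The e-mail, password and iteration count are constructed for the demo; `table` stands in for the database row store.

```python
import hashlib
import hmac
import os

# --- weak scheme: the password column holds the secret itself ----------------
def store_plaintext(table, email, password):
    # Anyone who reads the table (injection, stolen backup) gets the password.
    table[email] = password

def check_plaintext(table, email, password):
    return table.get(email) == password

# --- hardened scheme: per-user random salt + slow, salted hash ---------------
ITERATIONS = 200_000  # constructed value; tune to your own hardware budget

def store_hashed(table, email, password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Everything needed to verify is stored; none of it reverses to the password.
    table[email] = {"salt": salt, "iterations": ITERATIONS, "hash": digest}

def check_hashed(table, email, password):
    rec = table.get(email)
    if rec is None:
        # Unknown e-mail: do the same work so timing does not reveal which exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])

def leaked_value(table, email):
    """What someone who dumps the table sees in the password column."""
    rec = table[email]
    return rec if isinstance(rec, str) else rec["hash"].hex()

def demo():
    weak, strong = {}, {}
    store_plaintext(weak, "alice@example.com", "correct horse")
    store_hashed(strong, "alice@example.com", "correct horse")
    return {
        "plaintext_dump": leaked_value(weak, "alice@example.com"),
        "hashed_dump": leaked_value(strong, "alice@example.com"),
        "login_ok": check_hashed(strong, "alice@example.com", "correct horse"),
        "login_bad": check_hashed(strong, "alice@example.com", "Correct horse"),
    }
```

With the hashed scheme a dump of the table no longer yields reusable credentials, and because each user gets a fresh salt, two members with the same password do not share a hash either.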


But seriously, storing plain text passwords in 2014 (almost in 2015) is like drawing facing uprange.

Much like drawing facing uprange, this hurts the people it's affecting much more than the person who did it.


FFS, storing passwords in clear 20 years ago was a bad idea, nevermind today.


FFS, storing passwords in clear 20 years ago was a bad idea, nevermind today.

agree 100% - 20 years ago we weren't allowed to do that

another good reason why you should never have the same password on multiple sites - and use different usernames if possible

Edited by D.Hayden


Writing code that allows SQL injection is a capital offence where I work. You just pack your stuff up and go home.


Stan

I received the email from USPSA. I was more curious how you were made aware of the issue before anyone else, and it seems like you have extensive knowledge on how to deal with this type of thing. Definitely don't post the link, that wasn't at all what I was asking.

Sent from my iPhone using Tapatalk


Stan

I received the email from USPSA. I was more curious how you were made aware of the issue before anyone else, and it seems like you have extensive knowledge on how to deal with this type of thing. Definitely don't post the link, that wasn't at all what I was asking.

Sent from my iPhone using Tapatalk

Oh, I ran a few IT startups, you pick stuff up real quick if you rely on your web-sites for living. ;)

I use a specialty service to alert me if my credentials have been compromised. Once I received the notification and verified it was real, I forwarded the link to the dump to all the contacts at USPSA I had -- Val & Rick.

My biggest concern now is that the hacker's note mentions some of those leaked credentials are proven to work on e-commerce/finance sites. I think USPSA should do a mass-mailing to everyone and advise them to remember if those e-mail/password combinations were used on other sites and change the passwords there immediately.


Writing code that allows SQL injection is a capital offence where I work. You just pack your stuff up and go home.

This. Sanitize your inputs. Lucky someone didn't drop the classifier table.
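The "sanitize your inputs" point, as an added example that is not code from this thread or from USPSA's site: a member lookup that splices the e-mail into the SQL text, beside the parameterised form, run against a constructed in-memory SQLite table. The schema, rows and hostile input are all constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed members table; the hash column is a placeholder string.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (email TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)",
                    [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")])
    return con

def find_member_vulnerable(con, email):
    # User input becomes part of the SQL text, so a quote character in `email`
    # ends the string literal and the rest of the input is parsed as SQL.
    sql = "SELECT email FROM members WHERE email = '" + email + "'"
    return [row[0] for row in con.execute(sql)]

def find_member_safe(con, email):
    # Parameterised: the driver passes the value separately from the SQL text,
    # so whatever the input contains it can only ever be compared to the column.
    sql = "SELECT email FROM members WHERE email = ?"
    return [row[0] for row in con.execute(sql, (email,))]

def demo():
    con = make_db()
    hostile = "x' OR '1'='1"  # constructed: makes the WHERE clause always true
    return {
        "vulnerable": find_member_vulnerable(con, hostile),
        "safe": find_member_safe(con, hostile),
        "normal": find_member_safe(con, "bob@example.com"),
    }
```

The vulnerable query returns every member for the hostile input; the parameterised one returns nothing, because the whole string is treated as an e-mail address that matches no row.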


My biggest concern now is that the hacker's note mentions some of those leaked credentials are proven to work on e-commerce/finance sites. I think USPSA should do a mass-mailing to everyone and advise them to remember if those e-mail/password combinations were used on other sites and change the passwords there immediately.

And the very next step should be hiring/paying someone competent to run their website and IT stuff. I would be laughed out of my job if I ever even suggested or thought of storing passwords in the clear.

Also, at this point I wonder about my credit card I use to pay for classifiers and the like. How much confidence do I now have that they also don't store that somewhere in dubious fashions?


My biggest concern now is that the hacker's note mentions some of those leaked credentials are proven to work on e-commerce/finance sites. I think USPSA should do a mass-mailing to everyone and advise them to remember if those e-mail/password combinations were used on other sites and change the passwords there immediately.

And the very next step should be hiring/paying someone competent to run their website and IT stuff. I would be laughed out of my job if I ever even suggested or thought of storing passwords in the clear.

Also, at this point I wonder about my credit card I use to pay for classifiers and the like. How much confidence do I now have that they also don't store that somewhere in dubious fashions?

I asked Val if there are going to be repercussions for the individual/company which designed the buggy code and the system which stored plain text passwords, but didn't have this question addressed.

For the credit card info they said to be using a "separate vendor" which was not affected by this attack.


Writing code that allows SQL injection is a capital offence where I work. You just pack your stuff up and go home.

This. Sanitize your inputs. Lucky someone didn't drop the classifier table.

Crap, I could have made GM overnight! ;)


What could someone get from USPSA?

Passwords?

Member List?

Gun Owners?

Private addresses of Law Enforcement or Officials?

Items sold or purchased via Classifieds?

Where everyone shoots every week?

The database was compromised over a year ago when the Executive Director allowed third parties to access the info without a privacy agreement.

Sad to say it.... I told them they had vulnerabilities in the Dec 2013 BOD meeting. When I suggested they notify the members that data had been compromised, Phil just blew it off as not such a big deal. They said "I doubt anything will come of it and I can't see it hurting anyone". So nothing was done.

I raised the issue several times in email and phone meetings but nobody would take me seriously. Hence, one more reason to resign.


From what I understand, they use Stripe as the merchant service. They are a third party and yes, secure.
