Brian Enos's Forums... Maku mozo!

USPSA passwords database has been hacked



Full email addresses and passwords leaked to the internet here: http://pastebin.com/C9e82Lm7

Someone already tried to use this to log into my DropBox today but that has a different password.

This is serious. Change your passwords now for any sites that might share the same login information.

USPSA must send notification to all affected immediately!

Also, when you rebuild this, USPSA, please salt and hash our passwords!!!!!!!!!!!!!!!!

It's disgraceful that these were stored in plain text.



I'd remove the link to the dump; I fear many people will not learn about this leak, and minimizing exposure to the list would be ideal.

Also I would hope that USPSA would send an email to its user base SOONER than later.

Stan thank you for posting this.


No, finding that was as easy as searching for my email, "almacole@gmail.com" in google with quotes. It was the first hit.

The information is out there and in the hands of bad guys right now! Keeping the link from others does no good, especially since it's so easy to find.


Like I said, attempts have already been made to access my accounts. This is urgent and action must be taken now.

Hiding the link from this group does no real good unless someone requests a takedown from pastebin.


Full email addresses and passwords leaked to the internet here: http://pastebin.com/C9e82Lm7

Someone already tried to use this to log into my DropBox today but that has a different password.

This is serious. Change your passwords now for any sites that might share the same login information.

USPSA must send notification to all affected immediately!

Also, when you rebuild this, USPSA, please salt and hash our passwords!!!!!!!!!!!!!!!!

It's disgraceful that these were stored in plain text.

Yes, mine is in there. Fortunately I don't re-use passwords.

Disgraceful is an understatement. I'm wavering somewhere between negligent and grossly negligent.

Why have I not received notification from USPSA?

Maybe we just need to use the email list to send a mass warning notification to USPSA members email addresses informing them of the breach and the potential risk to any other accounts tied to that address/password combo. Anyone have easy access to a bulk e-mailer?

Edited by Beastly

What database is that? Doesn't seem to be the member database as I can't find my address there.

It looks like the USPSA website database so whatever you use to sign in there.

Guess I'm reaping the rewards for never signing in then... :)


I wonder if it only affects people that changed their passwords on the site? When I log on, I use my member number and a code that came on my first issue of Front Sight magazine.... Never changed it either.


I found my email address and password, but the thing is I don't use that email address as my login id. I think what they did is found the id and password and then looked up the email address associated with that id (such as USPSA number) and that is what is in that password dump. I don't use that password for any other site so I should be ok.

I suspect that the reason that we have not received an email from USPSA about this is that they can't pull in the email addresses because they have shut down the server that housed all the e-mail addresses. There should be something posted to the Facebook page and Twitter account though...


If you read the dump file, you'll see that USPSA was apparently vulnerable to more than just a standard SQL injection attack. It claims they also used cross-site scripting and blind SQL injection.

I mention this as a potential source of concern as the USPSA blurb (now posted in the OP) mentions only SQL injection, raising the possibility they are unaware of other attack vectors.


From USPSA:

We have become aware of a security breach that happened on USPSA.org within the last 24 hours. The USPSA website login database was compromised and at least a partial list of usernames and passwords was exposed. USPSA staff has taken steps to address the vulnerability, and we have changed the system to ensure this type of attack will not be effective in the future. Members are strongly encouraged to change their passwords on USPSA.ORG and any other website for which they used the same email and password.

It is important to note that the breach did not involve the credit card processing system or any financial data. All credit card processing is done using a separate industry standard secure vendor — no credit card information is stored on the USPSA server.

We will keep the membership updated as more information is available.


I would suggest blocking that link to lessen the spread... the bad part is (I think) that when the website gets live again, people who were not informed will get the short end of the stick.

Say someone manipulated an ad you have on uspsa.org... lo and behold someone liked your item, the hacker might change all the info to receive the payment... He may not receive the firearm because of the FFL, but he may get the check and/or the non-FFL items....


I suspect that the reason that we have not received an email from USPSA about this is that they can't pull in the email addresses because they have shut down the server that housed all the e-mail addresses. There should be something posted to the Facebook page and Twitter account though...

They could get the email addresses from the database dump on pastebin...


I would suggest blocking that link to lessen the spread... the bad part is (I think) that when the website gets live again, people who were not informed will get the short end of the stick.

Say someone manipulated an ad you have on uspsa.org... lo and behold someone liked your item, the hacker might change all the info to receive the payment... He may not receive the firearm because of the FFL, but he may get the check and/or the non-FFL items....

That information is already gone. It has been compromised and is being actively exploited by hackers. Removing the link from here doesn't keep thousands of script kiddies from accessing it and testing logins across the internet.

In cases like this I think full disclosure works better than selectively releasing information that is out there for anyone to Google. If your information isn't there maybe you will see some of your friends' and can prompt them to make corrections.


I would suggest blocking that link to lessen the spread... the bad part is (I think) that when the website gets live again, people who were not informed will get the short end of the stick.

Say someone manipulated an ad you have on uspsa.org... lo and behold someone liked your item, the hacker might change all the info to receive the payment... He may not receive the firearm because of the FFL, but he may get the check and/or the non-FFL items....

That information is already gone. It has been compromised and is being actively exploited by hackers. Removing the link from here doesn't keep thousands of script kiddies from accessing it and testing logins across the internet.

In cases like this I think full disclosure works better than selectively releasing information that is out there for anyone to Google. If your information isn't there maybe you will see some of your friends' and can prompt them to make corrections.

Great point. I just let my coworker and shooting buddy know that he was also on the list. He doesn't frequent these forums, so he had no idea.


No, finding that was as easy as searching for my email, "almacole@gmail.com" in google with quotes. It was the first hit.

The information is out there and in the hands of bad guys right now! Keeping the link from others does no good, especially since it's so easy to find.

Hey Alma,

Computers are not my first language so I have a question. I searched my email just like you said and my name does not appear to be on that list. Does this mean all I really need to do is go in and change my password on uspsa.org when it comes back up?

Thanks a lot in advance


What could someone get from USPSA?

Passwords?

Member List?

Gun Owners?

Private addresses of Law Enforcement or Officials?

Items sold or purchased via Classifieds?

Where everyone shoots every week?

The database was compromised over a year ago when the Executive Director allowed third parties to access the info without a privacy agreement.

Sad to say it.... I told them they had vulnerabilities in the Dec 2013 BOD meeting. When I suggested they notify the members that data had been compromised, Phil just blew it off as not such a big deal. They said "I doubt anything will come of it and I can't see it hurting anyone". So nothing was done.

I raised the issue several times in email and phone meetings but nobody would take me seriously. Hence, one more reason to resign.

California law is clear on this kind of breach - timely notification is mandatory (SB-46). Additionally, if it affects more than 500 Californians (I suspect it does), they are required to notify the CA Attorney General.

Edited by rbgaynor

I suspect that the reason that we have not received an email from USPSA about this is that they can't pull in the email addresses because they have shut down the server that housed all the e-mail addresses. There should be something posted to the Facebook page and Twitter account though...

No that can't be the reason -- they can easily spend 5 minutes or so to pull the e-mails out of the database without risking any further attacks.

I didn't want to increase the exposure of the dump until every USPSA member was made aware of the leak; I don't know what's taking USPSA so long to reach out to the membership. Nothing can be gained by posting the link to the dump here. Even if your e-mail address isn't there, you're still at risk.

Edited by Stan-O

No, finding that was as easy as searching for my email, "almacole@gmail.com" in google with quotes. It was the first hit.

The information is out there and in the hands of bad guys right now! Keeping the link from others does no good, especially since it's so easy to find.

Hey Alma,

Computers are not my first language so I have a question. I searched my email just like you said and my name does not appear to be on that list. Does this mean all I really need to do is go in and change my password on uspsa.org when it comes back up?

Thanks a lot in advance

Sarge, yes, that sounds correct. If you remember the password and username that you use on that site just check to ensure that you don't use that same password and username (or email) elsewhere.

In my case my email is there along with a password that is thankfully not being used on any of my other online accounts. I have no action to take other than verifying that fact and then selecting a new password when the website comes back up. USPSA should force a password change for every member as a result of this hack so I doubt you will even have the option to keep the same one.
