hacker.org

Hello everyone!
I just found a website on the internet where all members of Hacker.org are listed with their nickname and email address. It's freely accessible. No password or anything. So everyone can look at it.
You'll be able to find it if you google your email address.
W1zard

Whoa. Thats..fucking amazing.....
Dude.. Theres like 7301 members.. Who cares?

Hi!
Thanks W1zard.
As there are also md5 hashes of our passwords, perhaps it's a good idea to change them.

Hopefully have all the members not (!) taken the same PW on their mailservers...

Looks like some of the easier passwords have already been cracked. Especially at the top of the list. I wasn't sure what the stuff behind the md5 hash was until I checked it with an md5-generator.
So all passwords have to be changed!
The list seems also to have been noticed by others. I suddenly get a hell lot of spam mails. Up to now my address was relatively "secure" in that way. That's how I noticed the problem in the first place. So I started doing some research.
W1zard

osterlaus wrote:Hopefully have all the members not (!) taken the same PW on their mailservers...

Well, this was no posting of mine - so someone already used my account...

I googled my email address.
Found nothing.
My password is custom encrypted too.

it's on milw0rm since febuary 27

Thanks W1zard!

Luckily my password was strong enough, and it hasn't been cracked
Now it is even more secure.

The passwords have been cracked for 3139 users.
And I got out more passwords (>100) by searching the md5 on google.

my 9 char password was strong enough aswell, yay for non-word-passwords, proof to dictionaries

hacker.org - prove your skill. k, another hacking challenge site not that different from any of the others except the name makes it fun

to fuck with. sooo if you are going to offer hacking challenges why not make sure your shit just a tad secure? sounds logical to me but maybe i'm

just throwed off a bit. tbh this isn't even worth a zine entry but hacker.org getting hacked is pure hilarity.

not nice, but well, the site was not proof enough.

so, to the admins: where was there a SQL injection possible, and more important: is it fixed?

I'm wondering why my account doesn't show up in the list...

I could imagine the injection was made by phpBB as the defacement was visible on the main page and on the forum's main page.

Well a google search shows me nothing for my email address...Is there a link to this alleged page so that we can do some more research on it and possibly catch the perps??

The list on this page appears to be old since many users arent listed on it. It does'nt appear to be relevant to the most recent hijacking. Passwords should still be updated. (for email too if you happen to use the same password)

Is this what the whole down for matinence thing was for?

The newsletter is new. It's possible that the defacement wasn't part of the initial attack, given that this was published a week ago - plenty of chance for readers to put the information to use.

I noticed tails's username changed to Helios last Thursday or something, shortly before the attack, which is pretty pointless if your next step is to totally take the site down.