LegendMiner hack explained, what to do if you were compromised/security tips

Status
This thread has been locked.

Tulip

hi
Banned
Feedback score
3
Posts
3,970
Reactions
2,066
Resources
0
I felt like this thread was necessary as so many members have been targeted by this retard.

LegendMiner: If you're reading this, fuck you. And good luck getting into my account. All my passwords are different plus I use authy.

LegendMiner isn't a hacker, he's not a l33t person, he isn't shit. I'll explain how he hacked all the accounts. A few simple precautions could have prevented it.

Some sites have shit security and don't take the necessary precautions to secure their backends. As a result of this, their databases get breached. When you signup for any site (including this one), your information is stored in a database. This typically consists of usernames, passwords, emails, IPs, and sometimes other info. Now, this entire file sometimes gets leaked online from popular sites. Some real big ones. Examples: [Censored], nulled.io, 000webhost, plenty more. Most sites hash your passwords.

Example: Say your password was 'megaman7'. The password may look like this:
f64785abe18a7368c3a114dd2890afda
(This is the MD5 encrypted version)

However, this is extremely weak and can very likely be decrypted to it's original plaintext format. Some better sites will salt their passwords, which makes it harder to crack. Some use login keys, and other info to make it harder to decrypt passwords.

Now onto the point. LegendMiner searched one of your aliases or emails inside these databases, and found the passwords. He was able to decrypt them by cracking. If you used the same password on MCM as on that site, he was able to get into your account.

You can't do that much if you're already compromised. Try contacting support of your email, and getting that secured. For a temp solution, add 2FA (USE THE APP, NOT THE EMAIL CODE), to all important accounts.

Tips:
- Don't download shady .exe files.
- USE DIFFERENT PASSWORDS. Use a password manager, or at least use different passwords on some sites.
- Use 2FA on everything you care about.

/thread

That's about it, good luck recovering to all.
 
Last edited:
Banned forever. Reason: Compromising Accounts
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

Nagi

PM Only - No Skype
Supreme
Feedback score
12
Posts
535
Reactions
679
Resources
0
I thought most sites used Blowfish or something lol...
 

Tulip

hi
Banned
Feedback score
3
Posts
3,970
Reactions
2,066
Resources
0
I thought most sites used Blowfish or something lol...
Believe it or not, plenty of sites are using weak MD5 or SHA1 encryption. 000webhost even stored their's in plaintext.
 
Banned forever. Reason: Compromising Accounts

Ivain

Master Terraformer
Supreme
Feedback score
45
Posts
9,610
Reactions
4,888
Resources
0
Pretty sure I asked this before, what's the reason the email code is unsafe? if it's to do with email server security, no need to explain, my email server security is PLENTY good enough (a server being hosted by an IT expert with security experience is pretty safe)
 

Tulip

hi
Banned
Feedback score
3
Posts
3,970
Reactions
2,066
Resources
0
Pretty sure I asked this before, what's the reason the email code is unsafe? if it's to do with email server security, no need to explain, my email server security is PLENTY good enough (a server being hosted by an IT expert with security experience is pretty safe)
because if your email gets jacked then they can get through your 2FA.
 
Banned forever. Reason: Compromising Accounts

mattrick

Web Designer & Developer
Premium
Feedback score
0
Posts
105
Reactions
62
Resources
0
If you are worried that you may be a part of a leak, you should check out https://haveibeenpwned.com. It has most public leaks on it, just enter your email or common usernames.

Most sites hash/encrypt your passwords.
It should be noted that sites should (and usually) hash, not encrypt their passwords. Encrypted passwords provide little to no security if a hacker manages to get into the server, anyway.

He was able to decrypt them.
He's likely not decrypting them (assuming they are hashed and not encrypted, which most notable leaks are), he's cracking them or using plaintext leaks like Neopets and 000webhost.

Some better sites will salt their passwords, which is like a second hash.
Salts aren't second hashes, salts are used to enhance the security of the current hash. Essentially, if you don't salt a hash, once a hacker is able to crack one password, they are able to find everybody else who uses the same password as well (or they can even use passwords associated with other leaks using unsalted hashes).

because if your email gets jacked then they can get through your 2FA.
You should use your phone for 2FA, not your email. Also if you use Gmail, that usually uses phone based 2FA if you have it enabled.
 

Tulip

hi
Banned
Feedback score
3
Posts
3,970
Reactions
2,066
Resources
0
If you are worried that you may be a part of a leak, you should check out https://haveibeenpwned.com. It has most public leaks on it, just enter your email or common usernames.


It should be noted that sites should (and usually) hash, not encrypt their passwords. Encrypted passwords provide little to no security if a hacker manages to get into the server, anyway.
Sorry, did not know the difference

He's likely not decrypting them (assuming they are hashed and not encrypted, which most notable leaks are), he's cracking them or using plaintext leaks like Neopets and 000webhost.
cracking/decrypting, what I meant

You should use your phone for 2FA, not your email. Also if you use Gmail, that usually uses phone based 2FA if you have it enabled.
What I meant.
 
Banned forever. Reason: Compromising Accounts

Tulip

hi
Banned
Feedback score
3
Posts
3,970
Reactions
2,066
Resources
0
Just wanted to correct you because hashing and encrypting are two very different things.
No problem. If you have anything extra to add to the OP I can do so.
 
Banned forever. Reason: Compromising Accounts

mattrick

Web Designer & Developer
Premium
Feedback score
0
Posts
105
Reactions
62
Resources
0
No problem. If you have anything extra to add to the OP I can do so.
You should use password managers so you don't reuse your passwords. I would recommend LastPass, but if you need mobile support and don't want to pay like $14/yr, KeePass is free and open source.
 
Status
This thread has been locked.
Top