Addic7ed hacked (2018) and password security

[Amdrew]

Hi,

it seems there is a serious security breach in addic7ed.com .

I have gotten emails around the end of September that claimed that addic7ed was hacked. As proof they did send me the email and the corresponding password which I used for addic7ed.

They tried to get me to pay 700 USD to some BitCoin Account. However, I did not react, since I won't do any business with those individuals.

Anyway, I would have hoped to find some evidence about this on addic7ed. 

Also, please do not store our passwords in clear. There is an easy way to hash it and store only that, so that even a hacked plattform does not compromise the security of its users.

Thanks for all the subtitles, but please fix this issue.

 

 

[Amdrew]

Here is the e-mail I received. I used this exact e-mail-Address only for addic7ed. Same with the password. I never use the same password and email againh, hence I am not worried, but "only" mad that our passwords are stored in clear.

Hello!
I'm a member of an international hacker group.

As you could probably have guessed, your account _email-address_ was hacked, I sent message you from it.

Now I have access to you accounts! You still do not believe it? 
So, this is your password: _password_ , right? 

Within a period from July 5, 2018 to September 21, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...

Transfer $700 to our Bitcoin wallet: 1DzM9y4fRgWqpZZCsvf5Rx4HupbE5Q5r4y
I guarantee that after that, we'll erase all your "data"

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security. We hope this case will teach you to keep secrets.
Take care of yourself.

It seems quite some people fell for the scam:

 

[alex28]

Hello, Amdrew

First of all, sorry to hear your password has been leaked. 

I got an email similar to the one you got, but on a different address (not addic7ed related).

This happened at the start of October, if I recall correctly. 

If you want to dig more, just Google the phrase "We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know.." 

 

We did have some hacks a few years ago and we announced them all in the news section and / or Facebook page (like any service that respects its users should do).

We also don't store the passwords in clear. Yes, we did send the passwords in clear in the welcome email (When you signed up), but that was changed (and even so, we didn't save the passwords in plain text, we compose the email before hashing the password and saving it in the database) since it was obviously a bad practice. 

I'm not saying tho there isn't a chance we've been compromised, but I personally didn't find anything suspicious (or nothing came to my attention recently). 

What I suggest doing is putting your mail here and see what happens: https://haveibeenpwned.com/  (for myself, I get: "Pwned on 7 breached sites and found no pastes ").

 

I will keep an eye out on your report and, if the case, I'll come back with an answer. 

Let me / us know if you find anything suspicious. 

 

[Amdrew]

Thanks for the answer.

I have been doing some research and it seems those emails are not necessarily linked to a recent breach.

However, even though you suggested:

"We did have some hacks a few years ago and we announced them all in the news section and / or Facebook page (like any service that respects its users should do)."

I couldn't find any notice of that. Since this information is (obviously) still being used, I think you should do the responsible thing and make that information available (again).

As for my email address, it is specific to addic7ed. As is the password. I registered almost 8 years ago. Hence I know where the breach happened. The chance they reverse engineered a password from a hash is slim at best. Maybe it is the mailer?

Make from this what you wish, but it is pretty clear where this originated from. Maybe years ago, maybe recently.

Cheers and keep up the subtitles!

 

Edit: Did the pwned email check thing you suggested. It is not listed.