Chat about all aspects of snowsports, backcountry, climbing and mountaineering.
Lurker


Posts: 8
Joined: Feb 2013
Last Visited: 21:20
16th Feb 2021
Password Leak
Date Posted: 09.43hrs on Thu 11 Feb 21
(De-lurking after any number of years hiding in a snowhole)

There's been a big pile of leaked passwords and emails from various websites dumped recently and I thought it might be worth checking mine.

It seems that my only appearance in this list is from Winterhighland - hacked 10th Dec 2020.

Did we know about this? I haven't seen an announcement.

I suggest everyone changes their forum passwords and makes sure that they aren't using it anywhere else.

NB, although the list says the passwords were encrypted, it was actually clear text!

(Back to lurking)




Edited 1 times. Last edit at 09.46hrs Thu 11 Feb 21 by Lurker.

Lurker


Posts: 8
Joined: Feb 2013
Last Visited: 21:20
16th Feb 2021
Re: Password Leak
Date Posted: 10.31hrs on Thu 11 Feb 21
Apologies, this looks like a much earlier problem, but the actual data was last publicly leaked as of 10th Dec.

It came from the Cit0Day database which was dumped online some time late last year.

[www.avast.com]



Edited 1 times. Last edit at 10.32hrs Thu 11 Feb 21 by Lurker.

alan


Posts: 10746
Joined: Nov 1994
Last Visited: 21:01
10th Apr 2021
Re: Password Leak
Date Posted: 12.28hrs on Thu 11 Feb 21
We checked numerous emails and test accounts on the forum that exist for this sort of thing when there was a spate of announcements regarding this in December. None showed up related to here, but an old email showed up as linked to snowheads.

There is some evidence this all happened some time ago and was sat on for a long time, which makes it harder to work out what happened and how. However, a password leak is possible without hacking - on the individual scale keylogger spyware on individual computers is also a possibility, and for much more widespread password harvesting there is the fact that http is insecure and passwords can be intercepted. It’s likely a lot of the passwords in that 10th Dec dump were acquired that way some time ago before wider adoption of https. Altogether, these are reasons not to use the same password for everything and certainly not for critical things like online banking!

As this website is not used for transactional purposes, only login to forum and report submissions, and because of the purpose of the site, we’ve put off using https because as security ramps up so do the data transmission overheads vs staying on basic http. The reason was poor mobile data connections at or en route to the snowsports areas, particularly on the two most popular networks. While EE and 3 were better for a while, there’s been a recent marked improvement in O2 and Vodafone, so this is something under ongoing review.

However, the transfer of user credentials over http does mean that good practice is not to use the combination of email, username and password elsewhere. Usernames and passwords can then be matched to email addresses by various means from publicly viewable info.

Without going into any specifics that would be helpful to anyone of ill intent, passwords are neither stored on the web server nor stored anywhere in plain text, but any password system is vulnerable to ‘dictionary attacks’ for simple or common passwords where active usernames are visible to the public - hence probably a factor in why many forums featured heavily in the data dump.

jabuzzard


Posts: 884
Joined: Jan 2010
Last Visited: 19:50
28th Feb 2021
Re: Password Leak
Date Posted: 12.24hrs on Thu 11 Feb 21
I would note that snowheads was indeed hacked back in December. So there is a good chance if you ask me it is related to that.

Note that you don't have to put the whole website under https. Just the login pages and account settings would be sufficient to protect accounts/passwords. For a non-transactional website like this that would IMHO strike the right balance between security and data transmission overheads.



Lurker


Posts: 8
Joined: Feb 2013
Last Visited: 21:20
16th Feb 2021
Re: Password Leak
Date Posted: 12.32hrs on Thu 11 Feb 21
It might have come from a long time ago I suppose, as I've never changed my password (until now).

But it was definitely linked to winterhighland.com on the database. I don't have an account on snowheads.

The password was clear text and I'm not using it anywhere else.

I think it is very unlikely to have been a keylogger as I very rarely log in and don't run Windows.

Sorry...

Lurker


Posts: 8
Joined: Feb 2013
Last Visited: 21:20
16th Feb 2021
Re: Password Leak
Date Posted: 13.32hrs on Thu 11 Feb 21
Here's what I see. Note that it does say that 8511 other accounts have been compromised (which would suggest it was a while ago when fora were popular).

It is possible that my password was subsequently de-encrypted which means that the password store was (at some time in the past) vulnerable to brute force or a dictionary attack (if the dictionary includes geographic features). That would of course mean that either it wasn't salted or the salt has been discovered.

I know that there's likely nothing that can be done now other than rechecking current security but just in case anyone was using their password elsewhere - don't!




Edited 1 times. Last edit at 13.39hrs Thu 11 Feb 21 by Lurker.

Attachments: leak.png (76kB)  
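
Added example (not part of the original thread, and not the forum's own code): the salting point raised in the post above, shown as a per-user salted, slow-hash store beside an unsalted fast hash, plus an audit check that flags accounts sharing an identical stored value. The accounts, passwords, record format and iteration count are constructed assumptions; the salt is stored next to the hash and is not a secret, its job is to force separate guessing work for every account.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def store_unsalted(password):
    """Weak scheme, for comparison only: one fast hash and no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password):
    """Per-user random salt plus a slow KDF; the salt sits beside the hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def shared_hash_groups(table):
    """Audit check: groups of users whose stored values are identical.
    Any hit means one successful guess would expose several accounts."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts: two users picked the same place-name password.
SAMPLE = {"user_a": "cairngorm", "user_b": "cairngorm", "user_c": "k9$Tq!vz2Lw"}

def build_tables():
    unsalted = {u: store_unsalted(p) for u, p in SAMPLE.items()}
    salted = {u: store_salted(p) for u, p in SAMPLE.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted duplicates:", shared_hash_groups(unsalted))
    print("salted duplicates:  ", shared_hash_groups(salted))
```
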
alan


Posts: 10746
Joined: Nov 1994
Last Visited: 21:01
10th Apr 2021
Re: Password Leak
Date Posted: 15.33hrs on Thu 11 Feb 21
Continuing to look into this.

We first became aware of the cit0day dump from other mountain sports forums and at the time (as now) several email addresses used by admin and test users on the forum did not show up as pwned.

WH did not feature in the first and main part of this dump, but out of over 23k websites in total sadly our .com address is listed in the summary index of the dumped archives in a second batch. These lists generally contain email addresses and decoded password pairs - these are likely obtained by a wide variety of means.

The easiest way into a website is abuse of the front door, and also data sniffing is a possibility over HTTP. There do not appear to be usernames included in most of these lists, but emails could still be matched to passwords obtained without hacking the database server. Forum users had the option to display their email address publicly; we have changed every user's forum setting to hide email (it will display to yourself while logged in).

Arguably the MOST IMPORTANT password safety tip is to never re-use your email password. If someone has your email address and its password, ultimately they can access most other accounts associated with that email address! This is very much why, though it can be a pain, 2-factor authentication is being rolled out for financial sites and transactions.

If you use your email account password here or anywhere other than your email account - CHANGE IT NOW!



alan


Posts: 10746
Joined: Nov 1994
Last Visited: 21:01
10th Apr 2021
Re: Password Leak
Date Posted: 16.44hrs on Thu 11 Feb 21
Would be very grateful if some people reading this who have actively used the forum by posting in threads on the forum since early 2018 and in particular from the start of 2020 could check the email address registered on the forum at [www.avast.com] .

If you get a warning from there, verify it at [haveibeenpwned.com] as there are discrepancies noted elsewhere. These would be useful pointers to when, if not what, happened.

If you do not wish to post in the thread, please PM in the forum or email snow2021 at winterhighland dot info.

RobC


Posts: 209
Joined: Nov 2005
Re: Password Leak
Date Posted: 20.41hrs on Thu 11 Feb 21
My snowheads account has been leaked but no leak from winterhighland for me

Tourer


Posts: 21
Joined: Mar 2016
Last Visited: 22:06
11th Feb 2021
Re: Password Leak
Date Posted: 22.11hrs on Thu 11 Feb 21
There absolutely is a security issue on this site, and whilst it doesn't give out users' email passwords, it does give out their email addresses - even if they want to keep it secret. Click on login, then forgot password. Enter ANY forum username and BINGO - there is their registered username.
It looks like you can also change their password, thus locking them out from the forum...

I tried to let the forum admin know about this months ago - no response.
I tried to post this information on here twice now (I couldn't login so used a 'guest' username) - I can only assume 'admin' didn't allow my post to become visible as it exposed security issues with his forum?
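
Added example (not part of the original thread, and not the forum software's code): a password-reset flow that avoids the two behaviours described in the post above, by returning the same reply for any username without echoing the registered email, and by leaving the existing password untouched until a single-use token sent to the mailbox is redeemed. The user table, function names, reply text and token lifetime are hypothetical.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds; assumed token lifetime
GENERIC_REPLY = ("If that account exists, a reset link has been sent "
                 "to its registered address.")

# Constructed user table: username -> registered email and password record.
USERS = {"skier42": {"email": "skier42@example.org", "password": "old-record"}}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry time)
OUTBOX = []        # stands in for the mail system: (recipient, token)

def request_reset(username, now=None):
    """Same reply whether or not the username exists; never shows the email.
    The stored password is not modified at this stage."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (username, now + TOKEN_TTL)  # store hash only
        OUTBOX.append((user["email"], token))  # only the mailbox owner sees it
    return GENERIC_REPLY

def complete_reset(token, new_password_record, now=None):
    """Change the password only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop makes the token single-use
    if entry is None or entry[1] < now:
        return False
    USERS[entry[0]]["password"] = new_password_record
    return True
```

A production handler would also keep response time similar for known and unknown usernames and rate-limit requests per client.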

Jim61


Posts: 9
Joined: Sep 2014
Last Visited: 14:01
17th Feb 2021
Re: Password Leak
Date Posted: 22.53hrs on Thu 11 Feb 21
My Winterhighland email address has been leaked, said it occurred on 10th Dec 2020.



Edited 1 times. Last edit at 22.54hrs Thu 11 Feb 21 by Jim61.

winterhighland


Posts: 46
Joined: Dec 2004
Last Visited: 23:51
16th Mar 2021
Re: Password Leak
Date Posted: 23.20hrs on Fri 12 Feb 21
We are continuing to investigate this and exploring potential scenarios that may have occurred both to this forum and from other sources of the data.

We are now aware that there are additional valid email and password pairs in the cit0day dump for our forum, but not from further users where this forum appears to be the only source. Thus we can't yet rule out the possibility that these were accounts where the forum was used for verification of passwords found elsewhere through credential stuffing, where users have reused passwords.

If anyone else appears to be in a similar situation to Lurker, that their email and password are included in the cit0day dump and the only linked web address is winterhighland.com, please drop us an email to snow2021 at winterhighland dot info or call 0333 444 1973 - please leave a message if it goes to voicemail, but please don't send your password in communications!

You can check your email at [www.avast.com] .

If you have used your Winterhighland password elsewhere, please change it everywhere you use it now!



Also please don't just use one password for that and never re-use the password you use for your email account! If some bad actor acquires your email password, they can reset many if not all passwords associated with that email address.

Jim61, if you read this could you please get in touch as to whether your email address shows up for any other website. This would be very helpful, thanks for checking and taking the time to post - every bit of info helps.



andrewr


Posts: 237
Joined: Feb 2006
Last Visited: 15:13
30th Mar 2021
Re: Password Leak
Date Posted: 13.00hrs on Sat 13 Feb 21
Hello just to say my email is showing up as leaked from winterhighland.com, with no other sites mentioned. Leaked 10th Dec 2020. Avast says the password was leaked in encrypted form.
[haveibeenpwned.com] confirm it as Cit0day (unverified): In November 2020
I used to have a snowheads account as well, not been used in years, and not sure if it was even the same email address.



Edited 1 times. Last edit at 13.07hrs Sat 13 Feb 21 by andrewr.

jabuzzard


Posts: 884
Joined: Jan 2010
Last Visited: 19:50
28th Feb 2021
Re: Password Leak
Date Posted: 11.52hrs on Sun 14 Feb 21
andrewr Wrote:
I used to have a snowheads account as well, not been used in years, and not sure if it was even the same email address.


Even if you have not used it in years it will likely still be active. If it was on the same email address...

I would note that changing your winterhighland password is somewhat pointless until the breach is identified and patched.

fluff29


Posts: 112
Joined: Dec 2007
Last Visited: 10:30
18th Mar 2021
Re: Password Leak
Date Posted: 12.40hrs on Sun 14 Feb 21
Hi

I used the link above for avast and the only website listed is winterhighland as a leak. It was 10 December also for myself.

Do I change my password now for winterhighland or wait until the breach is sorted, as someone mentioned above?

Ps I checked that 2nd link to Alan and it listed only one website too.

Cheers



Edited 1 times. Last edit at 12.44hrs Sun 14 Feb 21 by fluff29.
