FGHTYRDMNS

2+2 Forums Hacked


So 2+2 loses everyone's emails and passwords, and doesn't even include an apology in their posts explaining what happened? Typical arrogant, greedy Mason/Sklansky.

On behalf of Mason Malmuth, Shit Happens, grow a pair, oh yeah we certainly are sorry that your username and password may have been datamined.

Link to post
On behalf of Mason Malmuth, Shit Happens, grow a pair, oh yeah we certainly are sorry that your username and password may have been datamined.

You're making no sense. I have a pair. And if Mason did too, he'd man up and admit to his mistake and apologize for it. He's still trying to act like they did no wrong, blaming everything else but refusing to take any himself. He's the one that needs to "grow a pair". And you btw, for getting so defensive even though it wasn't about you ;).

just like to say, maybe karma is real, 2+2 should know

+1

On behalf of Mason Malmuth, Shit Happens, grow a pair, oh yeah we certainly are sorry that your username and password may have been datamined.

Oh and as for the retarded "shit happens" comment...ummm....not a site losing everyone's emails/passwords in plaintext, no that does not just "happen". When was the last time Google lost everyone's emails and passwords? Yahoo? Microsoft? Dropbox? Amazon? You get my point. 2+2 fucked up. Simple as that. They can say stuff like "oh we were using the latest patch for our forum software so it's not our fault, etc. etc." but the bottom line is that they fucked up. And they won't even "grow a pair" and admit it and apologize for it. They deserve all this bad karma.

Link to post

Fortunately I have talked to one guy who I have $500 invested in the marketplace that weekend it went down...still waiting for it to come back up to talk to the other 3 guys I had some c-notes on that weekend...talk about bad timing on my part! Hoodskier, Giffordonian, Bolivier PM me please on updates on your packages/cashes etc.

Link to post
You're making no sense. I have a pair. And if Mason did too, he'd man up and admit to his mistake and apologize for it. He's still trying to act like they did no wrong, blaming everything else but refusing to take any himself. He's the one that needs to "grow a pair". And you btw, for getting so defensive even though it wasn't about you ;).

Unless I'm misunderstanding tr8cer's post, I think your sarcasm detector could use some new batteries. And I'm not sure who Mason is blaming.

Oh and as for the retarded "shit happens" comment...ummm....not a site losing everyone's emails/passwords in plaintext, no that does not just "happen".

Nor did this happen here. Not defending 2+2, just correcting an error.

Link to post

Oh and as for the retarded "shit happens" comment...ummm....not a site losing everyone's emails/passwords in plaintext, no that does not just "happen". When was the last time Google lost everyone's emails and passwords? Yahoo? Microsoft? Dropbox? Amazon? You get my point. 2+2 fucked up. Simple as that. They can say stuff like "oh we were using the latest patch for our forum software so it's not our fault, etc. etc." but the bottom line is that they fucked up. And they won't even "grow a pair" and admit it and apologize for it. They deserve all this bad karma.

How can you compare 2+2 to Google, Yahoo, and Microsoft? Seriously? 2+2 runs a forum client that was hacked. They didn't lose emails and passwords. The hacker gained access to the email address associated with the account and password associated with the 2+2 account. Once they found out they shut the site down and posted security tips. Hacking happens, why are you whining?

Link to post
Fortunately I have talked to one guy who I have $500 invested in the marketplace that weekend it went down...still waiting for it to come back up to talk to the other 3 guys I had some c-notes on that weekend...talk about bad timing on my part! Hoodskier, Giffordonian, Bolivier PM me please on updates on your packages/cashes etc.

I got the word out to giff that you're looking to speak to him.

Link to post
Unless I'm misunderstanding tr8cer's post, I think your sarcasm detector could use some new batteries. And I'm not sure who Mason is blaming.

Nor did this happen here. Not defending 2+2, just correcting an error.

So what did happen? If the breach happened because of weak security then 2+2 needs to admit it (they will not be the first site that this happened to because of weak security). If this was the case come clean, be honest, I would accept this and go back to the site when re-opened. By not saying what happened and not giving a general answer as how the problem was fixed ie There was a rewrite in code to make passwords/info harder to get, this shows that 2+2 can't be trusted and I am not sure if I will go back.

Since it is taking this long I am guessing a complete rewrite of the code was needed to fix the problem which would indicate that the security on the site was weak.

Link to post
So what did happen? If the breach happened because of weak security then 2+2 needs to admit it (they will not be the first site that this happened to because of weak security). If this was the case come clean, be honest, I would accept this and go back to the site when re-opened. By not saying what happened and not giving a general answer as how the problem was fixed ie There was a rewrite in code to make passwords/info harder to get, this shows that 2+2 can't be trusted and I am not sure if I will go back.

Since it is taking this long I am guessing a complete rewrite of the code was needed to fix the problem which would indicate that the security on the site was weak.

Sony, Steam, even the US Govt have all been hacked recently. No system is unhackable. And as we've learned, no online forum software should be considered a safe haven from attackers.

Wait until the site is back online before bemoaning lack of information regarding updates and security. They haven't told us what was fixed because they haven't fixed it yet.

Link to post
So what did happen? If the breach happened because of weak security then 2+2 needs to admit it (they will not be the first site that this happened to because of weak security). If this was the case come clean, be honest, I would accept this and go back to the site when re-opened. By not saying what happened and not giving a general answer as how the problem was fixed ie There was a rewrite in code to make passwords/info harder to get, this shows that 2+2 can't be trusted and I am not sure if I will go back.

Since it is taking this long I am guessing a complete rewrite of the code was needed to fix the problem which would indicate that the security on the site was weak.

I do not mind them waiting to discuss the specifics once they have the upgraded security measures in place. Hacking happens, I would have liked to have seen a temporary alt forum opened. An open forum just for discussion, no marketplace. Once the new upgraded forum is in place the new forum would be locked.

Link to post
Sony, Steam, even the US Govt have all been hacked recently. No system is unhackable. And as we've learned, no online forum software should be considered a safe haven from attackers.

Wait until the site is back online before bemoaning lack of information regarding updates and security. They haven't told us what was fixed because they haven't fixed it yet.

Fair enough.

Link to post
Fortunately I have talked to one guy who I have $500 invested in the marketplace that weekend it went down...still waiting for it to come back up to talk to the other 3 guys I had some c-notes on that weekend...talk about bad timing on my part! Hoodskier, Giffordonian, Bolivier PM me please on updates on your packages/cashes etc.

Hoodskier cashed in party poker if you're talking about scoop package with that in it. I will let him know u want to talk to him.

Link to post
Fortunately I have talked to one guy who I have $500 invested in the marketplace that weekend it went down...still waiting for it to come back up to talk to the other 3 guys I had some c-notes on that weekend...talk about bad timing on my part! Hoodskier, Giffordonian, Bolivier PM me please on updates on your packages/cashes etc.

PM'ed

Link to post
So what did happen? If the breach happened because of weak security then 2+2 needs to admit it (they will not be the first site that this happened to because of weak security). If this was the case come clean, be honest, I would accept this and go back to the site when re-opened. By not saying what happened and not giving a general answer as how the problem was fixed ie There was a rewrite in code to make passwords/info harder to get, this shows that 2+2 can't be trusted and I am not sure if I will go back.

Since it is taking this long I am guessing a complete rewrite of the code was needed to fix the problem which would indicate that the security on the site was weak.

There's not a whole lot that I can say right now. For one thing, my role with 2+2 doesn't involve working with the forum software. And of course, 2+2 isn't going to be saying much about what happened until after everything is fixed. I can't even guarantee they'll say much about the breach then, but that will be up to them.

But I think there are a couple things that are fairly safe for me to say. What I was correcting in that other post was that the passwords were stored as plaintext - they were not.

2+2 uses Vbulletin software (very widely used AFAIK), and what I've read elsewhere is that the default hashing algorithm isn't considered by many to be the most secure, so once a hacker was able to get the logins and passwords, they would be able to determine some of the passwords if 2+2 was using the default algorithm. How the hacker got to the database in the first place, I couldn't say, but obviously this is something they would be fixing. I'm not saying this is what happened, but it's certainly not unheard of for widely-used forum software to have security flaws uncovered, as has been the case in the past for other major software we all use.

You need to keep in mind that forum software isn't generally designed to be as "hacker proof" as websites that are storing sensitive personal information, financial transactions, etc. I'm talking about government websites, banks, etc. The vast majority of 2+2ers aren't all that concerned about their account security, just as I'm not all that concerned about the security of an account that I set up on some site to get the occasional question answered about digital cameras, or places to stay, or what have you. What I mean is that if their account were to be compromised, there would be no significant repercussions - of course sites try to prevent it, but they won't be employing measures as expensive as a bank would, for example.

But of course when people start conducting transactions on forums, their accounts start to become more valuable, and it gives a reason for hackers to target the forums. No forum will ever be able to completely prevent this. The most recent issue we had was people finding dormant accounts and trying some basic passwords ("password", "123456", etc.) with them. I wouldn't call them hackers; more like con men, as the work would come after they got hold of some 4 year old account and they had to convince someone to trade with them. There are steps that can be taken to make this more difficult, but there's always a new scam waiting in the wings.

What 2+2 has done now is hired a major security firm to improve security, in a major way AFAIK. Obviously this is costing 2+2 a great deal of money - not just for the security fix, but also for the downtime. Every day costs money, and who's to say how much traffic will be affected once the forums are back up, especially in the short term. The decision was made very quickly after the hack was discovered that the forums should be brought down and the problem(s) fixed properly. 2+2 could have thrown up their hands and said that they aren't storing sensitive information, and the stock Vbulletin solution would have to do, but I think they've made the responsible and correct response instead.

As for making statements about what happened, apologies, etc., it's more than a little premature to lambaste 2+2 for the lack of communication IMO. While I can't promise you they will tell you everything you want to hear the moment the forums are back up, I think it's pretty predictable that they'd have very little to say right now.

Sony, Steam, even the US Govt have all been hacked recently. No system is unhackable. And as we've learned, no online forum software should be considered a safe haven from attackers.

Wait until the site is back online before bemoaning lack of information regarding updates and security. They haven't told us what was fixed because they haven't fixed it yet.

Well said.

Link to post
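
Added example, not part of any post in this thread and not 2+2's or vBulletin's code: one way a site can stop relying on a fast legacy hash like the one discussed above without waiting for every user, dormant accounts included, to log in. It assumes the commonly documented vBulletin 3.x scheme, md5(md5(password) + salt), which the thread does not spell out; the record layout, function names and PBKDF2 work factor are illustrative.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative PBKDF2 work factor, tune to your hardware


def legacy_hash(password, salt):
    # Assumption, not stated in the thread: the commonly documented
    # vBulletin 3.x scheme, md5(md5(password) + salt), hex-encoded.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def _pbkdf2(data, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations)


def wrap_legacy(row):
    """Bulk step: wrap a stored legacy hash in PBKDF2. No password is needed,
    so dormant accounts are covered the day the migration runs."""
    wrap_salt = os.urandom(16)
    return {
        "user": row["user"],
        "scheme": "pbkdf2(legacy)",
        "legacy_salt": row["salt"],  # still needed to recompute the inner hash
        "salt": wrap_salt,
        "iterations": ITERATIONS,
        "hash": _pbkdf2(row["hash"].encode(), wrap_salt),
    }


def verify(password, rec):
    """Check a password against a record in any of the three schemes."""
    if rec["scheme"] == "legacy":
        candidate = legacy_hash(password, rec["salt"]).encode()
        return hmac.compare_digest(candidate, rec["hash"].encode())
    if rec["scheme"] == "pbkdf2(legacy)":
        inner = legacy_hash(password, rec["legacy_salt"]).encode()
    elif rec["scheme"] == "pbkdf2":
        inner = password.encode()
    else:
        return False
    derived = _pbkdf2(inner, rec["salt"], rec["iterations"])
    return hmac.compare_digest(derived, rec["hash"])


def login(password, rec):
    """Return (ok, record). On success, a record that still involves MD5
    is replaced by plain PBKDF2 over the password itself."""
    if not verify(password, rec):
        return False, rec
    if rec["scheme"] != "pbkdf2":
        salt = os.urandom(16)
        rec = {"user": rec["user"], "scheme": "pbkdf2", "salt": salt,
               "iterations": ITERATIONS,
               "hash": _pbkdf2(password.encode(), salt)}
    return True, rec


# Constructed sample row in the shape of a legacy user table (not real data).
SAMPLE = {"user": "alice", "scheme": "legacy", "salt": "x9Q",
          "hash": legacy_hash("correct horse battery", "x9Q")}

if __name__ == "__main__":
    wrapped = wrap_legacy(SAMPLE)
    ok, upgraded = login("correct horse battery", wrapped)
    print(wrapped["scheme"], "->", upgraded["scheme"], ok)
```

After the bulk step the database no longer holds any bare MD5 value, so a copied user table costs an attacker the full PBKDF2 work factor per guess per account.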

maybe if the guys behind 2+2 weren't so busy hiring expensive lawyers to file all their lawsuits against anyone who looked at them the wrong way, they'd have paid more attention and allocated more funds to security....

and your analogies are just completely absurd Bobo....comparing 2+2 to a discussion forum for a digital camera ???

....2+2 has never been some simple self organized niche type discussion forum run by the community itself....its always been a business, cleverly disguised as a neutral community-run message board.

while many 2+2 members may not realize this, there is NO excuse for the people behind the scenes.....who certainly know whos paying their bills and lining their pockets!

and to basically show no concern for this part of the BUSINESS until something happens, its just a joke.

karma is awesome sometimes

oh and welcome to P5s, where they value integrity, respect and moderators who have actually finished puberty

Link to post
and your analogies are just completely absurd Bobo....comparing 2+2 to a discussion forum for a digital camera ???

That could be a ridiculous analogy, if I made it. What I was doing was trying to demonstrate why forum software in general isn't going to have security as high as that for banks and governments. And then I went on to point out the difference between poker forums and other forums.

....2+2 has never been some simple self organized niche type discussion forum run by the community itself....its always been a business, cleverly disguised as a neutral community-run message board.

while many 2+2 members may not realize this, there is NO excuse for the people behind the scenes.....who certainly know whos paying their bills and lining their pockets!

Wait, what? Disguised??

and to basically show no concern for this part of the BUSINESS until something happens, its just a joke.

No concern would be absolutely incorrect. Whether there was enough concern I'll leave for others to judge, but it seems more sensible to do so after everything is fixed and we find out more about what happened.

oh and welcome to P5s, where they value integrity, respect and moderators who have actually finished puberty

Thanks!

Link to post
There's not a whole lot that I can say right now. For one thing, my role with 2+2 doesn't involve working with the forum software. And of course, 2+2 isn't going to be saying much about what happened until after everything is fixed. I can't even guarantee they'll say much about the breach then, but that will be up to them.

But I think there are a couple things that are fairly safe for me to say. What I was correcting in that other post was that the passwords were stored as plaintext - they were not.

2+2 uses Vbulletin software (very widely used AFAIK), and what I've read elsewhere is that the default hashing algorithm isn't considered by many to be the most secure, so once a hacker was able to get the logins and passwords, they would be able to determine some of the passwords if 2+2 was using the default algorithm. How the hacker got to the database in the first place, I couldn't say, but obviously this is something they would be fixing. I'm not saying this is what happened, but it's certainly not unheard of for widely-used forum software to have security flaws uncovered, as has been the case in the past for other major software we all use.

You need to keep in mind that forum software isn't generally designed to be as "hacker proof" as websites that are storing sensitive personal information, financial transactions, etc. I'm talking about government websites, banks, etc. The vast majority of 2+2ers aren't all that concerned about their account security, just as I'm not all that concerned about the security of an account that I set up on some site to get the occasional question answered about digital cameras, or places to stay, or what have you. What I mean is that if their account were to be compromised, there would be no significant repercussions - of course sites try to prevent it, but they won't be employing measures as expensive as a bank would, for example.

But of course when people start conducting transactions on forums, their accounts start to become more valuable, and it gives a reason for hackers to target the forums. No forum will ever be able to completely prevent this. The most recent issue we had was people finding dormant accounts and trying some basic passwords ("password", "123456", etc.) with them. I wouldn't call them hackers; more like con men, as the work would come after they got hold of some 4 year old account and they had to convince someone to trade with them. There are steps that can be taken to make this more difficult, but there's always a new scam waiting in the wings.

What 2+2 has done now is hired a major security firm to improve security, in a major way AFAIK. Obviously this is costing 2+2 a great deal of money - not just for the security fix, but also for the downtime. Every day costs money, and who's to say how much traffic will be affected once the forums are back up, especially in the short term. The decision was made very quickly after the hack was discovered that the forums should be brought down and the problem(s) fixed properly. 2+2 could have thrown up their hands and said that they aren't storing sensitive information, and the stock Vbulletin solution would have to do, but I think they've made the responsible and correct response instead.

As for making statements about what happened, apologies, etc., it's more than a little premature to lambaste 2+2 for the lack of communication IMO. While I can't promise you they will tell you everything you want to hear the moment the forums are back up, I think it's pretty predictable that they'd have very little to say right now.

Well said.

/thread imo

Link to post

lol...

so you and I both know that forum software is completely inadequate for any legitimate business dealings(small or large)....yet you want me to believe the nerds who run 2+2 like post WW1 Germany, didnt know about these risks?

it says everything about their priorities.

Link to post
So what did happen? If the breach happened because of weak security then 2+2 needs to admit it (they will not be the first site that this happened to because of weak security). If this was the case come clean, be honest, I would accept this and go back to the site when re-opened. By not saying what happened and not giving a general answer as how the problem was fixed ie There was a rewrite in code to make passwords/info harder to get, this shows that 2+2 can't be trusted and I am not sure if I will go back.

Since it is taking this long I am guessing a complete rewrite of the code was needed to fix the problem which would indicate that the security on the site was weak.

ud better delete the p5's account u used to post this ignorant comment because it is just as likely for that account to get hacked as ur 2+2 acct

Link to post
ud better delete the p5's account u used to post this ignorant comment because it is just as likely for that account to get hacked as ur 2+2 acct

Why is it just as likely? Has p5 been hacked before? According to this article the author says in the comments section that this is the second attack on 2p2 that he can remember, and the other one was pretty recent http://www.nsdpoker.com/2012/04/two-plus-two-hacked/

Also, what version of vBulletin was 2+2 running? The current version is 4.0, in the comments from the above link someone said it was 3.8.7 which was cracked in Jan. vBulletin also provides support plus there are websites that list exploits and how to fix them:

http://www.vbulletinguru.com/?s=vbulletin+4+exploits

How proactive was 2+2 on security?

Link to post
Fortunately I have talked to one guy who I have $500 invested in the marketplace that weekend it went down...still waiting for it to come back up to talk to the other 3 guys I had some c-notes on that weekend...talk about bad timing on my part! Hoodskier, Giffordonian, Bolivier PM me please on updates on your packages/cashes etc.

PM sent

Link to post
Why is it just as likely? Has p5 been hacked before? According to this article the author says in the comments section that this is the second attack on 2p2 that he can remember, and the other one was pretty recent http://www.nsdpoker.com/2012/04/two-plus-two-hacked/

Also, what version of vBulletin was 2+2 running? The current version is 4.0, in the comments from the above link someone said it was 3.8.7 which was cracked in Jan. vBulletin also provides support plus there are websites that list exploits and how to fix them:

http://www.vbulletinguru.com/?s=vbulletin+4+exploits

How proactive was 2+2 on security?

The previous incident that Noah was referring to wasn't the same thing, the site wasn't compromised or hacked, there was a guy that guessed passwords on old/dormant accounts. This was the reason for the recent 2+2 email to members about password security.

You're correct that the forums are running VBulletin 3.8.7 - an announcement of an upgrade/migration to v4 was made but was then rescinded, on the advice of VBulletin as far as I know.

Time will tell whether 2+2 was active enough about security, but in my opinion security & site integrity were things that 2+2 was generally proactive about.

Link to post
lol...

so you and I both know that forum software is completely inadequate for any legitimate business dealings(small or large)....yet you want me to believe the nerds who run 2+2 like post WW1 Germany, didnt know about these risks?

it says everything about their priorities.

I'm honestly not sure what you're trying to say here. Business dealings that take place in a forum are just using the forum as a means of communication. Is your issue with people doing business that way, or something else?

Why is it just as likely? Has p5 been hacked before? According to this article the author says in the comments section that this is the second attack on 2p2 that he can remember, and the other one was pretty recent http://www.nsdpoker.com/2012/04/two-plus-two-hacked/

I don't know why you're bringing up this "first attack" with a link as if it's new information - I mentioned it in my last reply to you. Dormant accounts with extremely weak passwords were being compromised and used by scammers. It has nothing in common with the site being hacked.

Also, what version of vBulletin was 2+2 running? The current version is 4.0, in the comments from the above link someone said it was 3.8.7 which was cracked in Jan. vBulletin also provides support plus there are websites that list exploits and how to fix them:

http://www.vbulletinguru.com/?s=vbulletin+4+exploits

How proactive was 2+2 on security?

Kind of funny that you posted a link to a page full of security patches that V4 has required, which would seem to be evidence that upgrading to V4 isn't going to suddenly make forums immune to attack.

3.86 is the most current version of V3. Although I don't have first-hand knowledge of this, AFAIK 2+2 had the latest security patches installed. As ASB mentioned, an upgrade to V4 was being considered, but it was determined that V4 isn't quite ready for a forum the size of 2+2 yet.

Link to post
I'm honestly not sure what you're trying to say here. Business dealings that take place in a forum are just using the forum as a means of communication. Is your issue with people doing business that way, or something else?

I don't know why you're bringing up this "first attack" with a link as if it's new information - I mentioned it in my last reply to you. Dormant accounts with extremely weak passwords were being compromised and used by scammers. It has nothing in common with the site being hacked.

Kind of funny that you posted a link to a page full of security patches that V4 has required, which would seem to be evidence that upgrading to V4 isn't going to suddenly make forums immune to attack.

3.86 is the most current version of V3. Although I don't have first-hand knowledge of this, AFAIK 2+2 had the latest security patches installed. As ASB mentioned, an upgrade to V4 was being considered, but it was determined that V4 isn't quite ready for a forum the size of 2+2 yet.

So patching new software is bad? In general the older the software the greater chance

Link to post
So patching new software is bad?

This is a straw man and you know it.

Looks like V4 has been available for awhile, (google is your friend)

V4 is also the version that is for sale on their site not sure how it can't be ready for 2+2

It has already been stated that V4 is not yet ready to support large forums. You don't even need google for that; it's stated in this thread.

Bobo, you should probably stop feeding the trolls. Can't have legitimate debate with someone who wants to use fallacies just to troll.

Link to post

I am not particularly bothered that 2+2 was hacked. I don't use a password there that is used on something financial.

I have to agree with some of the posts here though. They refer to how much of a business 2+2 is. It shows how it earns from online poker, and is therefore completely beholden to online poker.

Obviously this site is run from online poker money too, and although I don't trust any forum that makes its money from online, I have doubted the 2+2 integrity for a number of years, and only visit or post there on the rare occasion.

That may be because of the way some of the moderators act. I agree about the moderators here compared to 2+2. I prefer them, and although I rarely post, I visit this forum nowadays more than others.

Link to post
