Due to a bug in the Cloudflare proxy, data from random people accessing pages behind Cloudflare proxies could randomly be accessed by other users/crawlers and cached by search engines. This means that passwords, tokens and basically all the secure info might have been made public if the site was using Cloudflare.

I've briefly checked the list of potentially compromised sites here: https://github.com/pirate/sites-using-cloudflare
and HumbleBundle is on it. It's recommended that if you have an account on HB, you change it or at the least enable 2-factor auth.

It's NOT CERTAIN that HumbleBundle is compromised, as we don't know if it was using the Cloudfront proxy service. The only way to know that is to get a response from the HB people on whether the Cloudfront proxy service was used by them.

Then again, it's probably safest to change the password until it's known for sure. There could be more gaming-related sites compromised, but I haven't had time to go through the whole list yet.

Other notable possibly compromised sites:

  • random.org
  • pastebin.com
  • minecraftforum.net
  • dota2lounge.com
  • discordapp.com
  • 4chan.org
  • bundlestars.com
  • cdkeys.com
  • coinplay.io
  • dailyindiegame.com
  • funstockdigital.co.uk
  • gk4.me
  • greenmangaming.com
  • indiegamestand.com
  • instant-gaming.com
  • mmoga.de
  • opiumpulses.com
  • onlinekeystore.com
  • primagames.com
  • tremorgames.com
  • qwertee.com
  • mozilla.org
  • change.org
  • curse.com
  • destructoid.com
  • patreon.com
  • funnyjunk.com
  • gamefront.com
  • mmo-champion.com/content
  • moddb.com
  • movieweb.com
  • newgrounds.com
  • nexusmods.com/games
7 years ago*


Oh, Discord too, good catch.

7 years ago

Additionally, to emphasize the common sites in the list above that include potential payment methods or active balances:

  • bundlestars.com
  • greenmangaming.com
  • tremorgames.com
  • instant-gaming.com
  • cdkeys.com
  • dailyindiegame.com
  • coinplay.io
  • patreon.com
  • funstockdigital

7 years ago

I changed it yesterday, wow

7 years ago

You should be safe then; the leak was patched after 18th February.

7 years ago

I hate the modern internet. All was better around 2000-05 ;P
Heard it first in the morning from Reddit.

7 years ago

Ehmmm, back in 2000 most websites didn't even use HTTPS lol

7 years ago

(Changed Reddit initially because of an OW Discord message.) Never mind, it was not on the list; thanks, Overwatch Discord, for bugging me.

7 years ago

Thanks, added to the list.

7 years ago

I updated the posting, please have a look.

7 years ago

Updated again, thanks

7 years ago*

It's because of stuff like this that I started making unique passwords for everything and using LastPass.

7 years ago

Wait for a LastPass breach 8)

7 years ago

Noooo!! Actually, LastPass did get leaked a bit before, but everything's encrypted with your own unique key, so it was impossible to have been taken advantage of before everyone changed their passwords or unique key within their lifetime.

7 years ago

Yeah, I vaguely remember reading about the LastPass breach; I remember it was very well documented by them, which was impressive.
I won't go as far as saying it's "impossible", but I'm sure it's infeasibly difficult.

7 years ago

Brute forcing 128-bit AES currently takes 13 billion years (LastPass is using 256-bit AES). Unless there are some significant technological advances (I wish!) it does seem slightly impossible :D And they have to reverse-hash everything first, so you must be a specific target worth all that time and effort!

7 years ago*

Impossible by definition means there is no way to solve it given an infinite amount of time and resources. I'm gonna sound like a smartass jerk, but technically speaking it still counts as infeasibly difficult but not impossible :P Practically impossible, sure. Not theoretically so. :PP

7 years ago

Let's call it impractical then.

7 years ago

Oh well crap. Thanks for the heads up!

7 years ago

Thanks for the PSA.

7 years ago

Thanks for the heads up

7 years ago

What the fuck? This looks like some serious shit.

7 years ago

Updated, thanks.

7 years ago

Thanks for the heads up, changed my password immediately. Good thing I'm using long, complicated one-time passwords for everything important.

7 years ago

For the most important stuff maybe setting up two-factor authentication would be better nowadays.

7 years ago

That would require me spreading my phone number all over the internet, and I consider this sensitive private information which is none of anyone's business.
Seriously, we're all providing our data way too freely anyway, as if it was nothing. I'm concerned about that.

7 years ago

Must be nice living in the EU, where countries actually give a fuck about those issues.
In some countries like mine, getting personal info about other people is so easy that trying to protect your privacy by limiting the spread of things like your phone number is pointless. Here, if you're over the age of 18, that means that you are forced to vote, and that means that your personal info is automatically added to a database that tends to be massively leaked every time the elections are happening. All you need to do is ask one of the persons in charge of a voting table (most are random volunteers) to lend you the CD with the database for a few minutes and make a copy; its copy protection is laughable.
I learned about this because my family is full of lawyers and they tend to have a bunch of these databases even though they're not supposed to.

7 years ago

That's why you only set up 2-factor auth for just the most important stuff, so your phone isn't everywhere over the internet, but just stored on the important ones...

7 years ago


If you want just something to worry about, you can slightly start here: :P

7 years ago

Sure, sleep well... when the session tokens were exposed, and not every website with 2FA uses session/location fingerprinting... or when the Humble key site was exposed (but they have 2FA! ...oh wait....)
The risk in this case is minimal, but it is not 0.

7 years ago

Is Humble Bundle indeed using the CloudFlare service? It looks to me like they are hosting their server on Google Hosts.

www.humblebundle.com

A Records
74.125.34.32

Canonical Names
ghs-svc-https-c32.ghs-ssl.googlehosted.com

7 years ago
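
As an added example (my code, not from this thread, the linked list or Cloudflare), here is a small C program that does the check the comment above does by hand: given already-resolved DNS records, it reports whether a hostname is fronted by Cloudflare, either because an A record falls inside one of Cloudflare's published IPv4 prefixes or because a CNAME ends in cdn.cloudflare.net. The prefix table is an abbreviated snapshot of https://www.cloudflare.com/ips-v4 and must be refreshed before use; the cdn.cloudflare.net suffix is an assumption based on Cloudflare's CNAME setup. The Humble Bundle records are the ones quoted above; every other record is constructed.

```c
/* Added example, not the thread's or Cloudflare's code: classify a host as
 * Cloudflare-fronted or not from resolved A records and CNAMEs. Runs offline
 * on the embedded sample records. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Abbreviated snapshot of https://www.cloudflare.com/ips-v4 (refresh before relying on it). */
static const char *const CF_IPV4[] = {
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22", NULL
};
/* Assumed CNAME target suffix for Cloudflare's CNAME-based setup. */
static const char CF_CNAME_SUFFIX[] = "cdn.cloudflare.net";

enum { FRONT_NONE = 0, FRONT_CF_IP = 1, FRONT_CF_CNAME = 2 };

/* Dotted quad -> host-order 32-bit value. Returns 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* True if ip lies inside the "a.b.c.d/n" prefix. */
static int in_prefix(uint32_t ip, const char *cidr) {
    char net_s[32]; unsigned bits; uint32_t net;
    const char *slash = strchr(cidr, '/');
    if (!slash || (size_t)(slash - cidr) >= sizeof net_s) return 0;
    memcpy(net_s, cidr, (size_t)(slash - cidr)); net_s[slash - cidr] = '\0';
    if (!parse_ipv4(net_s, &net) || sscanf(slash + 1, "%u", &bits) != 1 || bits > 32) return 0;
    uint32_t mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return (ip & mask) == (net & mask);
}

/* Case-insensitive suffix match on a DNS label boundary; tolerates a trailing dot. */
static int has_suffix_label(const char *name, const char *suffix) {
    size_t n = strlen(name), m = strlen(suffix);
    if (n && name[n - 1] == '.') n--;
    if (n < m) return 0;
    for (size_t i = 0; i < m; i++)
        if (tolower((unsigned char)name[n - m + i]) != tolower((unsigned char)suffix[i])) return 0;
    return n == m || name[n - m - 1] == '.';
}

/* 1 if the address is in a Cloudflare prefix, 0 if not, -1 if it is not an IPv4 address. */
static int ipv4_in_cloudflare(const char *s) {
    uint32_t ip;
    if (!parse_ipv4(s, &ip)) return -1;
    for (const char *const *c = CF_IPV4; *c; c++)
        if (in_prefix(ip, *c)) return 1;
    return 0;
}

/* Bitmask of FRONT_* signals over NULL-terminated record arrays (either may be NULL). */
static int classify(const char *const *a_records, const char *const *cnames) {
    int result = FRONT_NONE;
    for (; a_records && *a_records; a_records++)
        if (ipv4_in_cloudflare(*a_records) == 1) result |= FRONT_CF_IP;
    for (; cnames && *cnames; cnames++)
        if (has_suffix_label(*cnames, CF_CNAME_SUFFIX)) result |= FRONT_CF_CNAME;
    return result;
}

/* Records quoted in the comment above for www.humblebundle.com. */
static const char *const HB_A[] = { "74.125.34.32", NULL };
static const char *const HB_CNAME[] = { "ghs-svc-https-c32.ghs-ssl.googlehosted.com", NULL };
/* Constructed records for a hypothetical Cloudflare-fronted host. */
static const char *const CF_EXAMPLE_A[] = { "104.16.1.2", NULL };
static const char *const CF_EXAMPLE_CNAME[] = { "www.example.com.cdn.cloudflare.net", NULL };

int main(void) {
    printf("www.humblebundle.com (quoted records): signals=%d\n", classify(HB_A, HB_CNAME));
    printf("constructed Cloudflare-fronted host:   signals=%d\n", classify(CF_EXAMPLE_A, CF_EXAMPLE_CNAME));
    return 0;
}
```

The quoted Humble Bundle records score 0 on both signals, which is what the comment concluded. Two caveats: this only describes DNS as it resolves today, so whether a site was proxied during the leak window needs historical DNS data or a statement from the operator, and a site can put some hostnames behind Cloudflare while serving others directly, so each hostname you log into has to be checked on its own.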

I'm more worried about mozilla.org getting leaked; my Mozilla account knows all my passwords. Good thing that I activate two-step verification in everything I can. I hope I never lose my phone.

7 years ago

Thanks for the PSA. I was already using 2-factor authentication with the Authy app they use.

7 years ago*

Gah, the Authy app is incomprehensible... Seriously, could they make it more complicated?

7 years ago

Well I had no problem setting it up.

7 years ago

To be fair, it was late last night, and I got confused at the bar code scanner piece and just gave up...

7 years ago

I have no bloody idea what I should do after allowing it on HB's side and then installing the app. Like a bar code scanner, QR code? Where, from what? What code should I enter that wasn't mentioned anywhere before? o.O
Edit: apparently... nothing needed? The same phone number in the app and HB seems to do the job. Or having more than an hour of internet downtime helped it to collect itself :D

7 years ago

I got a text message with the code to enter but couldn't find where to actually enter the code, just that QR code piece which confused the heck out of me...

7 years ago

Not a single link about what happened?
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
It seems the sensitive data has been leaking for months.

EDIT: Oh, the site with the list also had info about what happened. My bad, I didn't check it before posting >_<

7 years ago*

4,287,625 possibly affected domains.....

Well, my next few days are shot trying to figure out which sites I use aren't compromised.

7 years ago

Looks like I may have to change my password on a few things... Too lazy to do so atm though.

7 years ago

Does this mean that some of the gift links might be leaked along with the passwords on Humble Bundle, and also all unclaimed keys from Bundle Stars / Indiegala? >.O

7 years ago

That's unlikely, but someone could get access to your account and then steal your keys.

7 years ago

They can't access my account on Humble Bundle nor Indiegala, since it's 2-way authentication, but Bundle Stars... That's vulnerable as hell. Oh well, let's just hope that the Google researcher was the only guy who managed to find out about this thing before they started fixing it. ^_^

7 years ago

If they picked up session tokens, 2FA is worthless. Don't be so confident.

7 years ago

Well, I guess it doesn't concern me, since this leakage has been going on for five months already and only yesterday came to light. And I think the average Steam/bundle site user won't know how to or be able to find any certain information from these websites ;)

Edit: Just to add, it's not worth the risk of stealing someone's confidential information for Steam keys, since I can easily ask the support on bundle sites to contact developers and revoke the used keys. If said thief would sell them on G2A in large numbers from multiple people, I imagine his PayPal / bank account being investigated after multiple fraud declarations from users. Not worth it just for Steam keys.

But some information like emails and drawings for certain eyes only would be a bigger leak. This way one could invest his money into some company because he knew something that others didn't and make legit profit out of it. And since some people use the same password on multiple websites / emails, it'd mean that the same user could use the same password on his / her email = even more information about that person. I guess that's why it's a biggie. >.<

7 years ago*

You fully underestimate what people will do with leaked login information. If it were just access to Humble, then you'd have to worry about purchases using stored payment information. But being that it leaked plaintext login credentials, now they have something to test against other services in case you use recurring information. Let me give an example: since the Yahoo leak of December (yes, ANOTHER), I have had the following accounts attempted by thieves:

  • Perfect World
  • Battle.net
  • eBay (compromised - secret questions used, reclaimed)
  • Playstation Network (compromised - secret questions used, reclaimed)
  • Gamestop.com
  • Armor Games
  • Target.com
  • Humble Bundle
  • BundleStars
  • PayPal
  • Facebook
  • Steam
  • Xbox Live
  • Kongregate
  • Amazon.com
  • DMV California
  • Netflix (compromised - secret questions used, reclaimed)
  • Hulu

All of this happened within the span of approximately one month, from January 15th (Perfect World) to February 22nd (Armor Games). Thankfully my passes don't match and MOST of the services demand e-mail link verification (eBay, PSN, and Netflix DO NOT if secret questions are validated).

All because they got one e-mail/pass set, plus secret questions, which most people match up across services unintentionally as the secret question pool tends to match between services (mother's maiden name, first school, etc.) and which don't trigger reset e-mails. It doesn't matter how insignificant an account is: if it can be compromised, it can be sold to someone unable to open an account for whatever reason. Any security leak, no matter how small, is a "biggie".

7 years ago

Yeah well, the Yahoo leak would be comparable with my Gmail. If my Gmail somehow got hacked, I'd lose literally everything: PayPal, Netflix, Steam, every social media account, some online MMOs, every online store I'm signed up to. So that would be a biggie, but something like Humble Bundle, a password-saving website that I don't use, some other unknown (to me) websites... I don't think it's as important to me as maybe to someone else. Not gonna lose my sleep because of it. And as I said, this has been going on for 5 months already, so most likely my credentials are safe.

Usually when hackers post huge lists of 100,000 or 200,000 logins with passwords and other information, it's fast and furious who will get the most out of the information; in this case no one even knew about it before the Google researcher let us know. :p

These cyber loopholes will always be there, and it's just good that the Google good guys find them first; that way any cheating date site and Yahoos can keep their coolness. ^_^

7 years ago

Cloudflare incident report

TL;DR: Certain conditions would cause broken webpages from servers using Cloudflare's services to trigger a buffer overflow in Cloudflare's internal parsing code, resulting in a memory leak potentially containing sensitive data from any other random website also using Cloudflare's service.
How worried should you be? Most likely not more worried than usual, as the probability of both having your credentials leaked and someone actually noticing is on par with your odds of winning 50 public giveaways on the same day, give or take a few.

7 years ago
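
As an added illustration of the bug class the linked incident report describes (my code, not Cloudflare's and not from this thread), the C program below contains a toy HTML tag scanner in two versions. The unsafe one checks for end of input only in its outer loop and trusts the document to close its tag, so a truncated page walks its cursor into whatever sits next in memory and that data ends up in the output; the hardened one bounds the inner loop and refuses an unterminated tag instead of reading on. The page, the neighbouring bytes standing in for another tenant's response and the cookie value in them are all constructed, and they are placed in one arena so the over-read stays inside a single allocation and is deterministic.

```c
/* Added example, not Cloudflare's code: an end-of-input check that a broken
 * page can step past, beside the bounded version. Everything below is
 * constructed; the "neighbouring memory" is just the tail of one arena. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed page whose <script> tag is never closed. */
static const char PAGE[] = "<html><script src=\"x";
/* Constructed bytes standing in for another tenant's response next to it. */
static const char NEIGHBOUR[] = "set-cookie: session=deadbeef-constructed; path=/>";
static char arena[sizeof PAGE + sizeof NEIGHBOUR];
static char out_buf[128];

/* Lay the page and its neighbour out contiguously; returns the page length. */
static size_t build_arena(void) {
    size_t page_len = sizeof PAGE - 1;
    memcpy(arena, PAGE, page_len);
    memcpy(arena + page_len, NEIGHBOUR, sizeof NEIGHBOUR);
    return page_len;
}

/* Copy the first <script...> tag (through its '>') into out. Returns the tag
 * length, or 0 if there is none. BUG: the inner loop never compares against
 * `end`, so an unterminated tag keeps reading beyond the page. */
static int extract_script_tag_unsafe(const char *page, size_t len, char *out, size_t out_cap) {
    const char *p = page, *end = page + len;
    while (p < end) {
        if (*p == '<' && end - p >= 7 && strncmp(p, "<script", 7) == 0) {
            const char *q = p + 7;
            while (*q != '>') q++;           /* unbounded: walks into the neighbour */
            size_t n = (size_t)(q - p) + 1;
            if (n >= out_cap) n = out_cap - 1;
            memcpy(out, p, n); out[n] = '\0';
            return (int)n;
        }
        p++;
    }
    return 0;
}

/* Same job, but every read is bounded by `end`; an unterminated tag yields -1. */
static int extract_script_tag_safe(const char *page, size_t len, char *out, size_t out_cap) {
    const char *p = page, *end = page + len;
    while (p < end) {
        if (*p == '<' && end - p >= 7 && strncmp(p, "<script", 7) == 0) {
            const char *q = p + 7;
            while (q < end && *q != '>') q++;
            if (q == end) return -1;         /* truncated tag: refuse, do not read on */
            size_t n = (size_t)(q - p) + 1;
            if (n >= out_cap) n = out_cap - 1;
            memcpy(out, p, n); out[n] = '\0';
            return (int)n;
        }
        p++;
    }
    return 0;
}

/* Constructed well-formed page: both versions handle it identically. */
static const char WELL_FORMED[] = "<html><script src=\"x\"></script>";

/* 1 if the unsafe scanner copied bytes from beyond the page into its output. */
int unsafe_copies_neighbour_bytes(void) {
    size_t len = build_arena();
    int n = extract_script_tag_unsafe(arena, len, out_buf, sizeof out_buf);
    return n > (int)len && strstr(out_buf, "session=deadbeef") != NULL;
}

/* 1 if the hardened scanner rejects the truncated page instead of reading on. */
int safe_rejects_truncated_tag(void) {
    size_t len = build_arena();
    return extract_script_tag_safe(arena, len, out_buf, sizeof out_buf) == -1;
}

int main(void) {
    size_t len = build_arena();
    extract_script_tag_unsafe(arena, len, out_buf, sizeof out_buf);
    printf("unsafe scanner output: %s\n", out_buf);
    printf("safe scanner result:   %d\n", extract_script_tag_safe(arena, len, out_buf, sizeof out_buf));
    return 0;
}
```

On a well-formed page the two scanners behave the same, which is why such a bug survives normal testing: only a malformed page that ends inside a tag makes the unbounded loop read past the input, and when the parser is a shared proxy, the bytes past the input belong to other customers' traffic. The fix is the one shown in the hardened version: every cursor advance is checked against the end of the buffer, and a truncated input is rejected rather than completed from whatever follows it.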

Closed 4 years ago by Slowacki.